Re: Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions

On 12/22, Milan Broz wrote:
> Below is a very nice example of another "Evil maid" type attack,
> here directly applied to LUKS CBC disks.
> 
> I think it clearly shows the known rule:
> If you let your machine out of your sight, it is no longer your machine.
> 
> What is important (and blog mentions it)
> 
> "It has already been known for a long time that CBC does not prevent
> a malleability attack (targeted manipulation of encrypted data) given
> that the attacker can modify the ciphertext and knows the corresponding
> plaintext as well."

Even more important, in this particular case, is that this "practical
malleability attack" isn't actually very practical at all:

    "In the following I assume that we already have access to the
    original plaintext and the ciphertext of one file on the system and
    that we want to do our manipulations in this file:"

There are a number of other assumptions and variables that must be "just right"
in order for this attack to have even a remote chance of working, e.g.:

    "This code can be executed from a Live CD against the encrypted
    partition of an Ubuntu 12.04 installation. The position of the
    /bin/dash file needs to be adjusted by doing a reference
    installation with the same disk layout on a sufficiently similar
    hardware."

> BTW the blog doesn't mention that CBC is no longer the default mode for cryptsetup
> and was replaced by XTS mode.

The original post to f-d [0] that you forwarded does mention this:

    "This code can be executed from a Live CD against the encrypted
    partition of an Ubuntu 12.04 installation. The position of the
    /bin/dash file needs to be adjusted by doing a reference
    installation with the same disk layout on a sufficiently similar
    hardware. [...] When choosing to encrypt the system with the Ubuntu
    12.10 installer, the encryption is set up with mode aes-xts-plain64,
    which is not vulnerable to this attack."

It's certainly interesting from a technical perspective but this is
simply not very feasible.

/p

[0]: http://archives.neohapsis.com/archives/fulldisclosure/2013-12/0187.html

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
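
The CBC property quoted in the thread above, as an added example that is not part of the original message or the referenced post: a ciphertext edit made without the key lands on a chosen plaintext block only when that block's original plaintext is known, and it garbles the preceding block, which is why a file-level integrity check catches it. Assumptions: a toy Feistel cipher built from SHA-256 stands in for AES so the code needs only the standard library, and the key, IV, sample "sector" and all function names are constructed for illustration.

```python
import hashlib

BLOCK = 16  # bytes per cipher block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _f(key, rnd, half):
    # Toy Feistel round function (assumption: stand-in for AES, stdlib only)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for blk in blocks(pt):
        out.append(enc_block(key, xor(blk, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    cts = [iv] + blocks(ct)
    return b"".join(xor(dec_block(key, c), p) for p, c in zip(cts, cts[1:]))

def tamper(ct, idx, known, wanted):
    # Keyless edit: XOR (known ^ wanted) into ciphertext block idx-1
    start = (idx - 1) * BLOCK
    return ct[:start] + xor(ct[start:start + BLOCK], xor(known, wanted)) + ct[start + BLOCK:]

def demo():
    key, iv = b"constructed-key!", bytes(BLOCK)  # constructed sample values
    pt = b"".join(bytes([65 + i]) * BLOCK for i in range(4))  # constructed 4-block "sector"
    ct, wanted = cbc_encrypt(key, iv, pt), b"X" * BLOCK
    good = blocks(cbc_decrypt(key, iv, tamper(ct, 2, blocks(pt)[2], wanted)))  # plaintext known
    bad = blocks(cbc_decrypt(key, iv, tamper(ct, 2, b"?" * BLOCK, wanted)))  # plaintext guessed wrong
    return blocks(pt), good, bad

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

`demo()` returns the original blocks, the blocks after an edit made with the correct known plaintext, and the blocks after an edit made with a wrong guess; in both tampered cases block 1 no longer matches the original, so a digest of the file taken from a trusted copy will not verify.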



