On 01/18/2014 12:26 PM, Will Morrison wrote:
> This patch adds support for GCM as a cipher mode in eCryptfs. If a file
> is encrypted in this mode, the layout of the lower file will change to
> accommodate it. This is due to the need to store auth tags as well as
> encrypted data.

Using a stream cipher mode like GCM without choosing a new random IV for every write will destroy eCryptfs's security.

In GCM, the ciphertext is simply XORed with a key stream generated by encrypting a counter. This means that the first time you write an extent, you get:

    ciphertext1 = keystream ^ plaintext1

The second time you write to that extent (without changing the IV, which I believe is not done), you get:

    ciphertext2 = keystream ^ plaintext2

An attacker can XOR ciphertext1 with ciphertext2 to get:

    ciphertext1 ^ ciphertext2 = plaintext1 ^ plaintext2

which reveals lots of information about the plaintext to them.

Other disk encryption software all use block modes like CBC-ESSIV or XTS to prevent this.

See also the "Security Audit" thread.

--
Taylor Hornby
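The keystream-reuse argument above, worked through as an added example that is not part of this thread or of the eCryptfs patch: counter-mode encryption with HMAC-SHA256 standing in for the AES block function (an assumption, made so the code runs on the standard library alone), showing that two writes under one IV leak plaintext1 ^ plaintext2 while a fresh random IV per write does not.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 32  # bytes of keystream produced per counter block


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, iv || counter) for counter = 0, 1, 2, ...

    HMAC-SHA256 stands in for the AES block encryption that GCM/CTR uses
    (an assumption so this runs offline with the standard library); the
    keystream-reuse argument does not depend on which PRF is used.
    """
    out = bytearray()
    for ctr in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_extent(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt (or, since it is XOR, decrypt) one extent under a caller-chosen IV."""
    return xor(keystream(key, iv, len(data)), data)


def write_with_fresh_iv(key: bytes, data: bytes) -> tuple[bytes, bytes]:
    """The mitigation: each write draws a new random 96-bit IV (GCM's standard
    nonce size) that must be stored alongside the ciphertext."""
    iv = os.urandom(12)
    return iv, encrypt_extent(key, iv, data)


def demo() -> None:
    key = os.urandom(32)
    p1 = b"version one of this extent's data"  # constructed sample plaintexts
    p2 = b"version two of this extent's data"
    # Flawed: a fixed IV means both writes reuse the same keystream.
    fixed_iv = bytes(12)
    c1 = encrypt_extent(key, fixed_iv, p1)
    c2 = encrypt_extent(key, fixed_iv, p2)
    print("c1 ^ c2 == p1 ^ p2 with reused IV:", xor(c1, c2) == xor(p1, p2))  # True
    # Fixed: a fresh IV per write, so the ciphertext XOR carries no plaintext relation.
    _, d1 = write_with_fresh_iv(key, p1)
    _, d2 = write_with_fresh_iv(key, p2)
    print("c1 ^ c2 == p1 ^ p2 with fresh IVs:", xor(d1, d2) == xor(p1, p2))  # False


if __name__ == "__main__":
    demo()
```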