Re: Hi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Feb 18, 2003 at 11:07:29PM +0000, David Woodhouse wrote:
> On Tue, 2003-02-18 at 16:34, Erik Mouw wrote:
> > > Actually i want to convert ext2 to into a encryped file system.
> > > for this purpose i want to do that,
> > 
> > I already explained you that for security reasons this functionality
> > should be in the block layer, not in the filesystem layer.
> 
> Why?

File level encryption gives an attacker information about the files on
your system.

Suppose I can get hold of your disk and I want to know if you are
subscribed to linux-kernel. I just mount the disk, and if I find a file
called "dwmw2/Mail/linux-kernel", it gives me a large hint you are
indeed subscribed. No, I can't decrypt the file, but that wasn't my
purpose. I do however know the file metadata, like the filename, the
owner, modification time, length, etc.

So I know you are subscribed to linux-kernel. I can't read the file,
but that's not necessary because I can also get the plain text of the
linux-kernel mailing list, which is enough to do a known plaintext
attack on your cipher. How hard that is depends of course on the cipher
and your key, but given enough computerpower it is possible to crack
your key.

The way to solve this is to encrypt at the block level. In that way I
can't even mount the filesystem when I don't have the correct key, so I
can't get to the file metadata. Sure, I could guess you're using ext3,
but that still leaves too many uncertainties (like directory layout and
filesystem usage) for an attacker to be able to crack your key. A brute
force attack will succeed (maybe not in the estimated lifetime of the
universe), but it's a lot harder than a brute force known plain text
attack.

Interesting to note is that NTFS supports file level encyption, but
nobody actually uses it. People who need encrypted files usually buy a
third party product that encrypts at the block level.


Erik

-- 
J.A.K. (Erik) Mouw
Email: J.A.K.Mouw@its.tudelft.nl  mouw@nl.linux.org

Attachment: pgp00322.pgp
Description: PGP signature


[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux