Re: PROBLEM: AES cryptoloop corruption under recent -mm kernels

From: Mark Borgerding
Date: Fri Jan 16 2004 - 12:11:38 EST


James Morris wrote:

On Fri, 16 Jan 2004, Mark Borgerding wrote:



From looking through the cryptoloop code, it looks like the IV for CBC
mode is always the sector index. It seems this could be weak against
chosen plaintext attacks, as well as allowing an attacker to know which
cipher blocks started any changes between two snapshots of the
ciphertext. I discuss ECB, since I wouldn't consider using it.



Eli Biham has suggested encrypting the sector numbers, see
http://people.redhat.com/jmorris/crypto/cryptoloop_eli_biham.txt



- James



This does not defend against a dictionary attack.

The IV is still deterministic for a given sector and hypothesized password. Thus the ciphertext for a given plaintext at that sector is still deterministic.

Thinking of it another way, this is equivalent to CBC mode having two IVs: the first one being the sector number, the second a block of zeros.


- Mark

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/