Re: [PATCH] Delete cryptoloop
From: Fruhwirth Clemens
Date: Sat Jul 24 2004 - 07:43:09 EST
On Wed, 2004-07-21 at 22:16, James Morris wrote:
> This patch deletes cryptoloop, which is buggy, unmaintained, and
> reportedly has mutliple security weaknesses. Dropping cryptoloop should
> also help dm-crypt receive more testing and review.
Short version:
Remove cryptoloop || mark as deprecated.
Long version:
First, dm-crypt and cryptoloop share the same on-disk format. There is
absolutely no security gain by switching to dm-crypt.
Second, modern ciphers like Twofish || AES are designed to resist
known-plaintext attacks. This is basically the FUD spread by Jari Rusuu.
But, due to a recent discussion on sci.crypt, I have been convinced that
there is in fact a security gain by obscuring the IV. To be precise, if
an attacker is able to find two identical cipher blocks on disk, he will
be able to deduce the plain text difference. The chance p that two
blocks are equal is p=1/2^128 for 128 bit block ciphers. If one of these
blocks happens to be zero this is quite bad. The chance that there are
no identical cipher blocks on a disk is given by p^(n(n-1)/2) with n =
numbers of sectors on disk. Anyone with a little bit math intuition can
see this terms will approach 0 quite quick. So it is likely that some
information is revealed.
This situation will not be cured by switching to dm-crypt, since
dm-crypt suffers from the same kind of problem. Although personally, I
neglect this security threat.
However, I do recommend that cryptoloop is removed from the kernel || is
declared deprecated for the following reasons:
- There is no suitable user space tool ready to use it. util-linux has
been broken ever since. My patch key-trunc-fix patch has to be applied
to make any use of losetup. Further I'm not going to submit patches to
this project to fix user space problems (see below)
- I'm not going to submit patches to cure the security problems of
cryptoloop pointed out in the first few paragraphs,
- dm-crypt is a stable alternative and can be easily immigrated to with
the help of my little lotracker tool:
http://clemens.endorphin.org/lo-tracker
So much for cryptoloop.
I'd like to point out that in the most cases the key deduction scheme is
more likely the weakest component in a hard disk encryption setup. For
those interested: http://clemens.endorphin.org/TKS1-draft.pdf points to
the problems connect with HD encryption. This paper is the groundwork
for my Linux Unified Key Setup project http://clemens.endorphin.org/LUKS
. Here, you will find patches for cryptsetup (the losetup equivalent to
losetup). I'm working with Christophe Saout to integrate LUKS into
cryptsetup in the near future.
Regards,
--
Fruhwirth Clemens <clemens@xxxxxxxxxxxxx> http://clemens.endorphin.org
Attachment:
signature.asc
Description: This is a digitally signed message part