Re: [PATCH] Delete cryptoloop

From: Marc Ballarin
Date: Sun Jul 25 2004 - 14:49:26 EST


Fruhwirth Clemens <clemens-dated-1091642568.f246 <at> endorphin.org> writes:

>
> That's no exploit. Where is the exploit?
> http://www.google.com/search?q=jargon%20exploit
> When you're there, you can look up the term ``backdoor'' as well.

We can, of course, discuss terminology, yet the problem remains the same.

>
> Probably I'm missing the point, but at the moment this looks like a
> chosen plain text attack. As you know for sure, this is trivial. For
> instance, AES asserts to be secure against this kind of attack. (See the
> author's definition of K-secure..).

It assures against key revovery through chosen plain text attacks. As written
before, the purpose of this attack is not to break encryption, but to prove
the existence of a file *known to* and *prepared by* the attacker.

The exploit generates a rather simple bit pattern with a size of 1024 bytes.
When this pattern - the watermark - is encrypted, dm-crypt's output has some
special properties - independent of cipher or key size.
For example, encoding nr. 1, always produces a cyphertext block, where bytes
0-15 are equal to bytes 512-523.

If you cannot believe this, please try yourself. I did so a few hours ago.

On dm-crypt's mailing list, I have given a description how this can be refined
easily to improve reliability of detection and determine a file's layout on
the encrypted volume.

Regards




-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/