Re: [PATCH] Delete cryptoloop
From: Marc Ballarin
Date: Mon Jul 26 2004 - 17:08:44 EST
Fruhwirth Clemens <clemens-dated-1091709927.ed82 <at> endorphin.org> writes:
> To summarize for an innocent bystander:
>
> - The attacks you brought forward are in the best case a starting point
> for known plain text attacks. Even DES is secure against this attack,
> since an attacker would need 2^47 chosen plain texts to break the cipher
> via differential cryptanalysis. (Table 12.14 Applied Cryptography,
> Schneier). First, the watermark attack can only distinguish 32
> watermarks. Second, you'd need a ~2.000.000 GB to store 2^47 chosen
> plain texts. Third, I'm talking about DES (designed 1977!), no chance
> against AES.
>
>From what I understand now, this exploit is solely based on the weakness of
dm-crypt's/cryptoloops IV generation.
The difference in bit patterns between the first and second half of the
watermark block compensates partly for the trivially and predictably changing
IV beetween two successive sectors.
As Jari eplained, this causes *any* cipher to produce two identical blocks of
ciphertext (after all the input is identical).
This is also, why this exploit requires a minimum filesystem block size of 1kB
for good reliability.
> - The weaknesses brought forward by me are summarized at
> http://clemens.endorphin.org/OnTheProblemsOfCryptoloop . Thanks goes to
> Pascal Brisset, who pointed out that cryptoloop is actually more secure
> than I assumed.
>
If my understanding is correct, an improved and unpredictable IV generation -
- as needed anyway for the vulnerability described at
http://clemens.endorphin.org/OnTheProblemsOfCryptoloop -
*should* protect against this watermarking as well. So both problems can be
fixed together and rather easily.
Regards
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/