[dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions

/dev/ph0b0s phobos at panopticism.net
Mon Dec 23 00:07:24 CET 2013


On 12/22, Milan Broz wrote:
> Below is a very nice example of another "Evil maid" type attack,
> here directly applied to LUKS CBC disks.
> 
> I think it clearly shows a known rule:
> If you let your machine out of your sight, it is no longer your machine.
> 
> What is important (and the blog mentions it):
> 
> "It has already been known for a long time that CBC does not prevent
> a malleability attack (targeted manipulation of encrypted data) given
> that the attacker can modify the ciphertext and knows the corresponding
> plaintext as well."

Even more important, in this particular case, is that this "practical
malleability attack" isn't actually very practical at all:

    "In the following I assume that we already have access to the
    original plaintext and the ciphertext of one file on the system and
    that we want to do our manipulations in this file:"

There are a number of other assumptions and variables that must be "just right"
in order for this attack to have even a remote chance of working, e.g.:

    "This code can be executed from a Live CD against the encrypted
    partition of an Ubuntu 12.04 installation. The position of the
    /bin/dash file needs to be adjusted by doing a reference
    installation with the same disk layout on a sufficiently similar
    hardware."

> BTW the blog doesn't mention that CBC is no longer the default mode for cryptsetup
> and was replaced by XTS mode.

The original post to f-d [0] that you forwarded does mention this:

    "This code can be executed from a Live CD against the encrypted
    partition of an Ubuntu 12.04 installation. The position of the
    /bin/dash file needs to be adjusted by doing a reference
    installation with the same disk layout on a sufficiently similar
    hardware. [...] When choosing to encrypt the system with the Ubuntu
    12.10 installer, the encryption is set up with mode aes-xts-plain64,
    which is not vulnerable to this attack."

It's certainly interesting from a technical perspective but this is
simply not very feasible.

/p

[0]: http://archives.neohapsis.com/archives/fulldisclosure/2013-12/0187.html
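The CBC property the quoted sentence describes (known plaintext plus write access to the ciphertext lets an attacker set a block's plaintext, with no key), shown as an added example that is not code from the post, the blog, or cryptsetup. The key and IV are constructed demo values, the HMAC tag is a generic illustration of the integrity check CBC lacks rather than anything LUKS does, and only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo key and IV, not values from the post. LUKS derives the
// per-sector IV differently, but the CBC algebra below is identical.
var demoKey = bytes.Repeat([]byte{0x42}, 32)
var demoIV = bytes.Repeat([]byte{0x01}, aes.BlockSize)

// cbc runs unpadded AES-CBC over whole blocks; mode selects the direction.
func cbc(mode func(cipher.Block, []byte) cipher.BlockMode, in []byte) []byte {
	b, _ := aes.NewCipher(demoKey) // 32-byte key, so no error is possible
	out := make([]byte, len(in))
	mode(b, demoIV).CryptBlocks(out, in)
	return out
}

// MalleateBlock returns a copy of ct whose block i (i >= 1) decrypts to want
// instead of known, without the key: CBC computes P_i = D(C_i) XOR C_{i-1}, so
// XORing (known XOR want) into C_{i-1} shifts P_i; block i-1 turns to garbage.
func MalleateBlock(ct []byte, i int, known, want []byte) []byte {
	out := append([]byte(nil), ct...)
	prev := out[(i-1)*aes.BlockSize : i*aes.BlockSize]
	for j := range prev {
		prev[j] ^= known[j] ^ want[j]
	}
	return out
}

// Tag adds the integrity check CBC lacks: an HMAC over ct that any edit breaks.
func Tag(key, ct []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(ct)
	return m.Sum(nil)
}

func main() {
	pt := []byte("known plaintext!original block 1") // constructed, 2 blocks
	ct := cbc(cipher.NewCBCEncrypter, pt)
	mod := MalleateBlock(ct, 1, pt[16:], []byte("modified sector!"))
	fmt.Printf("%q\n", cbc(cipher.NewCBCDecrypter, mod)[16:]) // "modified sector!"
	fmt.Println(hmac.Equal(Tag(demoKey, ct), Tag(demoKey, mod))) // false: tampering detected
}
```

Decryption raises no error on the modified ciphertext, which is the whole point of the quote: only an integrity check (the tag here) notices, and XTS, the current cryptsetup default, does not give this block-by-block control.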


