[dm-crypt] Cryptographic issues with SSD-technology and wide-block encryption modes

Matthias Schniedermeyer ms at citd.de
Wed Feb 6 12:07:13 CET 2013


On 06.02.2013 11:06, Stavros Kousidis wrote:
> 
> One essential issue that concerns full disk encryption on SSDs, that I 
> have not seen in a mail discussion here so far (might be there and I 
> simply missed it), is the distribution of an uncontrollable amount of 
> copies of SSD-page contents (~4096 Bytes) where only a limited number 
> of blocks (~16 Bytes) have changed. This is initiated by local changes 
> in userspace data and technically due to the complex nature of the 
> flash translation layer (mainly wear leveling techniques), the 
> narrow-block encryption modes (here: XTS) and sector-wise constant 
> IVs. In Cipher-block chaining mode the position where a bit-flip 
> happened is visible in principle.

Let me paraphrase, you are worried about someone physically ripping the 
SSD out of your computer, desoldering the chips and reverse engeneering 
the wear-leveling. In the off-change that there actually are several 
generations of a somehow vulnerable block (or several) and the changes 
would tell the attacker "something".

With the slight variatians:
a) Somone with root-priviles making full-copies of the device at 
different points in time
b) Somone with root-priviledes and the SSD containing some vendor 
specific commands to read the RAW contents of the flash and/or 
possibility to get older versions of blocks (at different points in 
time)
c) Taking the SSD out and making full copies at different points in 
time.
d) c in variant b
e) Things that don't come to my mind



In short:
I would worry about these things, before i worry about POTENTIAL 
information leakage of several generations of a specific block.
In all cases you already need a vulnerability to even get to the 
information.

I don't say the theoretical vulnerability doesn't exist, but there are 
things much more serious before worrying about such theoretical things.
Among the first i would worry about: The so called "cold-boot attack".
At least for cases were you worry about someone with physical access.

I would call this is a typical case for the: "Law Of Diminishing 
Returns"
There is a gain, but the amount of work is disproportional.



-- 

Matthias


More information about the dm-crypt mailing list