[dm-crypt] Cryptographic issues with SSD-technology and wide-block encryption modes

Arno Wagner arno at wagner.name
Wed Feb 6 14:06:57 CET 2013


On Wed, Feb 06, 2013 at 01:52:40PM +0100, Milan Broz wrote:
> On 02/06/2013 11:32 AM, Arno Wagner wrote:
> 
> > On Wed, Feb 06, 2013 at 11:06:11AM +0100, Stavros Kousidis wrote:
> >> One essential issue that concerns full disk encryption on SSDs, that I
> >> have not seen in a mail discussion here so far (might be there and I
> >> simply missed it), is the distribution of an uncontrollable amount of
> >> copies of SSD-page contents (~4096 Bytes) where only a limited number of
> >> blocks (~16 Bytes) have changed.  This is initiated by local changes in
> >> userspace data and technically due to the complex nature of the flash
> >> translation layer (mainly wear leveling techniques), the narrow-block
> >> encryption modes (here: XTS) and sector-wise constant IVs.  In
> >> Cipher-block chaining mode the position where a bit-flip happened is
> >> visible in principle.
> > 
> > I am aware of that issue. However, XTS mode should lead to a full sector
> > (512 Bytes) change even if only one bit is changed. That is the whole
> > point of modes like XTS, EME, etc.
> 
> I am afraid this is not true for XTS. Blocks inside XTS can be processed
> in parallel (so they cannot depend on each other) so the effect can be

Hmm. You are right, my mistake. I sort-of assumed XTS was not
weaker than CBC for this particular attack without really
checking. One look at the definition makes it very obvious 
though.

> exactly opposite - first bit change in (the same) sector using e.g. CBC
> will change the whole ciphertext sector, while with XTS only first
> encryption block (16 bytes) is changed.
> I tried to show it here http://mbroz.fedorapeople.org/talks/DevConf2012/img6.jpg
> 
> But despite that, XTS is usually better. 

I agree. And attacks where attackers have repeated access to the
ciphertext, but not the plaintext are quite rare anyways. And
even then, usually nothing significant is gained.

> But it would be nice to have
> some not patent encumbered wide mode (no code changes needed, just someone
> have to invent it and add to crypto API :-)

Indeed. 

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
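As an added illustration of Milan's point (this is example code written for this page, not code from the thread, from dm-crypt or from cryptsetup): the Go program below encrypts one constructed 512-byte sector with a plain64-style IV (the sector number, little-endian), flips a single bit in the middle of the sector, re-encrypts, and lists which 16-byte ciphertext blocks changed. AES-XTS is implemented compactly in the program itself (IEEE P1619 tweak handling, no ciphertext stealing since 512 is a multiple of 16); CBC comes from the Go standard library. Keys, plaintext and the sector number are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const (
	blockSize  = 16
	sectorSize = 512
)

// mulAlpha multiplies the 128-bit tweak by x in GF(2^128), byte-wise
// little-endian as specified in IEEE P1619 (XTS).
func mulAlpha(t []byte) {
	var carry byte
	for i := 0; i < blockSize; i++ {
		next := t[i] >> 7
		t[i] = (t[i] << 1) | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// sectorIV builds the 16-byte tweak/IV from the sector number, little-endian,
// mirroring the plain64 IV scheme.
func sectorIV(sector uint64) []byte {
	iv := make([]byte, blockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	return iv
}

// xtsEncryptSector is a compact AES-XTS for one full sector. Each 16-byte
// block depends only on the keys, the tweak and its own position, never on
// neighbouring blocks, which is why XTS blocks can be processed in parallel.
func xtsEncryptSector(key1, key2 []byte, sector uint64, plain []byte) []byte {
	c1, err := aes.NewCipher(key1)
	if err != nil {
		panic(err)
	}
	c2, err := aes.NewCipher(key2)
	if err != nil {
		panic(err)
	}
	t := make([]byte, blockSize)
	c2.Encrypt(t, sectorIV(sector)) // T = E_K2(sector number)
	out := make([]byte, len(plain))
	buf := make([]byte, blockSize)
	for i := 0; i < len(plain); i += blockSize {
		for j := 0; j < blockSize; j++ {
			buf[j] = plain[i+j] ^ t[j]
		}
		c1.Encrypt(buf, buf)
		for j := 0; j < blockSize; j++ {
			out[i+j] = buf[j] ^ t[j]
		}
		mulAlpha(t) // next block uses T * alpha
	}
	return out
}

// cbcEncryptSector uses the standard library's CBC mode with the same IV scheme.
func cbcEncryptSector(key []byte, sector uint64, plain []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(c, sectorIV(sector)).CryptBlocks(out, plain)
	return out
}

// changedBlocks returns the indices of the 16-byte blocks that differ.
func changedBlocks(a, b []byte) []int {
	var idx []int
	for i := 0; i < len(a); i += blockSize {
		if !bytes.Equal(a[i:i+blockSize], b[i:i+blockSize]) {
			idx = append(idx, i/blockSize)
		}
	}
	return idx
}

// CompareModes encrypts one constructed sector, flips one bit at byte offset
// flipAt, re-encrypts with both modes, and reports the changed block indices.
func CompareModes(flipAt int) (xtsChanged, cbcChanged []int) {
	key1 := bytes.Repeat([]byte{0x11}, 16) // constructed demo keys only
	key2 := bytes.Repeat([]byte{0x22}, 16)
	plain := make([]byte, sectorSize)
	for i := range plain {
		plain[i] = byte(i) // constructed plaintext
	}
	flipped := append([]byte(nil), plain...)
	flipped[flipAt] ^= 0x01 // single-bit change, as in the thread
	const sector = 7        // constructed sector number
	xtsChanged = changedBlocks(xtsEncryptSector(key1, key2, sector, plain),
		xtsEncryptSector(key1, key2, sector, flipped))
	cbcChanged = changedBlocks(cbcEncryptSector(key1, sector, plain),
		cbcEncryptSector(key1, sector, flipped))
	return
}

func main() {
	xts, cbc := CompareModes(100) // byte 100 lies in block 6
	fmt.Println("XTS blocks changed:", xts)
	fmt.Println("CBC blocks changed:", cbc)
}
```

Flipping a bit in block 6 changes exactly one XTS ciphertext block, while in CBC every block from 6 to the end of the sector changes (the changed ciphertext feeds into the next block, and AES is a permutation, so the chain never realigns). Flipping a bit in block 0 therefore changes the whole CBC sector, which is the case Milan describes, but still only one XTS block.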