[dm-crypt] Re2: Cascading two plain dm-crypt volumes
arno at wagner.name
Fri Nov 29 11:28:15 CET 2013
On Fri, Nov 29, 2013 at 09:56:43 CET, anderson jackson wrote:
> On Fri, 29 Nov 2013 06:17:31 +0100 Arno Wagner <arno at wagner.name> wrote
> > The gist is that breaking aes(k1, aes(k2, data))
> > takes only twice as long as breaking aes(k3, data),
> > i.e. adds one bit of entropy and is meanigless security-wise.
> > If you have less than the maximum entropy in your keys,
> > then doing aes(k1+k2, data) doubles the entropy, i.e.
> > _squares_ the effort needed, up to 2^(number of key bits).
> > So, really, do not do this.
> Thank you for the clarification and the supplied reference. I see now that my
> suggested method is flawed. I will use LUKS instead; I can then combine the
> two passphrases and make use of the key strengthening features instead of
> choosing less security with no header.
> However I am curious, would my suggestion work with two different ciphers? So
> twofish(k1, AES(k2, data)) or twofish(k1, Serpent(k2, data) both still plain?
> Or does the MITM attack still apply in these scenarios.
Yes, it does. But also note:
- This attack requires an extreme amount of memory
- This is a known-plaintext attack, i.e. the attacker needs
to guess one cipher plaintext block correctly.
(Easier done than it sounds, filesystems typically have
blocks that qualify.)
- The attacker needs to be able to brute-force one layer
of each cipher and store the full result of one of the
two in a table.
So practicallity of this attack is low (read: infeasible in
practice for the forseeable future).
It just shows that an attacker that can crack one layer
of a cipher can crack two with about the same computing
effort and a lot of additional memory, i.e. that two cipher
layers give you a lot less _additional_ security than expected.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
More information about the dm-crypt