[dm-crypt] security issues with dm-crypt below/above MD or below btrfs/ZFS RAID

Arno Wagner arno at wagner.name
Sat Jun 7 06:16:44 CEST 2014


Hi,

this is really a crypto block-cipher question, and the
question is "what about known-plaintext attacks?". The 
thing is that a cipher where known plaintext/ciphertext  
pairs (not just parity, but the case where you have all 
bits of the plaintext and all bits of the ciphertext, and 
that possibly for a large but practical amount of data)
do compromise your key or further encryptions with 
the same key is considered broken by today's crypto
standards. So, yes, all you cite may make an attack easier,
but for a non-broken block-cipher, it must still be far, 
far out of reach and hence is not an issue. 
 
Or to put it short: not a concern. Or if it is a concern,
your cipher is broken and you should instead switch to an 
unbroken cipher.

Arno


On Sat, Jun 07, 2014 at 02:48:32 CEST, Christoph Anton Mitterer wrote:
> Hey.
> 
> Perhaps, the following should go to the FAQ as well...
> 
> I'm using dm-crypt with aes-xts-plain64 and wondered whether it has any
> security implications on whether it is used
> - above MD RAID (i.e. multiple devices, forming a single block device
> via MD/mdadm, on which dm-crypt/LUKS is used)...
> - below MD RAID or e.g. btrfs/ZFS RAID (i.e. multiple devices, each with
> its own dm-crypt/LUKS, either with the same or different master keys,
> and on top of the opened devices a RAID formed by MD/mdadm or btrfs/ZFS).
> 
> 
> I wondered that because RAID (and especially that of MD, where the
> layout of blocks is far more deterministic than with btrfs/ZFS RAID)
> always has some fixed (and known) structure... where it is e.g. known
> where blocks and their corresponding parity blocks are placed (in RAID5/6
> or similar levels) ... or at least how adjacent blocks are striped over
> devices (RAID 1, 10 and similar).
> 
> I mean especially with btrfs/ZFS the only choice is to have dm-crypt
> below the RAID... while in a "traditional" MD/dm-crypt/ext4 setup I'd
> usually have placed MD at the lowest level, and dm-crypt just above
> it... with LVM, ext4/xfs/etc. above.
> 
> 
> So are there any known ways to exploit this in cryptanalysis,
> especially statistical attacks, that are e.g. only possible if dm-crypt
> is below the RAID (or vice versa)? Or that become possible if all the
> underlying dm-crypt devices of a RAID were configured to use the
> same master key?
> 
> Or is this mitigated by XTS? And what about the other block cipher
> modes?
> 
> 
> Cheers,
> Chris.





-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato
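The following is an added example, not code from either poster or from the dm-crypt project. It models the setup Chris asks about: several devices, each encrypted separately with the *same* master key, carrying a RAID5-style stripe (two data sectors and their XOR parity) at the same sector number. It assumes 512-byte sectors, the dm-crypt "plain64" IV (64-bit little-endian sector number, zero-padded to 16 bytes) used as the XTS tweak, and the `cryptography` library. The CTR variant is a hypothetical stream mode constructed here only for contrast; it is not a recommendation for dm-crypt. The example checks two things: whether the known parity relation between ciphertexts lets an observer recover something that decrypts a fourth device's sector (it does under a stream mode with a sector-number nonce, and does not under XTS), and what XTS does leak with a shared key, namely that identical plaintext at the same sector number on two devices (a RAID1 mirror) produces byte-identical ciphertext.

```python
"""Added example: aes-xts-plain64 across same-keyed devices vs. a hypothetical
CTR mode with the same per-sector IV.  All keys and sector contents are
constructed test data, not captured from a real volume."""
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR = 512  # assumption: 512-byte dm-crypt sectors

# Constructed keys: 64 bytes = K1 || K2 for AES-256-XTS (dm-crypt 512-bit key).
KEY_A = hashlib.sha512(b"constructed master key A").digest()
KEY_B = hashlib.sha512(b"constructed master key B").digest()

# Constructed sector contents for a RAID5-like stripe and a fourth "victim" device.
D0 = bytes([0x41]) * SECTOR            # data sector on device 0
D1 = bytes(range(256)) * 2             # data sector on device 1
VICTIM = b"secret payload".ljust(SECTOR, b"\x00")  # same sector number, device 3


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def plain64_iv(sector: int) -> bytes:
    """dm-crypt 'plain64' IV: sector number as 64-bit little-endian, zero padded to 16 bytes."""
    return sector.to_bytes(8, "little") + bytes(8)


def xts_encrypt_sector(master_key: bytes, sector: int, data: bytes) -> bytes:
    """One sector under aes-xts-plain64: 64-byte key (K1||K2), tweak = plain64 IV."""
    assert len(master_key) == 64 and len(data) == SECTOR
    enc = Cipher(algorithms.AES(master_key), modes.XTS(plain64_iv(sector))).encryptor()
    return enc.update(data) + enc.finalize()


def ctr_encrypt_sector(master_key: bytes, sector: int, data: bytes) -> bytes:
    """Hypothetical stream mode (NOT what dm-crypt does with xts): AES-256-CTR keyed with
    K1 and nonce = plain64 IV, so two devices sharing a key reuse the keystream per sector."""
    enc = Cipher(algorithms.AES(master_key[:32]), modes.CTR(plain64_iv(sector))).encryptor()
    return enc.update(data) + enc.finalize()


def raid5_stripe_ciphertexts(encrypt, key, sector, d0, d1):
    """Three same-keyed devices: d0, d1 and parity = d0 XOR d1, all at `sector`."""
    parity = xor(d0, d1)
    return [encrypt(key, sector, d) for d in (d0, d1, parity)]


def parity_relation_leaks_keystream(encrypt, key, sector, d0, d1, victim) -> bool:
    """Attacker knows Pp = P0 XOR P1 (RAID5 structure) and sees all ciphertexts.
    Under a stream mode with shared key and per-sector nonce, C0^C1^Cp equals the
    keystream, which decrypts any other device's sector with the same number.
    Returns True if that recovery works against `victim`."""
    c0, c1, cp = raid5_stripe_ciphertexts(encrypt, key, sector, d0, d1)
    keystream_guess = xor(xor(c0, c1), cp)
    c_victim = encrypt(key, sector, victim)
    return xor(c_victim, keystream_guess) == victim


def xts_same_key_observations(key_a: bytes, key_b: bytes, data: bytes) -> dict:
    """What an observer of the raw disks can compare under XTS."""
    return {
        # RAID1 mirror on two LUKS devices with the same master key: identical ciphertext.
        "same_key_same_sector_equal": xts_encrypt_sector(key_a, 7, data)
        == xts_encrypt_sector(key_a, 7, data),
        # The same plaintext one sector over: tweak differs, ciphertext differs.
        "same_key_other_sector_equal": xts_encrypt_sector(key_a, 7, data)
        == xts_encrypt_sector(key_a, 8, data),
        # Different master keys per device: no cross-device equality to observe.
        "different_key_same_sector_equal": xts_encrypt_sector(key_a, 7, data)
        == xts_encrypt_sector(key_b, 7, data),
    }


if __name__ == "__main__":
    print("CTR (hypothetical) leaks keystream via parity:",
          parity_relation_leaks_keystream(ctr_encrypt_sector, KEY_A, 7, D0, D1, VICTIM))
    print("XTS leaks keystream via parity:",
          parity_relation_leaks_keystream(xts_encrypt_sector, KEY_A, 7, D0, D1, VICTIM))
    print(xts_same_key_observations(KEY_A, KEY_B, D0))
```

The design point: XTS is a tweaked block cipher, not a stream cipher, so the XOR structure RAID imposes on plaintext does not carry over to ciphertext, which is why the known parity relation yields nothing usable. What a shared key does give away is equality of identical sectors at identical sector numbers across devices; with per-device keys even that comparison is unavailable.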

