[dm-crypt] inner workings of block mode encryption

Arno Wagner arno at wagner.name
Mon Feb 9 02:53:03 CET 2015


On Sun, Feb 08, 2015 at 17:31:49 CET, U.Mutlu wrote:
> Ralf Ramsauer wrote, On 02/08/2015 03:22 PM:
[...]
> Hmm. IMO this is the major weak point of such static/symmetric crypto
> solutions.  Knowing just one cleartext file, for example a well known
> static system file from the /etc directory, and its encrpted data, could
> easily lead to the master key (assuming the encrypted volume contains such
> system files).

With modern block-ciphers there is no "easily" here. In fact there 
is "infeasible" here as you basically always can get some ciphertext/
plaintext pairs also in communication encryption and it does not
even need to be a "chosen plaintext" attack. Ciphers vulnerable to
that are worthless.

Really, you need to read up on what modern ciphers do. You also
need to read up on the terminology. Getting the meaning of 
"symmetric" and "asymmetric" wrong is a pretty bad mistake.
Not that I accuse you of anything, it is just that communication
gets hard if one side does not understand the basics.
 
> OTOH, a streaming crypto solution (I think also called 'asymmetric'),
> ie. where each block gets encrypted with a new key derived from
> the previous/initial key together with xoring with varying parts
> of the user data in the block, would IMO make up a much more secure
> crypto solution.

That is infeasible for block-layer encryption and very expensive for
file-level encryption. Hence nobody does it on system layer. You may
be thinkling of things like CBC-mode communication encryption. Block-
device storage is not a communication device, it works differently.
For character-device storage where you do never seek you could do 
this, but you donot get a file-system on these, just a raw 
bit-stream.
 
> >Just imagine: if you'd like to access the last sector of your volume
> >you'd have to generate the whole key stream which would probably take a
> >long time.
> 
> Yes, true, but I think this problem could be somehow solved.

You think wrong. This problem has been studied for at least
two decades and nobody found a solution for it. In fact, it
can very likely be formally proven that this problem cannot
be solved and keep the security guarantees intact.

Gr"usse,
Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


More information about the dm-crypt mailing list