[dm-crypt] inner workings of block mode encryption

Arno Wagner arno at wagner.name
Mon Feb 9 03:14:21 CET 2015


On Sun, Feb 08, 2015 at 22:34:22 CET, Ralf Ramsauer wrote:
> Hi
> 
> On 02/08/2015 06:42 PM, Heinz Diehl wrote:
> >> Knowing just one cleartext file, for example a well known static
> >> system file from the /etc directory, and its encrypted data, could
> >> easily lead to the master key (assuming the encrypted volume
> >> contains such system files).
> > Neither AES, serpent nor twofish are prone to known-plaintext attacks.
> > Breaking some rounds is not the same as breaking the cipher.
> >
> I absolutely agree, Heinz.
> 
> Only the knowledge of a plain text block and the corresponding cipher
> text block is NOT sufficient to "guess" or derive the key.
> This is one of the major design criteria of symmetric block ciphers.
> 
> When I did my first steps in cryptography I also naively thought that
> knowing a cipher text and a corresponding plain text automatically
> offers the possibility to derive the key but this is absolutely not the
> truth.

And information-theoretically it does. It is just computational
effort that stands in between and computational effort is tricky,
but also very real in this universe.

> And the use of the same key throughout your volume is NOT a vulnerability.

It is not. What is a vulnerability is that the same key is used
for multiple writes to the same sector. It does not allow decryption,
but it does allow seeing whether a sector has changed if the attacker
can access the volume several times.

This is also unavoidable when block sizes are mapped 1:1, metadata is 
of fixed size, and performance needs to be not too badly impacted. 
Hence it is accepted as a known limitation. 

Crypto is not perfect. Most crypto has known limitations and
vulnerabilities. The trick is to use the right method in the
right situation so that an attacker does not gain anything 
substantial. Hence crypto security is always with respect to
an attacker model (or equivalently, a set of attacker 
capabilities).

In addition, an attacker that can access a computer 2 or more times
with the user unlocking the encrypted storage in between is generally
assumed to have won in disk encryption, as this attacker can
compromise the boot process.
 
> If you're of another opinion please show me references.
> 
> I recommend you to read the following links:
> http://git.dyne.org/tomb/plain/doc/New_methods_in_HD_encryption.pdf
> http://en.wikipedia.org/wiki/Watermarking_attack
> http://en.wikipedia.org/wiki/Disk_encryption_theory
> http://cacr.uwaterloo.ca/hac/ <- great book, online available for free

I second that. In particular the thesis by Clemens is excellent.

It is not that we think you have no clue and should go away, it
is that it is very hard talking to you when we have to clear up
beginners' mistakes all the time. Crypto is hard and complicated;
some knowledge is required to even ask questions well.

Gr"usse,
Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
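The limitation Arno describes (one key, deterministic per-sector encryption, so two looks at the volume reveal which sectors changed without any decryption) can be seen directly with a small program. The following is an added example written for this thread, not code from the list or from dm-crypt itself; it uses only the Go standard library and models dm-crypt's aes-cbc-essiv:sha256 mode (IV = AES_{SHA256(key)}(little-endian sector number)) with a constructed AES-256 key and constructed sector contents. The key, the sample sectors, and the function names are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sectorSize is the 512-byte unit dm-crypt numbers sectors in.
const sectorSize = 512

// demoKey returns a constructed 32-byte AES-256 key (assumption for the demo;
// a real volume key comes from the LUKS header, never from a constant).
func demoKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(0xA0 + i)
	}
	return key
}

// essivIV derives the per-sector IV as cbc-essiv:sha256 does:
// the sector number (u64, little-endian, zero-padded to one block) is
// encrypted with SHA-256(key) as the key. The IV is thus fixed per sector.
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	blk, err := aes.NewCipher(salt[:])
	if err != nil {
		panic(err)
	}
	var in [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(in[:8], sector)
	iv := make([]byte, aes.BlockSize)
	blk.Encrypt(iv, in[:])
	return iv
}

// encryptSector encrypts one sector with AES-CBC under key and its ESSIV IV.
// Nothing here depends on how often the sector has been written, which is
// exactly why a rewrite of identical data yields identical ciphertext.
func encryptSector(key []byte, sector uint64, plain []byte) []byte {
	if len(plain) != sectorSize {
		panic("a sector must be exactly 512 bytes")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCEncrypter(blk, essivIV(key, sector)).CryptBlocks(out, plain)
	return out
}

// encryptVolume encrypts sectors[i] as sector number i and returns the
// ciphertext image an observer would see on the underlying device.
func encryptVolume(key []byte, sectors [][]byte) [][]byte {
	img := make([][]byte, len(sectors))
	for i, s := range sectors {
		img[i] = encryptSector(key, uint64(i), s)
	}
	return img
}

// changedSectors compares two ciphertext snapshots and lists the sector
// numbers whose bytes differ. This is all the observer learns: which sectors
// changed between the two looks, not what they contain.
func changedSectors(a, b [][]byte) []int {
	var changed []int
	for i := 0; i < len(a) && i < len(b); i++ {
		if !bytes.Equal(a[i], b[i]) {
			changed = append(changed, i)
		}
	}
	return changed
}

// sampleSectors builds a constructed three-sector volume; sectors 0 and 1
// hold identical data so the per-sector IV can be seen to matter.
func sampleSectors() [][]byte {
	return [][]byte{
		bytes.Repeat([]byte{0x41}, sectorSize),
		bytes.Repeat([]byte{0x41}, sectorSize),
		bytes.Repeat([]byte{0x42}, sectorSize),
	}
}

func main() {
	key := demoKey()
	first := encryptVolume(key, sampleSectors())
	// Rewrite the volume: sector 1 gets new content, the rest is written
	// back unchanged (as a filesystem would on a metadata update).
	second := sampleSectors()
	second[1] = bytes.Repeat([]byte{0x43}, sectorSize)
	fmt.Println("sectors 0 and 1 share plaintext but differ in ciphertext:",
		!bytes.Equal(first[0], first[1]))
	fmt.Println("sectors changed between snapshots:",
		changedSectors(first, encryptVolume(key, second)))
}
```

The comparison shows both sides of the point in the mail: ESSIV makes identical plaintext in different sectors look different (so the naive watermarking attack on plain CBC is closed), but a rewrite of the same sector is only hidden if its content changed, and an unchanged sector stays byte-identical across snapshots. Hiding that would need a fresh IV stored per write, which the 1:1 sector mapping and fixed-size metadata do not leave room for.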

