[dm-crypt] inner workings of block mode encryption
arno at wagner.name
Mon Feb 9 03:14:21 CET 2015
On Sun, Feb 08, 2015 at 22:34:22 CET, Ralf Ramsauer wrote:
> On 02/08/2015 06:42 PM, Heinz Diehl wrote:
> >> Knowing just one cleartext file, for example a well known static
> >> system file from the /etc directory, and its encrypted data, could
> >> easily lead to the master key (assuming the encrypted volume
> >> contains such system files).
> > Neither AES, serpent nor twofish are prone to known-plaintext attacks.
> > Breaking some rounds is not the same as breaking the cipher.
> I absolutely agree, Heinz.
> Only the knowledge of a plain text block and the corresponding cipher
> text block is NOT sufficient to "guess" or derive the key.
> This is one of the major design criteria of symmetric block ciphers.
> When I did my first steps in cryptography I also naively thought that
> knowing a cipher text and a corresponding plain text automatically
> offers the possibility to derive the key but this is absolutely not the
And information-theoretically it does. It is just computational
effort that stands in between, and computational effort is tricky,
but also very real in this universe.
> And the use of the same key throughout your volume is NOT a vulnerability.
It is not. What is a vulnerability is that the same key is used
for multiple writes to the same sector. It does not allow decryption,
but it does allow seeing whether a sector has changed if the attacker
can access the volume several times.
This is also unavoidable when block sizes are mapped 1:1, metadata is
of fixed size, and performance needs to be not too badly impacted.
Hence it is accepted as a known limitation.
Crypto is not perfect. Most crypto has known limitations and
vulnerabilities. The trick is to use the right method in the
right situation so that an attacker does not gain anything
substantial. Hence crypto security is always with respect to
an attacker model (or equivalently, a set of attacker
In addition, an attacker that can access a computer 2 or more times
with the user unlocking the encrypted storage in between is generally
assumed to have won in disk encryption, as this attacker can
compromise the boot process.
> If you're of another opinion please show me references.
> I recommend you to read the following links:
> http://cacr.uwaterloo.ca/hac/ <- great book, online available for free
I second that. In particular the thesis by Clemens is excellent.
It is not that we think you have no clue and should go away, it
is that it is very hard talking to you when we have to clear up
beginners mistakes all the time. Crypto is hard and complicated,
some knowledge is required to even ask questions well.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
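The sector-change leak Arno describes above (one key, a tweak derived only from the sector number, so identical data rewritten to the same sector encrypts identically) shown in runnable form. This is an added illustration written for this page, not dm-crypt or cryptsetup code. It assumes 512-byte sectors, AES-128-XTS with a "plain64"-style tweak (the 64-bit little-endian sector number zero-padded to 16 bytes) and the third-party Python `cryptography` package; the volume contents and the "/etc-like" file are constructed sample data.

```python
"""
Two-snapshot comparison against a deterministic disk-encryption mode.

Models the situation from the thread: aes-xts with a sector-number tweak, so
re-encrypting the same plaintext to the same sector under the same key gives
the same ciphertext. An attacker holding two images of the volume (taken
before and after the user unlocked it and worked on it) cannot decrypt
anything, but can diff the images and learn exactly which sectors changed.

Assumptions (added example, not dm-crypt/cryptsetup code):
  - 512-byte sectors, AES-128-XTS (32-byte key = two AES-128 keys).
  - Tweak = sector number as 64-bit little-endian, zero-padded to 16 bytes
    (the same shape as dm-crypt's "plain64" IV generator).
  - Requires the third-party 'cryptography' package.
"""
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512


def plain64_tweak(sector: int) -> bytes:
    """Sector number as 64-bit LE, padded to the 16-byte XTS tweak."""
    return sector.to_bytes(8, "little") + bytes(8)


def encrypt_sector(key: bytes, sector: int, plaintext: bytes) -> bytes:
    """Encrypt exactly one sector with AES-XTS under the given 32-byte key."""
    if len(plaintext) != SECTOR_SIZE:
        raise ValueError("exactly one full sector expected")
    enc = Cipher(algorithms.AES(key), modes.XTS(plain64_tweak(sector))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def encrypt_volume(key: bytes, sectors: list[bytes]) -> list[bytes]:
    """Encrypt a whole (small) volume sector by sector with one key."""
    return [encrypt_sector(key, i, s) for i, s in enumerate(sectors)]


def changed_sectors(image_a: list[bytes], image_b: list[bytes]) -> list[int]:
    """What an attacker with two images learns: the indices of sectors that differ."""
    return [i for i, (a, b) in enumerate(zip(image_a, image_b)) if a != b]


def demo() -> dict:
    """Run the two-snapshot scenario and return the observable facts."""
    key = os.urandom(32)

    # Constructed sample volume: 8 sectors, sector 1 holds a well-known static file.
    volume = [bytes([i]) * SECTOR_SIZE for i in range(8)]
    volume[1] = b"root:x:0:0:root:/root:/bin/bash\n".ljust(SECTOR_SIZE, b"\0")
    snapshot_1 = encrypt_volume(key, volume)

    # The user unlocks the volume, edits sector 1, and rewrites sector 5 with
    # byte-identical content (e.g. a file saved without changes).
    volume[1] = b"root:x:0:0:root:/root:/bin/zsh\n".ljust(SECTOR_SIZE, b"\0")
    volume[5] = bytes([5]) * SECTOR_SIZE
    snapshot_2 = encrypt_volume(key, volume)

    # The same plaintext written to a different sector gets a different tweak,
    # so the attacker cannot match identical content across sectors either.
    moved = encrypt_sector(key, 7, volume[5])

    return {
        "changed": changed_sectors(snapshot_1, snapshot_2),   # sector 1 only
        "rewrite_detectable": snapshot_1[5] != snapshot_2[5],  # identical rewrite hides
        "cross_sector_match": moved == snapshot_2[5],          # different tweak, no match
    }


if __name__ == "__main__":
    print(demo())
```

The diff shows the attacker the changed sector set but nothing about the new contents, which is the limitation the message calls acceptable: removing it would need a fresh random tweak stored per sector, i.e. extra per-sector metadata, which a 1:1 sector mapping with fixed-size metadata does not have room for (cryptsetup's authenticated-encryption setup on top of dm-integrity is the variant that does store per-sector IVs, at a space and performance cost).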