[dm-crypt] The future of disk encryption with LUKS2

Arno Wagner arno at wagner.name
Fri Feb 5 22:09:58 CET 2016


On Fri, Feb 05, 2016 at 20:53:44 CET, Arno Wagner wrote:
> On Fri, Feb 05, 2016 at 17:50:14 CET, Yves-Alexis Perez wrote:
> > On ven., 2016-02-05 at 16:24 +0100, Arno Wagner wrote:
> > > Then why are you asking about integrity protection on a list
> > > dedicated to a block-layer encryption system? That does not make
> > > any sense. If you state things that do not make sense then I
> > > will point that out, because there is a real possibility that
> > > your reasoning process (I am not implying there was none) was 
> > > flawed. 
> > 
> 
> > Because integrity protection *does* make sense on block layer encryption?
> > The fact that you don't have a 1:1 mapping is indeed an issue, and that's
> > why I was asking in the context of the LUKS2 thread (where supposedly new
> > ideas could be thrown), because solving the involved challenges would be
> > useful in the context of dm-crypt.  I think.  You could store all ICV in a
> > specific place in the block device, or have one block of ICVs every once
> > in a while, or something else.  It'd involve some clever calculation
> > indeed but it might be doable.
> > 
> > But I can perfectly understand if it's not something which interest
> > developers here, and I can perfectly take “no” as an answer :)
> 
> Well, as they plan to *experiment* with it anyways (and I assume
> "they" will be the dm-crypt people), we will see how viable it is.	
> 
> > > > > And second, who says anything about the "evil maid" changing
> > > > > things in the encrypted container?
> > > > 
> > > > I'm not following you here.
> > > 
> > > Attacks on hardware, replacement of the disk with something that
> > > attacks the boot process, Firewire, USB, etc. vulnerabilities, 
> > > changes in non-encrypted areas, etc.
> > 
> 
> > This is about your external disk drive or usb where you put data on it.
> > This is not about boot integrity or something, really.
> 
> I am well aware of that. Have a look at what types of "evil maid"
> attacks are possible today. If somebody competent had access to 
> your storage device, chances are they will be able to successfully 
> attack the next machine you plug it into. Sure, may be expensive,
> may take hardware modification, but do not think just because it 
> is "only" a storage device it is always safe to plug it into a 
> computer.
> 
> Regards,
> Arno

P.S. Also, I apologize, I think I over-reacted.

Regards,
Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
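The "one block of ICVs every once in a while" layout that Yves-Alexis sketches above, worked through as an added example (this is not code from the dm-crypt project or from anyone in the thread). It assumes a 512-byte sector, a 32-byte HMAC-SHA256 tag as the integrity check value, and a physical layout in which every group of 16 data sectors is preceded by one sector holding their 16 tags; the in-memory backing store and the sample writes are constructed for the demonstration. The point it makes concrete is the loss of the 1:1 logical-to-physical mapping (one extra sector per 16) and the arithmetic a block driver would need to locate both a data sector and its tag.

```python
"""Toy integrity-protected block device with interleaved ICV sectors.

Added example, not dm-crypt code. Layout, tag construction and the
in-memory store are assumptions chosen for illustration.
"""
import hashlib
import hmac

SECTOR_SIZE = 512
TAG_SIZE = 32                          # HMAC-SHA256 digest length
INTERLEAVE = SECTOR_SIZE // TAG_SIZE   # 16 data sectors share one ICV sector


class IntegrityError(Exception):
    """Raised when a sector's stored ICV does not match its contents."""


def layout(lsector):
    """Map a logical sector to (icv_sector, data_sector, tag_offset).

    Physical layout per group: [ICV sector][data_0 ... data_{INTERLEAVE-1}].
    Every INTERLEAVE logical sectors cost INTERLEAVE + 1 physical ones,
    so the mapping is no longer 1:1.
    """
    group, idx = divmod(lsector, INTERLEAVE)
    base = group * (INTERLEAVE + 1)
    return base, base + 1 + idx, idx * TAG_SIZE


def physical_sectors(n_logical):
    """Physical sectors needed for n_logical data sectors plus their ICVs."""
    groups = -(-n_logical // INTERLEAVE)   # ceiling division
    return groups * (INTERLEAVE + 1)


class IntegrityDevice:
    def __init__(self, key, n_logical):
        self.key = key
        self.n_logical = n_logical
        # Constructed in-memory backing store standing in for the block device.
        self.store = bytearray(physical_sectors(n_logical) * SECTOR_SIZE)

    def _tag(self, lsector, data):
        # Bind the tag to the sector number so a valid sector copied to a
        # different position still fails verification.
        msg = lsector.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, lsector, data):
        if len(data) != SECTOR_SIZE or not 0 <= lsector < self.n_logical:
            raise ValueError("bad sector number or data length")
        icv, phys, toff = layout(lsector)
        start = phys * SECTOR_SIZE
        self.store[start:start + SECTOR_SIZE] = data
        tstart = icv * SECTOR_SIZE + toff
        self.store[tstart:tstart + TAG_SIZE] = self._tag(lsector, data)

    def read(self, lsector):
        icv, phys, toff = layout(lsector)
        start = phys * SECTOR_SIZE
        data = bytes(self.store[start:start + SECTOR_SIZE])
        tstart = icv * SECTOR_SIZE + toff
        stored = bytes(self.store[tstart:tstart + TAG_SIZE])
        # Never-written sectors carry an all-zero tag and fail here too,
        # which is the behaviour an unformatted device should have.
        if not hmac.compare_digest(stored, self._tag(lsector, data)):
            raise IntegrityError(f"ICV mismatch on logical sector {lsector}")
        return data


def demo():
    """Write two sectors, verify one, then tamper with it (constructed data)."""
    dev = IntegrityDevice(b"k" * 32, n_logical=40)
    dev.write(0, b"A" * SECTOR_SIZE)
    dev.write(17, b"B" * SECTOR_SIZE)   # second group: physical sector 19
    ok = dev.read(17) == b"B" * SECTOR_SIZE
    # An attacker with the raw device flips one byte of the data sector.
    _, phys, _ = layout(17)
    dev.store[phys * SECTOR_SIZE] ^= 0x01
    try:
        dev.read(17)
        detected = False
    except IntegrityError:
        detected = True
    return ok, detected


if __name__ == "__main__":
    print(demo())   # (True, True)
```

Two caveats a practitioner would raise against this scheme, both of which a real implementation has to address: a per-sector tag detects modification and (because the sector number is in the HMAC input) relocation, but not rollback of a sector together with its tag to an earlier valid version; and the data sector and its ICV sector are two separate writes, so a crash between them leaves a sector that will fail verification on the next read unless the layer journals the pair. The space cost of this particular layout is one extra sector per 16, i.e. about 6%.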
