[dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions

Milan Broz gmazyland at gmail.com
Mon Dec 23 08:56:29 CET 2013

On 12/23/2013 12:07 AM, /dev/ph0b0s wrote:
> On 12/22, Milan Broz wrote:
>> Below is a very nice example of another "Evil maid" type attack,
>> here directly applied to LUKS CBC disks.
>> I think it clearly shows the known rule:
>> If you let your machine out of your sight, it is no longer your machine.
>> What is important (and blog mentions it)
>> "It has already been known for a long time that CBC does not prevent
>> a malleability attack (targeted manipulation of encrypted data) given
>> that the attacker can modify the ciphertext and knows the corresponding
>> plaintext as well."
> Even more important, in this particular case, is that this "practical
> malleability attack" isn't actually very practical at all:
>     "In the following I assume that we already have access to the
>     original plaintext and the ciphertext of one file on the system and
>     that we want to do our manipulations in this file:"

Sure. On the other hand, if you have a "golden image" and all your
company laptops are encrypted using the same plaintext in the beginning,
this could be possible.

Anyway, I do not think this attack is anything new - it is just a real
application of known facts to one specific case.
But it is worth mentioning here.

>> BTW the blog doesn't mention that CBC is no longer the default mode for cryptsetup
>> and was replaced by XTS mode.
> The original post to f-d [0] that you forwarded does mention this:

I meant this part:

"When manually creating LUKS partitions, you should make sure to use XTS
instead of CBC (which is still the default when running cryptsetup
luksFormat without a cipher specification):"

It has not been the default since the 1.6.0 upstream version (and it was
configurable even before for distro maintainers).
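
Added example (not part of the original message and not cryptsetup code): a small check that reads the cipher-name and cipher-mode fields from the start of a LUKS1 header and reports whether the volume was formatted with a CBC mode. The field layout follows the LUKS1 on-disk format; the function names and the sample headers are constructed for this illustration.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
# Leading fields of the LUKS1 on-disk header, all big-endian:
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset, key-bytes
PHDR_PREFIX = struct.Struct(">6sH32s32s32sII")


def _cstr(raw):
    """Decode a NUL-padded fixed-width header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_prefix(blob):
    """Return cipher settings from the first 112 bytes of a LUKS1 header."""
    if len(blob) < PHDR_PREFIX.size:
        raise ValueError("need at least %d bytes" % PHDR_PREFIX.size)
    magic, version, name, mode, hash_spec, _offset, key_bytes = \
        PHDR_PREFIX.unpack_from(blob)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic")
    if version != 1:
        raise ValueError("only LUKS version 1 is handled here")
    return {"cipher_name": _cstr(name), "cipher_mode": _cstr(mode),
            "hash_spec": _cstr(hash_spec), "key_bits": key_bytes * 8}


def uses_cbc(hdr):
    """True for cbc-plain, cbc-essiv:sha256 and other CBC variants."""
    return hdr["cipher_mode"].lower().split("-", 1)[0] == "cbc"


def build_sample(name, mode, key_bytes):
    """Constructed header prefix for testing; not taken from a real disk."""
    return PHDR_PREFIX.pack(LUKS_MAGIC, 1, name.encode(), mode.encode(),
                            b"sha1", 4096, key_bytes)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # header backup file or block device
        with open(sys.argv[1], "rb") as fh:
            blobs = [fh.read(PHDR_PREFIX.size)]
    else:                          # constructed samples
        blobs = [build_sample("aes", "cbc-essiv:sha256", 32),
                 build_sample("aes", "xts-plain64", 64)]
    for blob in blobs:
        hdr = parse_luks1_prefix(blob)
        verdict = "CBC" if uses_cbc(hdr) else "not CBC"
        print(hdr["cipher_name"], hdr["cipher_mode"], hdr["key_bits"], verdict)
```

Run without arguments it evaluates the two constructed headers; given a path, it reads the header prefix from that file or device instead.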


