[dm-crypt] Practical malleability attack agains CBC-Encrypted LUKS partitions

Arno Wagner arno at wagner.name
Mon Dec 23 12:33:25 CET 2013

On Sun, Dec 22, 2013 at 23:06:25 CET, Milan Broz wrote:
> Below is very nice example of another "Evil maid" type attacks,
> here directly applied to LUKS CBC disks.
> I think it clearly shows known rule:
> If you let your machine out of your sight, it is no longer your machine.

Indeed! The attacher could just as well install a Blue Pill into the boot
record and then all is lost anyways.
> What is important (and blog mentions it)
> "It has already been known for a long time that CBC does not prevent
> a malleability attack (targeted manipulation of encrypted data) given
> that the attacker can modify the ciphertext and knows the corresponding
> plaintext as well."

References, e.g. 
[1] "New Methods in Hard Disk Encryption", Clemens Fruhwirth, 2005

> There is no integrity protection in LUKS devices (even cannot be
> for transparent disk encryption because there is no additional space
> to store integrity checksum / authentization tag data).
> Modification (random or malicious) of ciphertext is simply not detectable
> on the LUKS/dmcrypt level.
> BTW blog doesn't mention that CBC is no longer default mode for cryptsetup
> and was replaced by XTS mode.

The blogger recommends using XTS to fix the problem though. Funny. 
I guess if people were doing better research, we would be seeing less
blog postings....

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list