[dm-crypt] Cryptographic issues with SSD-technology and wide-block encryption modes
ms at citd.de
Wed Feb 6 12:07:13 CET 2013
On 06.02.2013 11:06, Stavros Kousidis wrote:
> One essential issue that concerns full disk encryption on SSDs, that I
> have not seen in a mail discussion here so far (might be there and I
> simply missed it), is the distribution of an uncontrollable amount of
> copies of SSD-page contents (~4096 Bytes) where only a limited number
> of blocks (~16 Bytes) have changed. This is initiated by local changes
> in userspace data and technically due to the complex nature of the
> flash translation layer (mainly wear leveling techniques), the
> narrow-block encryption modes (here: XTS) and sector-wise constant
> IVs. In Cipher-block chaining mode the position where a bit-flip
> happened is visible in principle.
Let me paraphrase: you are worried about someone physically ripping the
SSD out of your computer, desoldering the chips and reverse engineering
the wear-leveling. In the off-chance that there actually are several
generations of a somehow vulnerable block (or several) and the changes
would tell the attacker "something".
With the slight variations:
a) Someone with root privileges making full copies of the device at
different points in time
b) Someone with root privileges and the SSD containing some vendor
specific commands to read the RAW contents of the flash and/or
possibility to get older versions of blocks (at different points in
c) Taking the SSD out and making full copies at different points in
d) c in variant b
e) Things that don't come to my mind
I would worry about these things, before I worry about POTENTIAL
information leakage of several generations of a specific block.
In all cases you already need a vulnerability to even get to the
I don't say the theoretical vulnerability doesn't exist, but there are
things much more serious before worrying about such theoretical things.
Among the first I would worry about: The so called "cold-boot attack".
At least for cases where you worry about someone with physical access.
I would call this a typical case for the: "Law Of Diminishing
There is a gain, but the amount of work is disproportional.
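
Added example, not part of the original message or of dm-crypt: a sketch of what two stored generations of one sector reveal under a narrow-block mode versus CBC with a sector-constant IV, as described in the quoted text. It uses a constructed 4-round Feistel permutation as a stand-in for AES and an XTS-like tweak per block; every function name, the key, the sector number and the sector contents are assumptions made for the demo.

```python
import hashlib
import hmac

BLOCK = 16    # cipher block size in bytes
SECTOR = 512  # constructed sector size for this demo

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Stand-in for AES: a 4-round Feistel permutation on 16 bytes (demo only)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + tweak + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def encrypt_narrow(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XTS-like: block j depends only on key, sector number, j and its own plaintext."""
    out = b""
    for j in range(0, len(data), BLOCK):
        tweak = sector_no.to_bytes(8, "little") + (j // BLOCK).to_bytes(2, "little")
        out += toy_cipher(key, tweak, data[j:j + BLOCK])
    return out

def encrypt_cbc(key: bytes, sector_no: int, data: bytes) -> bytes:
    """CBC with an IV that is constant per sector (derived from the sector number)."""
    prev = sector_no.to_bytes(BLOCK, "little")
    out = b""
    for j in range(0, len(data), BLOCK):
        prev = toy_cipher(key, b"", xor(data[j:j + BLOCK], prev))
        out += prev
    return out

def changed_blocks(old: bytes, new: bytes) -> list[int]:
    """Indices of 16-byte ciphertext blocks that differ between two generations."""
    return [j // BLOCK for j in range(0, len(old), BLOCK)
            if old[j:j + BLOCK] != new[j:j + BLOCK]]

def demo() -> tuple[list[int], list[int]]:
    key = b"constructed demo key"
    gen1 = bytes(SECTOR)            # constructed plaintext, generation 1
    gen2 = bytearray(gen1)
    gen2[5 * BLOCK] ^= 1            # generation 2: one bit flipped in block 5
    narrow = changed_blocks(encrypt_narrow(key, 7, gen1), encrypt_narrow(key, 7, bytes(gen2)))
    cbc = changed_blocks(encrypt_cbc(key, 7, gen1), encrypt_cbc(key, 7, bytes(gen2)))
    return narrow, cbc

if __name__ == "__main__":
    print(demo())
```

The narrow-block result pinpoints the single 16-byte block that changed, while the CBC result marks every block from the change to the end of the sector, so its first entry still shows where the change happened.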