[dm-crypt] Cryptographic issues with SSD-technology and wide-block encryption modes

Arno Wagner arno at wagner.name
Wed Feb 6 13:45:33 CET 2013

On Wed, Feb 06, 2013 at 12:07:13PM +0100, Matthias Schniedermeyer wrote:
> On 06.02.2013 11:06, Stavros Kousidis wrote:
> > 
> > One essential issue that concerns full disk encryption on SSDs, that I 
> > have not seen in a mail discussion here so far (might be there and I 
> > simply missed it), is the distribution of an uncontrollable amount of 
> > copies of SSD-page contents (~4096 Bytes) where only a limited number 
> > of blocks (~16 Bytes) have changed. This is initiated by local changes 
> > in userspace data and technically due to the complex nature of the 
> > flash translation layer (mainly wear leveling techniques), the 
> > narrow-block encryption modes (here: XTS) and sector-wise constant 
> > IVs. In Cipher-block chaining mode the position where a bit-flip 
> > happened is visible in principle.
> Let me paraphrase: you are worried about someone physically ripping the 
> SSD out of your computer, desoldering the chips and reverse engineering 
> the wear-leveling. In the off-chance that there actually are several 
> generations of a somehow vulnerable block (or several) and the changes 
> would tell the attacker "something".
> With the slight variations:
> a) Someone with root privileges making full copies of the device at 
> different points in time
> b) Someone with root privileges and the SSD containing some vendor 
> specific commands to read the RAW contents of the flash and/or 
> possibility to get older versions of blocks (at different points in 
> time)
> c) Taking the SSD out and making full copies at different points in 
> time.
> d) c in variant b
> e) Things that don't come to my mind

Nice list! ;-)

Here is one more:
f) Chain-reallocation of a sector in a HDD because of some external 
   issue like vibration. With the difference that the old copies 
   live forever.

> In short:
> I would worry about these things, before I worry about POTENTIAL 
> information leakage of several generations of a specific block.
> In all cases you already need a vulnerability to even get to the 
> information.
> I don't say the theoretical vulnerability doesn't exist, but there are 
> things much more serious before worrying about such theoretical things.

Actually, I think it is a bit different: These vulnerabilities
are practical, but do not apply in almost all situations. That
means the right way to deal with them is to document them but
tell the very few people that would have a problem to just 
not use this system. It certainly does not justify massive
changes to a system that works well.

> Among the first I would worry about: The so called "cold-boot attack".
> At least for cases where you worry about someone with physical access.
> I would call this a typical case of the "Law Of Diminishing 
> Returns".
> There is a gain, but the amount of work is disproportional.


Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
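The position leak that Stavros describes in the first quoted paragraph, worked through as an added example (this is not code from the original mail or from dm-crypt): one 4096-byte sector is encrypted twice with the same key and the same sector-derived tweak, once before and once after a single bit-flip in user data, and the block indices at which the two ciphertext generations differ are reported, for AES-XTS (narrow-block) and for CBC with a sector-constant IV. Assumptions: AES-256-XTS via the Python `cryptography` package; a keyed-hash stand-in, marked as such in the code, replaces the cipher only if that package is missing and only reproduces the per-block determinism under study; key, sector number and sector contents are constructed sample values.

```python
"""Added example: which 16-byte blocks differ between two ciphertext generations
of the same sector after a one-bit plaintext change, under AES-XTS (narrow-block,
sector-constant tweak) and under CBC with a sector-derived constant IV."""
import hashlib
import os
import struct
from typing import Dict, List

SECTOR_BYTES = 4096   # SSD page size quoted in the mail
BLOCK_BYTES = 16      # AES block size, the "~16 Bytes" granularity in the mail

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:  # stand-in path, see _prf_block(); it is not a cipher
    HAVE_CRYPTOGRAPHY = False


def _sector_tweak(sector_no: int) -> bytes:
    # 16-byte little-endian sector number: constant per sector, like a plain64 IV.
    return struct.pack("<QQ", sector_no, 0)


def _prf_block(key: bytes, *parts: bytes) -> bytes:
    """Stand-in used only when `cryptography` is unavailable: a keyed hash truncated
    to one block. Not decryptable, not a cipher; it only preserves the property
    studied here, that a block's output depends solely on the inputs listed."""
    h = hashlib.sha256(key)
    for p in parts:
        h.update(p)
    return h.digest()[:BLOCK_BYTES]


def encrypt_xts(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Narrow-block mode: ciphertext block i depends on (key, tweak, i, P_i) only."""
    tweak = _sector_tweak(sector_no)
    if HAVE_CRYPTOGRAPHY:
        # key is 64 bytes (two AES-256 keys) for AES-256-XTS
        enc = Cipher(algorithms.AES(key), modes.XTS(tweak), backend=default_backend()).encryptor()
        return enc.update(plaintext) + enc.finalize()
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK_BYTES):
        out += _prf_block(key, tweak, struct.pack("<I", i // BLOCK_BYTES),
                          plaintext[i:i + BLOCK_BYTES])
    return bytes(out)


def encrypt_cbc(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Chained mode with a constant, sector-derived IV: block i depends on P_0..P_i."""
    iv = _sector_tweak(sector_no)
    if HAVE_CRYPTOGRAPHY:
        enc = Cipher(algorithms.AES(key[:32]), modes.CBC(iv), backend=default_backend()).encryptor()
        return enc.update(plaintext) + enc.finalize()
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK_BYTES):
        block = bytes(a ^ b for a, b in zip(prev, plaintext[i:i + BLOCK_BYTES]))
        prev = _prf_block(key[:32], block)
        out += prev
    return bytes(out)


def changed_blocks(old: bytes, new: bytes) -> List[int]:
    """Indices of 16-byte blocks that differ between two ciphertext generations."""
    return [i // BLOCK_BYTES for i in range(0, len(old), BLOCK_BYTES)
            if old[i:i + BLOCK_BYTES] != new[i:i + BLOCK_BYTES]]


def leak_positions(key: bytes, sector_no: int, plaintext: bytes,
                   flip_offset: int) -> Dict[str, List[int]]:
    """Flip one bit of user data at flip_offset and report what each mode reveals
    to someone holding both the old and the new ciphertext copy of the sector."""
    modified = bytearray(plaintext)
    modified[flip_offset] ^= 0x01
    modified = bytes(modified)
    return {
        "xts": changed_blocks(encrypt_xts(key, sector_no, plaintext),
                              encrypt_xts(key, sector_no, modified)),
        "cbc": changed_blocks(encrypt_cbc(key, sector_no, plaintext),
                              encrypt_cbc(key, sector_no, modified)),
    }


if __name__ == "__main__":
    key = os.urandom(64)                                  # constructed key material
    sector = bytes(range(256)) * (SECTOR_BYTES // 256)    # constructed sector contents
    leak = leak_positions(key, sector_no=12345, plaintext=sector, flip_offset=1600)
    print("XTS: changed blocks ->", leak["xts"])           # only block 100 (1600 // 16)
    print("CBC: changed blocks ->", leak["cbc"][:3], "... through", leak["cbc"][-1])
```

Under XTS exactly one 16-byte block differs, so two retained generations of the same page pinpoint the changed 16 bytes; under CBC every block from the change onward differs, so only the position of the first change is exposed. A wide-block mode, the alternative named in the subject line, would change the entire sector and reduce the leak to "this sector changed somewhere".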
