[dm-crypt] Cryptographic issues with SSD-technology and wide-block encryption modes

Arno Wagner arno at wagner.name
Wed Feb 6 14:06:57 CET 2013

On Wed, Feb 06, 2013 at 01:52:40PM +0100, Milan Broz wrote:
> On 02/06/2013 11:32 AM, Arno Wagner wrote:
> > On Wed, Feb 06, 2013 at 11:06:11AM +0100, Stavros Kousidis wrote:
> >> One essential issue that concerns full disk encryption on SSDs, that I
> >> have not seen in a mail discussion here so far (might be there and I
> >> simply missed it), is the distribution of an uncontrollable amount of
> >> copies of SSD-page contents (~4096 Bytes) where only a limited number of
> >> blocks (~16 Bytes) have changed.  This is initiated by local changes in
> >> userspace data and technically due to the complex nature of the flash
> >> translation layer (mainly wear leveling techniques), the narrow-block
> >> encryption modes (here: XTS) and sector-wise constant IVs.  In
> >> Cipher-block chaining mode the position where a bit-flip happened is
> >> visible in principle.
> > 
> > I am aware of that issue. However, XTS mode should lead to a full sector
> > (512 Bytes) change even if only one bit is changed. That is the whole
> > point of modes like XTS, EME, etc.
> I am afraid this is not true for XTS. Blocks inside XTS can be processed
> in parallel (so they cannot depend on each other), so the effect can be

Hmm. You are right, my mistake. I sort of assumed XTS was not
weaker than CBC for this particular attack without really
checking. One look at the definition makes it very obvious.

> exactly opposite - first bit change in (the same) sector using e.g. CBC
> will change the whole ciphertext sector, while with XTS only first
> encryption block (16 bytes) is changed.
> I tried to show it here http://mbroz.fedorapeople.org/talks/DevConf2012/img6.jpg
> But despite that, XTS is usually better. 

I agree. And attacks where attackers have repeated access to the
ciphertext, but not the plaintext, are quite rare anyways. And
even then, usually nothing significant is gained.

> But it would be nice to have
> some non-patent-encumbered wide mode (no code changes needed, just someone
> has to invent it and add it to the crypto API :-)


Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
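The effect Milan describes, as an added example that is neither code from this thread nor from dm-crypt: a small Go program implementing AES-XTS as specified in IEEE P1619 (tweak derivation and the multiply-by-alpha step, no ciphertext stealing since a 512-byte sector is whole blocks), encrypting the same sector twice with a single bit flipped, and counting how many 16-byte ciphertext blocks change under XTS versus CBC with a constant per-sector IV. The keys, sector number and sector contents are constructed sample values.

```go
package main

import "bytes"
import "crypto/aes"
import "crypto/cipher"
import "crypto/subtle"
import "encoding/binary"
// xtsEncrypt: AES-XTS (IEEE P1619) over a data unit of whole 16-byte blocks (a 512-byte
// sector needs no ciphertext stealing). k1 encrypts data, k2 the tweak, unit = sector number.
func xtsEncrypt(k1, k2 cipher.Block, unit uint64, plain []byte) []byte {
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], unit)
	k2.Encrypt(t[:], t[:]) // T_0 = E_K2(unit)
	out := make([]byte, len(plain))
	for off := 0; off < len(plain); off += 16 {
		blk := out[off : off+16] // C_j = E_K1(P_j xor T_j) xor T_j: block j never sees block j-1
		subtle.XORBytes(blk, plain[off:off+16], t[:])
		k1.Encrypt(blk, blk)
		subtle.XORBytes(blk, blk, t[:])
		carry := t[15] >> 7 // T_{j+1} = T_j * alpha in GF(2^128), little-endian bit order
		for i := 15; i > 0; i-- {
			t[i] = t[i]<<1 | t[i-1]>>7
		}
		t[0] = t[0]<<1 ^ (0x87 & -carry) // reduce by x^128 + x^7 + x^2 + x + 1 if a bit fell out
	}
	return out
}
// changedBlocks counts the 16-byte blocks that differ between two ciphertexts.
func changedBlocks(a, b []byte) (n int) {
	for off := 0; off < len(a); off += 16 {
		if !bytes.Equal(a[off:off+16], b[off:off+16]) {
			n++
		}
	}
	return n
}
// FlipDemo encrypts a constructed 512-byte sector, flips one bit in byte 100 (block 6 of 32),
// re-encrypts under the same key and sector number, as a rewrite of that sector does, and
// returns how many ciphertext blocks changed under XTS and under CBC with a plain64-style IV.
func FlipDemo() (xtsChanged, cbcChanged int) {
	k1, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 16)) // constructed keys; lengths are fixed
	k2, _ := aes.NewCipher(bytes.Repeat([]byte{0x24}, 16))
	sector := bytes.Repeat([]byte("dm-crypt"), 64)
	flipped := append([]byte(nil), sector...)
	flipped[100] ^= 0x01
	iv := make([]byte, 16) // CBC IV = little-endian sector number, identical on every rewrite
	binary.LittleEndian.PutUint64(iv, 1234)
	c0, c1 := make([]byte, len(sector)), make([]byte, len(sector))
	cipher.NewCBCEncrypter(k1, iv).CryptBlocks(c0, sector)
	cipher.NewCBCEncrypter(k1, iv).CryptBlocks(c1, flipped)
	return changedBlocks(xtsEncrypt(k1, k2, 1234, sector), xtsEncrypt(k1, k2, 1234, flipped)), changedBlocks(c0, c1)
}
```

With XTS only block 6 changes; with CBC block 6 and every block after it change, which is exactly the difference an observer with repeated access to the ciphertext of the same sector gets to see.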
