[dm-crypt] Cascading two plain dm-crypt volumes

Arno Wagner arno at wagner.name
Fri Nov 29 06:06:05 CET 2013

On Fri, Nov 29, 2013 at 02:31:19 CET, anderson jackson wrote:
> On Fri, 29 Nov 2013 02:03:53 +0100 Arno Wagner <arno at wagner.name> wrote
> > On Fri, Nov 29, 2013 at 01:49:57 CET, anderson jackson wrote:
> > > On Fri, 29 Nov 2013 01:32:51 +0100 Arno Wagner <arno at wagner.name> wrote
> > > 
> > > > If I understood this right, it is plain(luks(data))
> > > 
> > > No actually I meant plain(plain(data)). Therefore you won't see the luks
> > > header when the attacker finds the correct pass but just random data.
> > > 
> > 
> > That is not really more secure than just plain with the two 
> > passphrases concatenated (as long as the entropy does not
> > exceed the key length). No reason to do this, except if you 
> > mistrust the ciphers and want to use two different ones.
> My knowledge about the subject is only skin deep. However I feel as if I
> am missing something and in addition to that I must have explained myself
> poorly.  What I was suggesting is cascading two identical ciphers (both
> AES) in plain mode with two independent passphrases one for the first
> plain block device and another for the second one.
> /dev/sdx = random data
> /dev/mapper/cascade1 = random data
> /dev/mapper/cascade2 = file system

Ah, I see. I misread that one, as this approach has zero benefits.

> Let’s say an attacker is using brute force to find the passphrase and
> let’s say the tries he has performed includes the first passphrase.  When
> that passphrase was tried the decrypted result would have been random data
> just as if it were a wrong passphrase.  The attacker has no way of knowing
> that there is a cascade since there is no header or other identifiable
> markers.  So even when he finds the correct passphrase it would appear to
> be a failed attempt because he only gets random data.  He would have to
> try to brute force the passphrase for the second plain block device for
> each of the used phrases of the first block device.

That is not how it works, unfortunately. While your idea is
somewhat intuitive, there is no way to brute-force even 
a 128 bit AES key. Hence such an attacker must know some
weakness in the cipher. But the thing is that possibly
there is a key k3 so that

   aes(k1, aes(k2, data)) = aes(k3, data)

and hence layering the same cipher may completely worthless.
AFAIK this type of approach was abandoned quite a while ago
in the research community.

Just use a single AES layer and pump up the passphrase entropy
by doing 

   aes(k1+k2, data)

which is massively more secure unless k1, k2 have entropy in 
the size of the key-length.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list