[dm-crypt] iv generation from third-party code
arno at wagner.name
Thu May 7 11:29:43 CEST 2015
On Thu, May 07, 2015 at 10:12:42 CEST, Fraser Scott wrote:
> Thanks for taking the time to reply.
> I did some playing around in Ruby before getting further help from IRC. I
> was able to decrypt the first 32 bytes in ECB mode using some counter mode
> inspired IV tweaking. The first 16 bytes were decrypted using an IV of 0x0
> and the next 16 bytes were decrypted using the unmodified user supplied IV.
> After that it gets a bit funky, but I believe this matches up with what is
> expected from LRW mode.
In that case, you should probably aim to do the whole decryption
in Ruby. Will be a lot less effort on the development side, and
who cares if it takes some hours or days to do the full decryption
once it works. (And disk-encryption can be very easily parallelized on
sector-level in addition.) This way you can do away with all the
kernel-module and driver stuff and just have to get the crypto right.
As to LRW-Mode, from
I deduce that indeed you get X = 0 for the first 16 byte block
and X = F for the second. From block 2 onwards, you need GF(2^128)
multiplication to get X. However, for the second block (index 1),
that should be E_k(Block + X) + X with "+" as addition in GF(2^128),
so just using X as the "IV" would not be enough. (Decryption works
the same, just replace E_k by D_k).
I am not sure what LRW does with sector numbers, it may just
divide the whole device into 16 byte blocks and count them from
The math can be googled with "gf(2^128)".
Easiest way on the coding side would probably be to just make an
image-file of the drive and work with that and decrypt to a second
image file. Linux has no problems with files that are a few
hundred GB large.
Just one remark: Your terminology seems to be off, as ECB does not
have an IV. I suggest using the formula from Wikipedia directly and
to forget about "IV"s.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
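The LRW relation Arno spells out above (C_i = E_k(P_i + X_i) + X_i with X_i = F * i in GF(2^128), and the same with D_k for decryption) as an added, runnable example. This is not code from Arno's message, from Fraser, or from dm-crypt/cryptsetup. Assumptions made here and not stated in the thread: the block index i counts from 0 so that X_0 = 0 and X_1 = F as deduced above, 128-bit blocks are read as little-endian polynomials over x^128 + x^7 + x^2 + x + 1, and the block cipher is a constructed SHA-256 Feistel stand-in so the script runs with the standard library only (it is not AES; a real recovery would plug in the actual cipher and must match the implementation's index origin and bit ordering).

```python
"""LRW mode with a pluggable block cipher (added example, not from the thread).

Tweak: X_i = K2 (x) i in GF(2^128);  encrypt: C_i = E_k(P_i ^ X_i) ^ X_i;
decrypt: P_i = D_k(C_i ^ X_i) ^ X_i.  The tweak is applied on BOTH sides of
the block cipher, so treating X_i as a CBC-style "IV" is not enough.
"""
import hashlib

BLOCK = 16
# Reduction polynomial x^128 + x^7 + x^2 + x + 1 (the one XTS and GCM also use).
POLY = (1 << 128) | 0x87


def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiply of two 128-bit ints, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:          # degree reached 128: reduce
            a ^= POLY
    return r


def lrw_tweak(k2: bytes, index: int) -> bytes:
    """X_index = K2 * index in GF(2^128).  index 0 -> zeros, index 1 -> K2.
    Assumption: little-endian byte order, byte 0 bit 0 is the x^0 coefficient."""
    k2_int = int.from_bytes(k2, "little")
    return gf128_mul(k2_int, index).to_bytes(BLOCK, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyCipher:
    """Constructed 128-bit block cipher stand-in: 4-round Feistel network with a
    SHA-256 round function.  Only here so the example runs offline; not AES."""
    ROUNDS = 4

    def __init__(self, key: bytes):
        self.key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(self.key + bytes([rnd]) + half).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        l, r = block[:8], block[8:]
        for i in range(self.ROUNDS):
            l, r = r, xor(l, self._f(i, r))
        return l + r

    def decrypt_block(self, block: bytes) -> bytes:
        l, r = block[:8], block[8:]
        for i in reversed(range(self.ROUNDS)):
            l, r = xor(r, self._f(i, l)), l
        return l + r


def lrw_encrypt(cipher, k2: bytes, plaintext: bytes, first_index: int = 0) -> bytes:
    assert len(plaintext) % BLOCK == 0, "LRW needs whole 16-byte blocks"
    out = bytearray()
    for n in range(len(plaintext) // BLOCK):
        x = lrw_tweak(k2, first_index + n)
        p = plaintext[n * BLOCK:(n + 1) * BLOCK]
        out += xor(cipher.encrypt_block(xor(p, x)), x)
    return bytes(out)


def lrw_decrypt(cipher, k2: bytes, ciphertext: bytes, first_index: int = 0) -> bytes:
    assert len(ciphertext) % BLOCK == 0, "LRW needs whole 16-byte blocks"
    out = bytearray()
    for n in range(len(ciphertext) // BLOCK):
        x = lrw_tweak(k2, first_index + n)
        c = ciphertext[n * BLOCK:(n + 1) * BLOCK]
        out += xor(cipher.decrypt_block(xor(c, x)), x)
    return bytes(out)


def demo() -> dict:
    """Three identical plaintext blocks under constructed keys; returns the
    observations the thread discusses so they can be checked."""
    k1 = bytes(range(16))          # constructed block-cipher key
    k2 = bytes(range(16, 32))      # constructed tweak key (Arno's "F")
    cipher = ToyCipher(k1)
    pt = b"LRW sector block" * 3   # 48 bytes = blocks 0, 1, 2
    ct = lrw_encrypt(cipher, k2, pt)
    c0, c1, c2 = ct[:16], ct[16:32], ct[32:48]
    x1 = lrw_tweak(k2, 1)
    return {
        "roundtrip_ok": lrw_decrypt(cipher, k2, ct) == pt,
        "tweak0_is_zero": lrw_tweak(k2, 0) == bytes(16),
        "tweak1_is_k2": x1 == k2,
        # Block 0 has X = 0, so it is plain ECB under K1.
        "block0_is_ecb": cipher.decrypt_block(c0) == pt[:16],
        # Block 1 needs K2 on both sides of D_k, not just XORed once.
        "block1_correct": xor(cipher.decrypt_block(xor(c1, x1)), x1) == pt[16:32],
        "block1_iv_style_wrong": xor(cipher.decrypt_block(c1), x1) != pt[16:32],
        # Identical plaintext blocks give different ciphertext blocks (unlike ECB).
        "blocks_differ": len({c0, c1, c2}) == 3,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

To use this on a real image the stand-in cipher would be replaced by the volume's actual cipher and `first_index` set to the block index of the sector being processed; the GF(2^128) convention and the index origin both have to be confirmed against the implementation that wrote the volume.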