[dm-crypt] The future of disk encryption with LUKS2
arno at wagner.name
Fri Feb 5 22:09:58 CET 2016
On Fri, Feb 05, 2016 at 20:53:44 CET, Arno Wagner wrote:
> On Fri, Feb 05, 2016 at 17:50:14 CET, Yves-Alexis Perez wrote:
> > On ven., 2016-02-05 at 16:24 +0100, Arno Wagner wrote:
> > > Then why are you asking about integrity protection on a list
> > > dedicated to a block-layer encryption system? That does not make
> > > any sense. If you state things that do not make sense then I
> > > will point that out, because there is a real possibility that
> > > your reasoning process (I am not implying there was none) was
> > > flawed.
> > Because integrity protection *does* make sense on block layer encryption?
> > The fact that you don't have a 1:1 mapping is indeed an issue, and that's
> > why I was asking in the context of the LUKS2 thread (where supposedly new
> > ideas could be thrown), because solving the involved challenges would be
> > useful in the context of dm-crypt. I think. You could store all ICV in a
> > specific place in the block device, or have one block of ICVs every once
> > in a while, or something else. It'd involve some clever calculation
> > indeed but it might be doable.
> > But I can perfectly understand if it's not something which interests
> > developers here, and I can perfectly take “no” as an answer :)
> Well, as they plan to *experiment* with it anyways (and I assume
> "they" will be the dm-crypt people), we will see how viable it is.
> > > > > And second, who says anything about the "evil maid" changing
> > > > > things in the encrypted container?
> > > >
> > > > I'm not following you here.
> > >
> > > Attacks on hardware, replacement of the disk with something that
> > > attacks the boot process, Firewire, USB, etc. vulnerabilities,
> > > changes in non-encrypted areas, etc.
> > This is about your external disk drive or usb where you put data on it.
> > This is not about boot integrity or something, really.
> I am well aware of that. Have a look at what types of "evil maid"
> attacks are possible today. If somebody competent had access to
> your storage device, chances are they will be able to successfully
> attack the next machine you plug it into. Sure, may be expensive,
> may take hardware modification, but do not think just because it
> is "only" a storage device it is always safe to plug it into a
P.S. Also, I apologize, I think I over-reacted.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
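As an added illustration of the layout Yves-Alexis sketches above ("one block of ICVs every once in a while"), and not code from this list or from the dm-crypt project: a Python model of a sector store in which every four data sectors are followed by one sector holding their integrity tags. Sector size, tag length and the HMAC construction are assumptions for the toy, not anything LUKS2 specifies.

```python
# Toy model of "one block of ICVs every once in a while" (from the quoted
# message): every TAGS_PER_BLOCK data sectors are followed by one sector
# holding their tags. Hypothetical layout, not the dm-crypt/LUKS2 format.
import hashlib
import hmac

SECTOR = 64                         # toy sector size (real disks: 512/4096)
TAG_LEN = 16                        # truncated HMAC-SHA256 tag per sector
TAGS_PER_BLOCK = SECTOR // TAG_LEN  # 4 data sectors share one tag sector
GROUP = TAGS_PER_BLOCK + 1          # physical sectors per group (data + tags)

class IntegrityError(Exception):
    """A sector's contents do not match the tag stored for it."""

class IntegrityDevice:
    def __init__(self, key, logical_sectors):
        self.key = key
        self.logical_sectors = logical_sectors
        groups = -(-logical_sectors // TAGS_PER_BLOCK)   # ceil division
        self.store = bytearray(groups * GROUP * SECTOR)  # the raw "disk"
        for lsn in range(logical_sectors):               # "format": tag zeroes
            self.write(lsn, bytes(SECTOR))

    @staticmethod
    def _offsets(lsn):
        """Map a logical sector to (data offset, tag offset) on the disk."""
        group, idx = divmod(lsn, TAGS_PER_BLOCK)
        data_off = (group * GROUP + idx) * SECTOR
        tag_off = (group * GROUP + TAGS_PER_BLOCK) * SECTOR + idx * TAG_LEN
        return data_off, tag_off

    def _tag(self, lsn, data):
        # Bind the tag to the sector number so tagged sectors can't be swapped.
        msg = lsn.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def write(self, lsn, data):
        assert len(data) == SECTOR and 0 <= lsn < self.logical_sectors
        doff, toff = self._offsets(lsn)
        self.store[doff:doff + SECTOR] = data
        self.store[toff:toff + TAG_LEN] = self._tag(lsn, data)

    def read(self, lsn):
        doff, toff = self._offsets(lsn)
        data = bytes(self.store[doff:doff + SECTOR])
        stored = bytes(self.store[toff:toff + TAG_LEN])
        if not hmac.compare_digest(self._tag(lsn, data), stored):
            raise IntegrityError(f"sector {lsn}: tag mismatch")
        return data
```

The cost of the layout is visible in the arithmetic: ten logical sectors need fifteen physical ones here, which is the "no 1:1 mapping" problem the thread mentions, and a read must touch the tag sector as well as the data sector.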