Re: dm-crypt and gpg

[Boyd Waters <bwaters+mac@xxxxxxxxxxxx>]

On Jul 15, 2004, at 7:28 PM, Andrew Johnson wrote:

> Hi All,
>
> I've been reading a lot of information regarding dm-crypt and 
> crytoloop vulnerability to known-plaintext and watermark attacks.  I 
> was wondering if the following dm-crypt setup method would solve the 
> known-plaintext attack:
>
> 1. Encryption key generation and encryption using GPG:
>
> head -c 32 /dev/urandom > secure.key
> gpg -c --cipher-algo AES256 secure.key
>
> 2. Secure volume creation using dm-crypt:
>
> /usr/bin/gpg -q --cipher-algo AES256 --decrypt secure.key.gpg | \
> 	/usr/local/bin/cryptsetup create secure_dev /dev/hdaX


This sort of password set-up is exactly what I proposed in my disk 
encryption write-up for Gentoo users ( 
http://www.sdc.org/~leila/usb-dongle/ ).

I think that a random password is a good idea in any event, and 
probably protects from one of the attacks mentioned recently.

I do NOT yet have a firm grasp of the issue, but:

But probably would NOT protect against watermark (which is 
chosen-plaintext attack). Problem there is the treatment of the 
per-sector password for the block encryption: loop-AES runs through a 
number of iterations, dm-crypt and cryptoloop do not.

I started to become concerned with the cryptoloop implementation 
earlier this week when I was looking at how OpenBSD and FreeBSD do disk 
encryption -- they take some pains to obfuscate the "sector-ID-ness" of 
the block encryption. (GBDE of FreeBSD seems that it would be 
particularly strong against watermark attack.)

Bottom line is that dm-crypt is better with the pure-random password 
that you propose, but probably still not the best implementation 
available. But I am clueless, really. I do hope that we get more 
comments on this!


~ boyd

Boyd Waters
National Radio Astronomy Observatory
Socorro, New Mexico
http://www.aoc.nrao.edu/~bwaters


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/