[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt

To: linux-crypto@xxxxxxxxxxxx
Subject: Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
From: Christian Kujau <lists@xxxxxxxxxxxxxxx>
Date: Wed, 30 May 2007 17:51:04 +0100 (BST)
In-reply-to: <20070528130105.GA5197@tatooine.rebelbase.local>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-id: <linux-crypto.nl.linux.org>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
References: <344b9a2f0705271631r7318ab7bl68b60606e1ca69dd@mail.gmail.com> <20070528130105.GA5197@tatooine.rebelbase.local>
Sender: linux-crypto-bounce@xxxxxxxxxxxx

On Mon, 28 May 2007, markus reichelt wrote:

 "Loop-AES is more secure than dm-crypt (and possibly faster),
 although it requires a custom kernel module and is more work to
 install than dm-crypt." => But no justification given regarding
 the security aspect.

in that example they use kernel 2.6.8 (hint hint)

Since no justification regarding the security aspect was given, I don't see how the kernel version would matter at all. Did youd have a certain bug with 2.6.8 in mind? (Debian oldstable is still using 2.6.8).

 http://mail.nl.linux.org/linux-crypto/2006-09/msg00008.html ->
 "Both cryptoloop and dm-crypt in kernels prior to 2.6.10 are
 vulnerable, and even recent dm-crypt still suffers from a weak
 crypto implementation." => I will be using 2.6.20, which allows
 for LRW mode and thus solve the watermark problem. -> "dm-crypt...
 which leaks location of changed data in some unusual situations."

" ... not a big problem." = dont worry about this.

Here the kernel version *does* matter, IOW the watermark attacks have been fixed in 2.6.10 (see "dm-crypt: new IV mode ESSIV" changelog entry). So "not a big problem" should read "not an issue any more since 12/2004", no?

=> What exactly consists this leak and has it been fixed?


This means that loop-aes hides the position of changed ciphertext
better than dm-crypt. A change of one byte in a 512 byte sector will
cause 16 bytes to change in dm-crypt and 512 bytes (the whole sector)
in loop-aes. if an attacker has access to changed ciphertext this
could be a problem.

Hm, "changed ciphertext": but that means that the attacker has already access to the underlying device and can read the encyrpted and *currently changing data". But I think "changing ciphertext" happens only when the device is mounted (so someone unlocked the partition) in which case the attacker would be better off to just read the plaintext.

However, I am not sure what's "better" from the attackers' POV to get the (password to) the key: known (changing) ciphertext or known plaintext. My guess would be "a combination of both"...

But in case an attacker has access to your
ciphertext you already got a bigger problem.

Yes, indeed :)

C.
--
BOFH excuse #197:

I'm sorry a pentium won't do, you need an SGI to connect with us.

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

Follow-Ups:
- Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
  - From: markus reichelt

References:
- Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
  - From: John Smith
- Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
  - From: markus reichelt

Prev by Date: Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
Next by Date: Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
Previous by thread: Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
Next by thread: Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt
Index(es):
- Date
- Thread