Re: [PATCH] Delete cryptoloop

From: Jari Ruusu
Date: Sun Jul 25 2004 - 06:43:33 EST


Fruhwirth Clemens wrote:
> Second, modern ciphers like Twofish || AES are designed to resist
> known-plaintext attacks. This is basically the FUD spread by Jari Ruusu.

Ciphers are good, but both cryptoloop and dm-crypt use ciphers in an insecure
and exploitable way.

This is not FUD. Fruhwirth, did you even try to run the exploit code?

http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2

> But, due to a recent discussion on sci.crypt, I have been convinced that
> there is in fact a security gain by obscuring the IV. To be precise, if
> an attacker is able to find two identical cipher blocks on disk, he will
> be able to deduce the plain text difference. The chance p that two
> blocks are equal is p=1/2^128 for 128 bit block ciphers. If one of these
> blocks happens to be zero this is quite bad. The chance that there are
> no identical cipher blocks on a disk is given by p^(n(n-1)/2) with n =
> number of sectors on disk. Anyone with a little bit of math intuition can
> see these terms will approach 0 quite quickly. So it is likely that some
> information is revealed.

An exploit exists that generates watermark patterns that can be detected, and
detected _very_ reliably.

> This situation will not be cured by switching to dm-crypt, since
> dm-crypt suffers from the same kind of problem. Although personally, I
> neglect this security threat.

Then you should not be writing crypto code.

> - There is no suitable user space tool ready to use it. util-linux has
> been broken ever since. My key-trunc-fix patch has to be applied
> to make any use of losetup.

Can you name an implementation that your "key-truncated" version is compatible
with that existed _before_ your version appeared? To my knowledge, that
key-truncated version is only compatible with itself, and there is no other
version that does the same.

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
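The watermark problem argued over in this thread, shown in working code as an added example. This is not Jari Ruusu's exploit, nor cryptoloop or dm-crypt code; it is a self-contained Go model of sector-level CBC with real AES-128 from the standard library. It assumes the unsalted IV shape the attack needs (the 32-bit little-endian sector number, zero-padded to the block size, as in the "plain" IV scheme), 512-byte sectors, and that the attacker's file lands sector-aligned starting at an even sector. For even s, IV(s) XOR IV(s+1) is a single known bit, so an attacker who controls the first block of two adjacent sectors can make their first ciphertext blocks collide, and anyone reading the raw ciphertext can recover the encoded bits without the key, no matter how strong the cipher is. The ESSIV variant (IV = AES_{SHA-256(key)}(sector)) is included as the hardened counterpart; it is not mentioned on the page and is added here for contrast. The key, bit pattern and filler bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	sectorSize = 512
	blockSize  = aes.BlockSize // 16 bytes for AES
)

type ivFunc func(sector uint64) []byte

// plainIV models the unsalted sector-number IV (assumption: 32-bit
// little-endian sector number, zero-padded). IV(s) ^ IV(s+1) is public.
func plainIV(sector uint64) []byte {
	iv := make([]byte, blockSize)
	binary.LittleEndian.PutUint32(iv, uint32(sector))
	return iv
}

// essivIV is the hardened counterpart: the plain IV is encrypted under a
// key derived from the volume key, so IV(s) ^ IV(s+1) is unpredictable
// to anyone who does not hold the key. Added for contrast, not from the page.
func essivIV(key []byte, sector uint64) []byte {
	h := sha256.Sum256(key)
	blk, err := aes.NewCipher(h[:])
	if err != nil {
		panic(err)
	}
	iv := make([]byte, blockSize)
	blk.Encrypt(iv, plainIV(sector))
	return iv
}

// encryptSectors encrypts each 512-byte sector independently in CBC mode,
// restarting the chain with ivf(sector), as sector-level disk encryption does.
func encryptSectors(key, plain []byte, start uint64, ivf ivFunc) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plain))
	for i := 0; i+sectorSize <= len(plain); i += sectorSize {
		sector := start + uint64(i/sectorSize)
		cbc := cipher.NewCBCEncrypter(blk, ivf(sector))
		cbc.CryptBlocks(out[i:i+sectorSize], plain[i:i+sectorSize])
	}
	return out
}

// watermarkFile builds attacker-controlled plaintext encoding one bit per
// sector pair (assumption: the file is stored sector-aligned at an even
// sector). For even s, IV(s) ^ IV(s+1) differs only in bit 0 of byte 0, so
// first block P in sector s and P ^ 0x01 in sector s+1 are fed into AES as
// the same value and produce identical first ciphertext blocks (a 1 bit).
// For a 0 bit the twin block is changed so the cancellation does not happen.
func watermarkFile(bits []bool) []byte {
	file := make([]byte, 0, len(bits)*2*sectorSize)
	for i, b := range bits {
		sec := make([]byte, sectorSize)
		for j := range sec {
			sec[j] = byte(0x30 + i) // constructed filler; any content works
		}
		file = append(file, sec...)
		twin := append([]byte(nil), sec...)
		if b {
			twin[0] ^= 0x01 // cancels IV(s) ^ IV(s+1) for even s
		} else {
			twin[0] ^= 0x80 // leaves the CBC inputs different
		}
		file = append(file, twin...)
	}
	return file
}

// detectWatermark reads ciphertext only, with no key, and reports for each
// adjacent sector pair whether the first ciphertext blocks collide. A
// collision also tells the observer that the plaintexts differ by exactly
// IV(s) ^ IV(s+1), which is the "plain text difference" leak from the thread.
func detectWatermark(ct []byte) []bool {
	var bits []bool
	for i := 0; i+2*sectorSize <= len(ct); i += 2 * sectorSize {
		a := ct[i : i+blockSize]
		b := ct[i+sectorSize : i+sectorSize+blockSize]
		bits = append(bits, bytes.Equal(a, b))
	}
	return bits
}

func equalBits(a, b []bool) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key (AES-128)
	bits := []bool{true, false, true, true, false, false, true, false}
	file := watermarkFile(bits)
	ctPlain := encryptSectors(key, file, 4096, plainIV)
	fmt.Printf("plain IV: recovered %v\n", detectWatermark(ctPlain))
	ctEssiv := encryptSectors(key, file, 4096, func(s uint64) []byte { return essivIV(key, s) })
	fmt.Printf("ESSIV:    recovered %v\n", detectWatermark(ctEssiv))
}
```

With the plain IV the detector recovers the full bit pattern from ciphertext alone; with ESSIV every pair reads as false, because the attacker can no longer pre-compute the IV difference needed to make the CBC inputs collide. The cipher is AES in both runs, which is the point of the thread: the weakness is in how the IV is chosen, not in the cipher.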