Re: [PATCH] Delete cryptoloop

From: Christophe Saout
Date: Thu Jul 29 2004 - 11:39:31 EST


Am Mittwoch, den 28.07.2004, 20:27 -0400 schrieb James Morris:

> > James Morris wrote:
> > >It would be good if we could get some further review on the issue by an
> > >independent, well known cryptographer.
> >
> > I'd be glad to review it if someone can point me to a clear, concise
> > description of the scheme (trying to extract the spec from the code
> > is too much work for me).
>
> That would be great. It would be best to do this review for dm-crypt.
>
> Christophe, is there a detailed description of the existing scheme?

I can explain it here, it's pretty simple:

IV = sector number (little endian, 32 bits), pad with zeroes

The actual content is then encoded using the selected cipher and key in
CBC mode.

For those who don't know what exactly that means:

C[0] = E(IV xor P[0])
C[1] = E(C[0] xor P[1])
...
C[n] = E(C[n-1] xor P[n])

C is the encrypted data, P the plaintext data. The block size is given
by the cipher (usually 128 bit or something like that). E is the
encryption using cipher and key.

This is done for every sector.

The weakness is that the IV is known. You can write specially crafted
blocks on the disk and have a known plaintext for the first block.

Also see: http://clemens.endorphin.org/OnTheProblemsOfCryptoloop

One simple way to avoid this would be to compute the IV in a different
way, something based on key and sector number.

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil