| 1 |
Alexander Skwar wrote: |
| 2 |
|
| 3 |
>Pupeno schrieb: |
| 4 |
> |
| 5 |
> |
| 6 |
>>On Wednesday 27 July 2005 20:54, Luigi Pinna wrote: |
| 7 |
>> |
| 8 |
>> |
| 9 |
> |
| 10 |
> |
| 11 |
> |
| 12 |
>>>I use the dm-crypt from the kernel.... |
| 13 |
>>> |
| 14 |
>>> |
| 15 |
>>I've read that it is unsecure |
| 16 |
>> |
| 17 |
>> |
| 18 |
> |
| 19 |
>Where? And how is it insecure? |
| 20 |
> |
| 21 |
> |
| 22 |
|
| 23 |
Some history: |
| 24 |
|
| 25 |
The original crypto-loop from 2.4 is very susceptible to watermark |
| 26 |
attacks, where the attacker can write known data to the disk, and look |
| 27 |
at the encrypted results, and then calculate the key from the two. |
| 28 |
Actually, the attacker doesn't even need to write data to the disk if he |
| 29 |
can make a good guess at what a particular block already contains, such |
| 30 |
as with filesystem superblocks. |
| 31 |
|
| 32 |
Dm-crypt has some protection against this by using the sector number of |
| 33 |
the disk as a IV (initial vector) for the hash. This makes the attack |
| 34 |
more difficult, but not impossible, because the sector number is very |
| 35 |
predictable. |
| 36 |
|
| 37 |
loop-AES can provide much more secure protection against watermark |
| 38 |
attacks in 'multi-key mode' by using a set of 64 keys that are rotated |
| 39 |
for the encryption. So an attacker must crack 64 keys, instead of just 1. |
| 40 |
|
| 41 |
So dm-crypt today provides the same level of security as loop-AES in |
| 42 |
single key mode, which as I already stated in a previous email, should |
| 43 |
be sufficient for most people. However, you did ask how it was |
| 44 |
insecure! :-) |
| 45 |
|
| 46 |
-Richard |
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-user@g.o mailing list |
Archives