Re: [PATCH] Delete cryptoloop

From: Matt Mackall (mpm_at_selenic.com)
Date: 07/31/04

Next message: Randy.Dunlap: "Re: uid of user who mounts"

Previous message: Steve French: "uid of user who mounts"
In reply to: David Wagner: "Re: [PATCH] Delete cryptoloop"
Next in thread: Marc Ballarin: "Re: [PATCH] Delete cryptoloop"
Reply: Marc Ballarin: "Re: [PATCH] Delete cryptoloop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date:	Fri, 30 Jul 2004 21:05:34 -0500
To: David Wagner <daw@cs.berkeley.edu>

On Fri, Jul 30, 2004 at 05:44:24PM -0700, David Wagner wrote:
> > But we identified more problems (I don't if these are all real issues).
> > Assuming the attacker has access to both plaintext and the encrypted
> > disk. (shared storage, user account on the machine or something)
> [...]
>
> Yes, there are a host of potential attacks in this scenario. That's why I
> wrote that, if you find yourself in this threat model, it would be prudent
> to assume that the current disk encryption scheme can potentially be
> defeated. Does anyone care about these threat models? From the design,
> I had assumed that no one cared, but if they are relevant in practice,
> then it might make sense to investigate additional defenses.

Here's a probable scenario: encrypted mail spool in maildir format.
Attacker can send mail of his choosing and then later capture the
machine with the hope of breaking in.

Ideally, we'd ship a requirements and specification document that
describes the security trade-offs of cryptoloop/dm-crypt in some
detail. There are way too many unstated assumptions here.

-- 
Mathematics is the supreme nostalgia of our time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Randy.Dunlap: "Re: uid of user who mounts"

Previous message: Steve French: "uid of user who mounts"
In reply to: David Wagner: "Re: [PATCH] Delete cryptoloop"
Next in thread: Marc Ballarin: "Re: [PATCH] Delete cryptoloop"
Reply: Marc Ballarin: "Re: [PATCH] Delete cryptoloop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages

Re: How good an encryption algorithm is this?
... in the scenario I described. ... which the attacker gets her hands on that data. ... It's the fact that your algorithm makes it fairly easy to deduce the key ... And don't forget that you started by asking "How good an encryption ...
(microsoft.public.vc.language)
Re: How good an encryption algorithm is this?
... in the scenario I described. ... which the attacker gets her hands on that data. ... It's the fact that your algorithm makes it fairly easy to deduce the key ... And don't forget that you started by asking "How good an encryption ...
(microsoft.public.dotnet.languages.csharp)
Re: MACs + Encryption + same Key
... HMAC with MD5 using K, ... encryption key. ... So, the scenario permits ... the attacker to corrupt the ciphertext in order to pass the integrity check. ...
(sci.crypt)
Vulnerability in encrypted loop device for linux
... An attacker is able to modify the content of the encrypted device ... considered a aim of the encryption mode, so most modes (e.g. ECB, CFB, ... As we need to authenticate the device across mounts and not while it is ... It slows down mount operations but they are ...
(Bugtraq)
[UNIX] Vulnerability in Encrypted Loop Device for Linux
... Encrypting a disk device aims to protect against an off-line attacker who ... The encryption mode used by encrypted loop device is CBC. ... We propose 2 types of fixes: one that authenticate at mount time (see ...
(Securiteam)