Re: [dm-crypt] LRW has more data modification leakage than CBC?
This is correct. Using this "data modification leak" terminology, LRW
has more, CBC less and EME none.
EME and ABL encrypt the entire sector as a single permutation. Any bit
changed anywhere, the entire sector is changed. CBC leaks the point at
which the change starts.
So, instead of going to CBC with its problems, I would suggest EME or
ABL.
Thanks
jim
On Dec 25, 2004, at 10:45 AM, Adam J. Richter wrote:
> I just finished reading Fruhrwirth Clemens's web page on
> Linux hard disk encryption settings, which is basically the
> first that I had heard of LRW, so I apologize if I'm missing
> some obvious point.
>
> Regarding the "data modification leak" described in
> Fruhrwirth's page, it seems to me that LRW will leak
> more information about data content changes than CBC,
> since there is no chaining whatsoever in LRW.
>
> Under CBC, an adversary with access to snapshots of an
> encrypted disk image can tell which encryption block within a
> sector is the point at which modification began, but cannot tell
> how many bytes after that point were modified. For example,
> if a sector was modified starting in the middle, it is
> impossible for an adversary to tell whether only one byte was
> modified in the middle, or if every byte in the second half of
> the sector had been modified.
>
> Under LRW, however, an adversary can see exactly
> which encryption blocks were modified and which ones were
> not. So, for example, an adversary looking at snapshots
> of an LRW-encrypted disk that is known to be a standard
> ext3 file system should be able to tell exactly which inodes
> have modified inode information. I think that that additional
> resolution in the information leakage may be of some practical
> consequence in the scenarios to which the "data modification leak"
> issue would be relevant.
>
> Am I misunderstanding something?
>
> I do not mean to say that LRW is worthless. I think
> the watermark attack that LRW avoids is a more realistic
> problem than the "data modification leak", but I think that for
> my own use I'd probably prefer to trade a bit more CPU cost on
> my system given some other scheme that had the security of LRW
> without that resolution of data modification leakage.
>
> Adam J. Richter
> adam@yggdrasil.com
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@saout.de
> For additional commands, e-mail: dm-crypt-help@saout.de
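An added illustration of the leakage pattern the two messages above discuss; this is not code from either message or from dm-crypt. It encrypts one 512-byte sector under CBC (with a predictable per-sector IV derived from the sector number, in the spirit of dm-crypt's plain IV) and under LRW (tweak = K2 multiplied by the block index in GF(2^128)), flips one byte in block 10, and reports which ciphertext blocks changed. The block cipher is a toy 4-round Feistel network keyed with HMAC-SHA256, used only so the script runs with the standard library; the leak pattern depends on the mode, not on the cipher. The keys and the sector contents are constructed demo values. EME and ABL, which jim recommends, are not implemented here; under a wide-block mode every block of the sector would change.

```python
# Added example: which ciphertext blocks change under CBC vs. LRW when one
# plaintext byte of a sector is modified. Toy cipher, constructed keys/data.
import hashlib
import hmac

BLOCK = 16                    # 128-bit blocks, as with AES
SECTOR = 512                  # one disk sector
N_BLOCKS = SECTOR // BLOCK    # 32 blocks per sector
MASK128 = (1 << 128) - 1


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, r: int) -> bytes:
    """Feistel round function: 64-bit HMAC-SHA256 output (toy, not AES)."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: balanced 4-round Feistel network (a permutation)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def gf128_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (bit i = x^i)."""
    result = 0
    for _ in range(128):
        if b & 1:
            result ^= a
        b >>= 1
        carry = a >> 127
        a = (a << 1) & MASK128
        if carry:
            a ^= 0x87          # reduce by x^7 + x^2 + x + 1
    return result


def cbc_encrypt(key: bytes, sector: bytes, sector_no: int) -> bytes:
    """CBC over one sector; IV derived from the sector number (predictable, like plain IV)."""
    prev = sector_no.to_bytes(BLOCK, "little")
    out = bytearray()
    for j in range(N_BLOCKS):
        p = sector[j * BLOCK:(j + 1) * BLOCK]
        prev = encrypt_block(key, _xor(p, prev))   # chaining: C_j depends on C_{j-1}
        out += prev
    return bytes(out)


def lrw_encrypt(k1: bytes, k2: bytes, sector: bytes, sector_no: int) -> bytes:
    """LRW: C_j = E_K1(P_j xor T_j) xor T_j, with T_j = K2 * index_j in GF(2^128)."""
    k2_int = int.from_bytes(k2, "big")
    out = bytearray()
    for j in range(N_BLOCKS):
        index = sector_no * N_BLOCKS + j + 1          # nonzero logical block index
        t = gf128_mul(k2_int, index).to_bytes(BLOCK, "big")
        p = sector[j * BLOCK:(j + 1) * BLOCK]
        out += _xor(encrypt_block(k1, _xor(p, t)), t)  # no chaining between blocks
    return bytes(out)


def changed_blocks(before: bytes, after: bytes) -> list:
    """Indices of ciphertext blocks that differ between two snapshots of a sector."""
    return [j for j in range(N_BLOCKS)
            if before[j * BLOCK:(j + 1) * BLOCK] != after[j * BLOCK:(j + 1) * BLOCK]]


def demo(modified_byte: int = 10 * BLOCK + 3) -> tuple:
    """Flip one byte (default: in block 10) and compare what each mode reveals."""
    k1, k2 = b"k1" * 8, b"k2" * 8            # constructed demo keys only
    sector = bytes(range(256)) * 2            # constructed sector contents
    sector_no = 7
    modified = bytearray(sector)
    modified[modified_byte] ^= 0x01
    modified = bytes(modified)
    cbc = changed_blocks(cbc_encrypt(k1, sector, sector_no),
                         cbc_encrypt(k1, modified, sector_no))
    lrw = changed_blocks(lrw_encrypt(k1, k2, sector, sector_no),
                         lrw_encrypt(k1, k2, modified, sector_no))
    return cbc, lrw


if __name__ == "__main__":
    cbc, lrw = demo()
    print("CBC changed blocks:", cbc)   # 10 through 31: reveals where the change starts
    print("LRW changed blocks:", lrw)   # [10] only: reveals exactly which block changed
```

Running `demo()` shows the asymmetry in the thread: CBC changes every block from the modification point to the end of the sector, so a snapshot comparison reveals only where the change begins, while LRW changes exactly the modified block, so the comparison reveals block-granular modification positions.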