P1619: how serious is the leak of K2?
We have seen that there is a possibility in real-life systems that K2
accidentally lands on the encrypted disk drive, and so exposed to an
eavesdropper. An attacker can increase the chance of this to happen to
dangerous levels. The question is: how serious is the leak of K2?
It allows attacker A to create any plaintext P in any location i on disk,
which means the worst malleability possible, like with ECB mode. (Secrets
are not necessarily revealed.)
We assume the following:
(a) A can make user U to store a prefabricated single block of data Q to a
chosen location j.
(b) later A can read the ciphertext Cj
(c) A can write a new ciphertext in place of Ci.
The critical step is (a). Q is 16 bytes of personalized data, so no virus
checker complains. It is going to be stored in a place, where it never gets
executed, so this attack is less suspicious than planting malware.
By inspecting an encrypted drive several times, the attacker can find where
temporary internet files are going to be stored following the last
inspection (so A lures U to a website, where an embedded picture ends up as
a temporary internet file). The area of the swap- and hibernation data is
also easy to find (so a special picture in memory can be swapped out). For
a new file, Windows chooses the beginning of the unused disk space, easily
identified by the location of recent changes on disk (so A persuades U to
save a link, a document or some other not executable "safe" file).
The attack is easy: Q = P ^ jK2 ^ iK2 is written to location j, so
Cj = jK2 ^ K1(P^jK2^iK2 ^ jK2) = jK2 ^ K1(P ^ iK2)
A writes in place of Ci the data
Cj ^ jK2 ^ iK2 = iK2 ^ K1(P ^ iK2), which will decrypt to P.