
Re: [STDS-P1619] Does XTS provide protection against watermarking?.



As Matt pointed out, having a predictable IV is a bit of a contradiction. When you say that you’re using an IV, that means that the bit string that you’re using has particular properties, and being predictable isn’t one of them. So saying that you have a predictable IV is just like saying P AND NOT P, from which you can prove anything at all.

 

On the other hand, using a non-random IV is apparently so common that it has its own CVE assigned to it: http://cwe.mitre.org/data/definitions/329.html.

 

From: Matt Ball [mailto:matthew.v.ball@xxxxxxxxx]
Sent: Tuesday, July 28, 2009 10:13 AM
To: STDS-P1619@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-P1619] Does XTS provide protection against watermarking?.

 

On Tue, Jul 28, 2009 at 10:42 AM, Garry Mccracken wrote:

Hi, does XTS provide protection against watermarking
(http://en.wikipedia.org/wiki/Watermarking_attack )?

http://en.wikipedia.org/wiki/Disk_encryption_theory
 mentions watermarking under CBC but doesn't say XTS protects against
watermarking.

Does XTS provide any protection against watermarking?

Garry


Hi Garry,

For this watermarking attack to work, the CBC IV would have to be a simple counter or something similar.  If you know the character of this counter (e.g., increments by 1), you just have to create 3 consecutive sectors that each toggle the least significant bit.  Two of these three sectors will have the same encrypted starting block, so you can detect the watermark.

Note that the CBC mode as described in this watermarking article would not conform to NIST's SP 800-38A requirements for the IV within CBC.  NIST requires that the IV be either:

  1. completely random (and as such, not predictable),
  2. the result of encrypting a non-repeating nonce (effectively random), or
  3. the last block of a previous CBC encryption (effectively random)

The lack-of-conformance (and exploitable characteristic) is due to the incrementing nature of the IV, thus making it predictable.  NIST requires that the IV be completely unpredictable.

If XTS is used according to the rules in IEEE Std 1619-2007, then I don't think the watermarking attack mentioned in this Wikipedia article is possible because the Tweak (analogous to the IV of CBC) must be different for each sector, and I can't think of a way to exploit this under XTS.  If the tweak is re-used, then the watermarking becomes possible because you've essentially got ECB mode for the blocks encrypted under the re-used tweak.

Any other thoughts or comments?

Cheers,
-Matt
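
The counter-IV case described in the message above, worked through as an added example that is not part of the original thread. It compares a plain sector-counter IV with an IV made by encrypting the sector number (option 2 in the list), and shows that with the counter IV two of three consecutive sectors always share a first ciphertext block, whichever parity the starting sector has. A toy Feistel cipher built from HMAC-SHA256 stands in for AES so the block runs on the standard library alone; every name, the key and the plaintext are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16                        # 128-bit block, as with AES
KEY = b"constructed-demo-key"     # constructed sample key


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit permutation (4-round Feistel). Not AES, not for real use."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def counter_iv(key: bytes, sector: int) -> bytes:
    """Predictable IV: the sector number itself."""
    return sector.to_bytes(BLOCK, "big")


def encrypted_nonce_iv(key: bytes, sector: int) -> bytes:
    """IV obtained by encrypting a non-repeating nonce (the sector number)."""
    return toy_encrypt_block(key, sector.to_bytes(BLOCK, "big"))


def cbc_first_block(key: bytes, iv: bytes, plaintext_block: bytes) -> bytes:
    """First ciphertext block of a CBC-encrypted sector: E_K(IV xor P_0)."""
    return toy_encrypt_block(key, xor(iv, plaintext_block))


def matching_pairs(key: bytes, iv_fn, first_sector: int):
    """Write three consecutive sectors whose first block toggles its least
    significant bit, then report which sectors share a first ciphertext block."""
    base = bytes(BLOCK)                               # constructed plaintext
    flipped = base[:-1] + bytes([base[-1] ^ 1])       # same block, LSB toggled
    blocks = [base, flipped, base]
    ct = [cbc_first_block(key, iv_fn(key, first_sector + i), p)
          for i, p in enumerate(blocks)]
    return [(i, j) for i in range(3) for j in range(i + 1, 3) if ct[i] == ct[j]]


if __name__ == "__main__":
    for name, fn in (("counter", counter_iv), ("encrypted nonce", encrypted_nonce_iv)):
        for start in (100, 101):
            print(f"{name:16} start={start}: {matching_pairs(KEY, fn, start)}")
```

With the counter IV the LSB toggle cancels the IV increment, so the cipher sees the same input twice; with the encrypted-nonce IV the difference between consecutive IVs is not known to whoever supplies the plaintext, and no pair matches.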