From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from molly.corsac.net (pic75-3-78-194-244-226.fbxo.proxad.net [78.194.244.226]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Fri, 5 Feb 2016 17:50:36 +0100 (CET) Message-ID: <1454691014.21086.37.camel@debian.org> From: Yves-Alexis Perez Date: Fri, 05 Feb 2016 17:50:14 +0100 In-Reply-To: <20160205152440.GC32199@tansi.org> References: <56B20C05.7080307@gmail.com> <1454603376.4241.5.camel@debian.org> <20160204171753.GA20874@tansi.org> <1454653850.3573.2.camel@debian.org> <20160205110232.GD29709@tansi.org> <1454678001.21086.24.camel@debian.org> <20160205133123.GA31320@tansi.org> <1454684474.21086.30.camel@debian.org> <20160205152440.GC32199@tansi.org> Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-HYThSD2V/2muTxGriEHF" Mime-Version: 1.0 Subject: Re: [dm-crypt] The future of disk encryption with LUKS2 List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Arno Wagner , dm-crypt@saout.de --=-HYThSD2V/2muTxGriEHF Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On ven., 2016-02-05 at 16:24 +0100, Arno Wagner wrote: > Then why are you asking about integrity protection on a list > dedicated to a block-layer encryption system? That does not make > any sense. If you state things that do not make sense then I > will point that out, because there is a real possibility that > your reasoning process (I am not implying there was none) was=C2=A0 > flawed.=C2=A0 Because integrity protection *does* make sense on block layer encryption? T= he fact that you don't have a 1:1 mapping is indeed an issue, and that's why I was asking in the context of the LUKS2 thread (where supposedly new ideas could be thrown), because solving the involved challenges would be useful i= n the context of dm-crypt. I think. You could store all ICV in a specific pla= ce in the block device, or have one block of ICVs every once in a while, or something else. It'd involve some clever calculation indeed but it might be doable. But I can perfectly understand if it's not something which interest develop= ers here, and I can perfectly take =E2=80=9Cno=E2=80=9D as an answer :) >=20 > > > And second, who says anything abot the "evil maid" changing > > > things in the encrypted container? > >=C2=A0 > > I'm not following you here. >=20 > Attacks on hardware, replacement of the disk with something that > attacks the boot process, Firewire, USB, etc. vulnerabilities,=C2=A0 > changes in non-encrypted areas, etc. This is about your external disk drive or usb where you put data on it. Thi= s is not about boot integrity or something, really. Regards, --=20 Yves-Alexis --=-HYThSD2V/2muTxGriEHF Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAABCAAGBQJWtNLHAAoJEG3bU/KmdcClY3gH/0rMfpQcVMsbAXRJaPb1oF+Z bTrcvY7RuaJsqWtTUxX5hQTGB+6urEoxPBwvB62zARiwBxKdz2ZsttLnqJCg8F77 13LGf6xMZU8uhf1C6hh1zdVu9hLR667sVS0nVADZqtIncEHSuO9KEBfTvpEYHVtj nGy9YPTV10Gp91szJE0NepA5WLx73RO8FOxwTxMf3cxZ0Zi45jNdq1A6vaI5prkJ 702nQNeWLn4AIZYSEdKuwtWCypUpJyK+431HQpW4OuWVqs+7SzrApV3+NM4FbnEG e1Mh+6ahCttitW5DT4Lcc7HLh/0vHjv7PUKv6me/YD1nl5pJHn9UzAdrkiRYiEw= =f8O7 -----END PGP SIGNATURE----- --=-HYThSD2V/2muTxGriEHF--