Re: [dm-crypt] Encrypted Raid1 or Raid 1 of encrypted devices?

[Arno Wagner <arno@wagner.name>]

On Thu, Jul 14, 2011 at 09:17:33AM +0300, Yaron Sheffer wrote:
> Hi Arno,
> 
> I agree that most practical considerations point towards encrypt-over-RAID.
> 
> But in fact from a security point of view, it seems to me the
> situation is reversed. Looking at RAID-over-encryption, I disagree
> that having the same plaintext encrypted over multiple keys is a
> concern with modern ciphers. 

You have to take into account that this is a non-moving target, 
i.e. disk encryption. Still, the security-loss should be small.

> The real concern with most full disk
> encryption (and dm-crypt in particular) is integrity protection: the
> ability of an attacker to change the ciphertext undetected. This
> ability is greatly hampered when the attacker needs to coordinate
> the attacks on two mirrored blocks, otherwise the two copies would
> not be consistent.

You possibly think that not having access to the RAID superblock
(as it is encrypted) will make this manipulation much harder. 
My take is that as soon as the attacker is on your device, he/she
can patch cryptsetup and then waut until you enter your passphrase.
Disk-encryption really only protects against attackers that 
only have access once and not while you are working on or opening
the device. This applies mostly to the case whre your device
is stolen. I don't agree that integrity protection has any
role in ordinary scenarios. And if you have a special scenario
where it plays a role, you should not use LUKS or dm-crypt anyways,
as it does not offer integrity protection, plain and simple.

> I haven't researched all figerprinting attacks and the interaction
> with various ways of generating IVs, so my intuition may still be
> proven wrong.

I thing your risk model is wrong. Basically it covers attacks
were the attacker has access to only the storage and at the same 
time can actually do something serious with data manipulation.
That is a rather unlikely scenario for disk encryption. Note that
for communication encryption, this is a real and valid scenario.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier