From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] blkid and aes-cbc-plain/aes-cbc-essiv:sha256
Date: Tue, 13 Mar 2012 15:56:33 +0100 [thread overview]
Message-ID: <20120313145633.GA16934@tansi.org> (raw)
In-Reply-To: <2451c2f8f9dec229cee7eadb6dd82207.squirrel@ssl.verfeiert.org>
In fact it is impossible to distinguish ciphers except by looking
whether the decrypted contents makes sense. On the other hand,
looking for structire in the decrypted data works well, but
to distinguish mode in addition to cipher, you have to look
at more than just one cipher block. Ideally look at the whole
sector. Now, if you know what filesystem is supposed to be in
there, you can try to recognize its first block. Or you can to
a (sample) entropy analysis for a the whole first block decrypted.
That would identify the mode quite reliably if (and only if) the
first block is ensured to have relatively low entropy in
decrypted state.
That said, I agree that guessing is not the right approach.
What if, for example, there is an old first block
lying around, but the new crypto-container is at an offset?
In that case not even the cipher or the key might be the same!
Arno
On Tue, Mar 13, 2012 at 03:46:40PM +0100, Sven Eschenberg wrote:
> What Milan said is this:
>
> It is impossible to distinguish between ESSIV and non ESSIV modes. The
> only means of knowing which is right is when the read data seems to be
> plausible.
>
> But that's the very problem: what do you consider plausible?
>
> Here's an example, plain and ESSIV look the same (at the relevant area on
> disk) and thus a FS signature is found, the FS driver tries to mount the
> FS and then detects, that the rest of the FS structures seem to be broken.
> It fails. Or it might aswell try to recover the FS and by doing so corrupt
> the data irreversibly.
>
> This becomes even more problematic, if the Volume does not host a FS but
> something else.
>
> Thus the only sane approach is, to not do any 'educated' guessing, since
> it might work in some (or even many) cases, but corrupts significant
> amounts of data, when it fails.
>
> (I chose educated guessing, since auto-detection implies that you can make
> sure your detection result is valid)
>
> Regards
>
> -Sven
>
>
>
> On Tue, March 13, 2012 02:03, .. ink .. wrote:
> > Thanks for your quick response,
> >
> >
> >> For plain mode, user must provide the cipher, mode and keysize.
> >> Please do not invent autodetection - you just proved it will lead
> >> to data corruption. This is one of the reasons why LUKS was invented,
> >> where cipher and mode is stored in metadata.
> >>
> >
> >
> >>
> >>> My suggestion is to ignore "aes-cbc-plain" and just use current default
> >> (and give user option to overwrite it manually).
> >>
> >> Milan
> >>
> >
> > My tool is meant to be simple, that means the user provides only a path to
> > encrypted volume and a passphrase .All other options are default and hard
> > coded and a user can not change them.If a user want to use non default
> > option then the tool is too simple for them as it will lead to unnecessary
> > complexity.
> >
> > Below is what happen when a user provides a path to an encrypted volume
> > and
> > a passphrase to open a volume
> >
> > 1. The volume is checked to see if its luks or not. If it is, it is then
> > opened as luks with luks default as they are 1.4.1.
> >
> > 2. If a volume is not luks, it is then assumed to be plain and the first
> > attempt is to open it with plain defaults as they are in 1.4.1. If that
> > fail, it is then opened as plain with default values are they were in
> > 1.3.0
> >
> > I do not see any danger with the current design of supporting both plain
> > modes as long as,as it currently appear to be, mount can distinguish the
> > two. The advise to drop "legacy mode" will make sense if the mount
> > failure
> > is not a guaranteed way to distinguish the two(.it seem to be working so
> > far with vfat, ext3/4 file systems). Is this what you are saying?
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
next prev parent reply other threads:[~2012-03-13 14:56 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-12 21:30 [dm-crypt] blkid and aes-cbc-plain/aes-cbc-essiv:sha256 .. ink ..
2012-03-12 22:36 ` Milan Broz
2012-03-13 1:03 ` .. ink ..
2012-03-13 14:46 ` Sven Eschenberg
2012-03-13 14:56 ` Arno Wagner [this message]
2012-03-13 16:14 ` .. ink ..
2012-03-13 18:34 ` Arno Wagner
2012-03-13 17:49 ` Javier Juan Martínez Cabezón
2012-03-13 18:38 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120313145633.GA16934@tansi.org \
--to=arno@wagner.name \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.