Date: Sun, 22 Dec 2013 18:07:24 -0500
From: /dev/ph0b0s
Message-ID: <20131222230724.GA1991@phobos.panopticism.net>
In-Reply-To: <52B76261.9080408@gmail.com>
Subject: Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions
To: dm-crypt@saout.de

On 12/22, Milan Broz wrote:
> Below is a very nice example of another "Evil maid" type attack,
> here directly applied to LUKS CBC disks.
>
> I think it clearly shows a known rule:
> If you let your machine out of your sight, it is no longer your machine.
>
> What is important (and the blog mentions it):
>
> "It has already been known for a long time that CBC does not prevent
> a malleability attack (targeted manipulation of encrypted data) given
> that the attacker can modify the ciphertext and knows the corresponding
> plaintext as well."
Even more important, in this particular case, is that this "practical malleability attack" isn't actually very practical at all:

"In the following I assume that we already have access to the original plaintext and the ciphertext of one file on the system and that we want to do our manipulations in this file:"

There are a number of other assumptions and variables that must be "just right" in order for this attack to have even a remote chance of working, e.g.:

"This code can be executed from a Live CD against the encrypted partition of an Ubuntu 12.04 installation. The position of the /bin/dash file needs to be adjusted by doing a reference installation with the same disk layout on a sufficiently similar hardware."

> BTW the blog doesn't mention that CBC is no longer the default mode for cryptsetup
> and was replaced by XTS mode.

The original post to f-d [0] that you forwarded does mention this:

"This code can be executed from a Live CD against the encrypted partition of an Ubuntu 12.04 installation. The position of the /bin/dash file needs to be adjusted by doing a reference installation with the same disk layout on a sufficiently similar hardware. [...] When choosing to encrypt the system with the Ubuntu 12.10 installer, the encryption is set up with mode aes-xts-plain64, which is not vulnerable to this attack."

It's certainly interesting from a technical perspective but this is simply not very feasible.

/p

[0]: http://archives.neohapsis.com/archives/fulldisclosure/2013-12/0187.html
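The CBC malleability the quoted blog describes, set beside the XTS point made in the thread, as an added illustration that is not part of this thread or of cryptsetup: with known plaintext, a bit flip in the previous CBC ciphertext block rewrites the target block exactly, while the same flip under XTS only garbles one block. It assumes the Python `cryptography` package; the key, IV, tweak and plaintext are constructed for the demo.

```python
# Added illustration, not from the thread. Assumes the 'cryptography' package;
# key, IV, tweak and plaintext below are constructed for the demo.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def run(mode, key: bytes, data: bytes, encrypt: bool) -> bytes:
    c = Cipher(algorithms.AES(key), mode)
    op = c.encryptor() if encrypt else c.decryptor()
    return op.update(data) + op.finalize()

def cbc_edit(ct: bytes, i: int, known: bytes, wanted: bytes) -> bytes:
    """CBC decrypts P_i = D(C_i) XOR C_{i-1}, so XORing (known XOR wanted)
    into C_{i-1} turns P_i into exactly 'wanted'; P_{i-1} turns to garbage."""
    s = (i - 1) * BLOCK
    return ct[:s] + xor(ct[s:s + BLOCK], xor(known, wanted)) + ct[s + BLOCK:]

def xts_edit(ct: bytes, i: int, known: bytes, wanted: bytes) -> bytes:
    """Same flips on block i of an XTS ciphertext: no chaining, so only block
    i changes, and into an unpredictable value rather than 'wanted'."""
    s = i * BLOCK
    return ct[:s] + xor(ct[s:s + BLOCK], xor(known, wanted)) + ct[s + BLOCK:]

def demo() -> dict:
    key = bytes(range(32))              # AES-256 key for CBC
    iv = bytes(16)                      # CBC IV
    xts_key = bytes(range(64))          # AES-256-XTS key (two distinct halves)
    tweak = (7).to_bytes(16, "little")  # sector-number style XTS tweak
    pt = b"block zero data." + b"block one  data." + b"block two  data."
    known, wanted = pt[16:32], b"block one EDITED"

    cbc_ct = run(modes.CBC(iv), key, pt, True)
    cbc_pt = run(modes.CBC(iv), key, cbc_edit(cbc_ct, 1, known, wanted), False)
    xts_ct = run(modes.XTS(tweak), xts_key, pt, True)
    xts_pt = run(modes.XTS(tweak), xts_key, xts_edit(xts_ct, 1, known, wanted), False)

    return {
        "cbc_target_controlled": cbc_pt[16:32] == wanted,
        "cbc_prev_block_garbled": cbc_pt[:16] != pt[:16],
        "cbc_later_blocks_intact": cbc_pt[32:] == pt[32:],
        "xts_target_controlled": xts_pt[16:32] == wanted,
        "xts_other_blocks_intact": xts_pt[:16] == pt[:16] and xts_pt[32:] == pt[32:],
    }

if __name__ == "__main__":
    print(demo())
```

The garbled previous block under CBC is the reason the blog's approach needs a file whose surrounding sector content does not matter, and the lack of any controllable result under XTS is why aes-xts-plain64 is not affected.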