[dm-crypt] Use of GCM mode with dm-crypt

[dm-crypt] Use of GCM mode with dm-crypt

[Samantha Adams]

[-- Attachment #1: Type: text/plain, Size: 469 bytes --]

I would like to continue the post from December 2010 concerning GCM as it
seems to be one of the few available modes to provide data integrity.

It is true that GCM adds the authenication tag in every sector and as result
we are going to have a sector bigger in size. So, it makes it unsuitable for
use with dmcrypt.

But is it possible to allocate some space elsewhere for the tag ? Are they
any possible modifications we could make so we could use gcm with dmcrypt ?

[-- Attachment #2: Type: text/html, Size: 688 bytes --]

Re: [dm-crypt] Use of GCM mode with dm-crypt

[Milan Broz]

On 04/27/2011 10:40 AM, Samantha Adams wrote:
> I would like to continue the post from December 2010 concerning GCM
> as it seems to be one of the few available modes to provide data
> integrity.
> 
> It is true that GCM adds the authenication tag in every sector and as
> result we are going to have a sector bigger in size. So, it makes it
> unsuitable for use with dmcrypt.

Exactly. dmcrypt provides just transparent encryption so the ciphertext
device and plaintext device is of the same size, we have no space
to store authentication tag to.

> But is it possible to allocate some space elsewhere for the tag ? Are
> they any possible modifications we could make so we could use gcm
> with dmcrypt ?

Basically it would be new encryption DM target (it can share code
but the mapping here is different).

The crucial question where do you want to store authentication tag...
If there is some standard way, perhaphs it can be done.

But isn't better to provide these integrity services to filesystem
on top of dmcrypt? (so fs can allocate blocks storing integrity info)

Milan

Re: [dm-crypt] Use of GCM mode with dm-crypt

[Arno Wagner]

On Wed, Apr 27, 2011 at 11:41:01AM +0200, Milan Broz wrote:
> On 04/27/2011 10:40 AM, Samantha Adams wrote:
[...] 
> Basically it would be new encryption DM target (it can share code
> but the mapping here is different).
> 
> The crucial question where do you want to store authentication tag...
> If there is some standard way, perhaphs it can be done.
> 
> But isn't better to provide these integrity services to filesystem
> on top of dmcrypt? (so fs can allocate blocks storing integrity info)

In my view, integrity check, just as compression (and the filesystem
itself) all belong on top of encryption. For the other two, this is
obvious. For the integrity check, what is the FS layer to do if it
fails? If you have error correction or redundancy in the FS, then
it can do something, but on crypto-layer you can just propagate the
error and handling would be done elsewhere. Also note that the 
problem of storing the tags.checksums goes away on the FS layer,
as one of the primary tasks of a FS is storing metadata.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] Use of GCM mode with dm-crypt

[Samantha Adams]

[-- Attachment #1: Type: text/plain, Size: 1942 bytes --]

Probably the best solution is to check integrity in the FS layer.

Concerning gcm, in my opinion, it's a pity that we can't use an AE mode onf
encryption because in this way we would be able to also check data
authenticity.

Anyway, thank you all for you answers ! :)

Sam

On Wed, Apr 27, 2011 at 3:43 PM, Arno Wagner <arno@wagner.name> wrote:

> On Wed, Apr 27, 2011 at 11:41:01AM +0200, Milan Broz wrote:
> > On 04/27/2011 10:40 AM, Samantha Adams wrote:
> [...]
> > Basically it would be new encryption DM target (it can share code
> > but the mapping here is different).
> >
> > The crucial question where do you want to store authentication tag...
> > If there is some standard way, perhaphs it can be done.
> >
> > But isn't better to provide these integrity services to filesystem
> > on top of dmcrypt? (so fs can allocate blocks storing integrity info)
>
> In my view, integrity check, just as compression (and the filesystem
> itself) all belong on top of encryption. For the other two, this is
> obvious. For the integrity check, what is the FS layer to do if it
> fails? If you have error correction or redundancy in the FS, then
> it can do something, but on crypto-layer you can just propagate the
> error and handling would be done elsewhere. Also note that the
> problem of storing the tags.checksums goes away on the FS layer,
> as one of the primary tasks of a FS is storing metadata.
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> arno@wagner.name
> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25
> 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

[-- Attachment #2: Type: text/html, Size: 2559 bytes --]

Re: [dm-crypt] Use of GCM mode with dm-crypt

[Will Drewry]

FWIW, putting integrity checking at the filesystem layer should be
done carefully as well.  If your threat model includes attacks
resulting from attacker-controlled metadata, then you may still be
exposed to a variety of issues in the filesystem layer itself (even if
it is difficult for an attacker to do reliably given how great
dm-crypt is :).

I've had good experience layering a dm target for block-level
integrity checking under the fs layer as it avoids the risks
associated and gets all the nice benefits of the block cache, etc.
(The target my project uses isn't upstream yet, but after a lot of
in-progress cleanup, we hope it will be![1]).  The approach should
layer just fine with dm-crypt as well.

Anyway, just my two cents.  Cheers!
will

1 - http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel.git;a=blob;f=Documentation/device-mapper/dm-verity.txt

On Tue, May 3, 2011 at 5:22 AM, Samantha Adams <saman.adams@gmail.com> wrote:
> Probably the best solution is to check integrity in the FS layer.
>
> Concerning gcm, in my opinion, it's a pity that we can't use an AE mode onf
> encryption because in this way we would be able to also check data
> authenticity.
>
> Anyway, thank you all for you answers ! :)
>
> Sam
>
> On Wed, Apr 27, 2011 at 3:43 PM, Arno Wagner <arno@wagner.name> wrote:
>>
>> On Wed, Apr 27, 2011 at 11:41:01AM +0200, Milan Broz wrote:
>> > On 04/27/2011 10:40 AM, Samantha Adams wrote:
>> [...]
>> > Basically it would be new encryption DM target (it can share code
>> > but the mapping here is different).
>> >
>> > The crucial question where do you want to store authentication tag...
>> > If there is some standard way, perhaphs it can be done.
>> >
>> > But isn't better to provide these integrity services to filesystem
>> > on top of dmcrypt? (so fs can allocate blocks storing integrity info)
>>
>> In my view, integrity check, just as compression (and the filesystem
>> itself) all belong on top of encryption. For the other two, this is
>> obvious. For the integrity check, what is the FS layer to do if it
>> fails? If you have error correction or redundancy in the FS, then
>> it can do something, but on crypto-layer you can just propagate the
>> error and handling would be done elsewhere. Also note that the
>> problem of storing the tags.checksums goes away on the FS layer,
>> as one of the primary tasks of a FS is storing metadata.
>>
>> Arno
>> --
>> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
>> arno@wagner.name
>> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25
>> 338F
>> ----
>> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>>
>> If it's in the news, don't worry about it.  The very definition of
>> "news" is "something that hardly ever happens." -- Bruce Schneier
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
>