* [dm-crypt] Use of GCM mode with dm-crypt @ 2011-04-27 8:40 Samantha Adams 2011-04-27 9:41 ` Milan Broz 0 siblings, 1 reply; 5+ messages in thread From: Samantha Adams @ 2011-04-27 8:40 UTC (permalink / raw) To: dm-crypt [-- Attachment #1: Type: text/plain, Size: 469 bytes --] I would like to continue the post from December 2010 concerning GCM as it seems to be one of the few available modes to provide data integrity. It is true that GCM adds the authenication tag in every sector and as result we are going to have a sector bigger in size. So, it makes it unsuitable for use with dmcrypt. But is it possible to allocate some space elsewhere for the tag ? Are they any possible modifications we could make so we could use gcm with dmcrypt ? [-- Attachment #2: Type: text/html, Size: 688 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] Use of GCM mode with dm-crypt 2011-04-27 8:40 [dm-crypt] Use of GCM mode with dm-crypt Samantha Adams @ 2011-04-27 9:41 ` Milan Broz 2011-04-27 13:43 ` Arno Wagner 0 siblings, 1 reply; 5+ messages in thread From: Milan Broz @ 2011-04-27 9:41 UTC (permalink / raw) To: Samantha Adams; +Cc: dm-crypt On 04/27/2011 10:40 AM, Samantha Adams wrote: > I would like to continue the post from December 2010 concerning GCM > as it seems to be one of the few available modes to provide data > integrity. > > It is true that GCM adds the authenication tag in every sector and as > result we are going to have a sector bigger in size. So, it makes it > unsuitable for use with dmcrypt. Exactly. dmcrypt provides just transparent encryption so the ciphertext device and plaintext device is of the same size, we have no space to store authentication tag to. > But is it possible to allocate some space elsewhere for the tag ? Are > they any possible modifications we could make so we could use gcm > with dmcrypt ? Basically it would be new encryption DM target (it can share code but the mapping here is different). The crucial question where do you want to store authentication tag... If there is some standard way, perhaphs it can be done. But isn't better to provide these integrity services to filesystem on top of dmcrypt? (so fs can allocate blocks storing integrity info) Milan ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] Use of GCM mode with dm-crypt 2011-04-27 9:41 ` Milan Broz @ 2011-04-27 13:43 ` Arno Wagner 2011-05-03 12:22 ` Samantha Adams 0 siblings, 1 reply; 5+ messages in thread From: Arno Wagner @ 2011-04-27 13:43 UTC (permalink / raw) To: dm-crypt On Wed, Apr 27, 2011 at 11:41:01AM +0200, Milan Broz wrote: > On 04/27/2011 10:40 AM, Samantha Adams wrote: [...] > Basically it would be new encryption DM target (it can share code > but the mapping here is different). > > The crucial question where do you want to store authentication tag... > If there is some standard way, perhaphs it can be done. > > But isn't better to provide these integrity services to filesystem > on top of dmcrypt? (so fs can allocate blocks storing integrity info) In my view, integrity check, just as compression (and the filesystem itself) all belong on top of encryption. For the other two, this is obvious. For the integrity check, what is the FS layer to do if it fails? If you have error correction or redundancy in the FS, then it can do something, but on crypto-layer you can just propagate the error and handling would be done elsewhere. Also note that the problem of storing the tags.checksums goes away on the FS layer, as one of the primary tasks of a FS is storing metadata. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] Use of GCM mode with dm-crypt 2011-04-27 13:43 ` Arno Wagner @ 2011-05-03 12:22 ` Samantha Adams 2011-05-03 12:46 ` Will Drewry 0 siblings, 1 reply; 5+ messages in thread From: Samantha Adams @ 2011-05-03 12:22 UTC (permalink / raw) To: dm-crypt [-- Attachment #1: Type: text/plain, Size: 1942 bytes --] Probably the best solution is to check integrity in the FS layer. Concerning gcm, in my opinion, it's a pity that we can't use an AE mode onf encryption because in this way we would be able to also check data authenticity. Anyway, thank you all for you answers ! :) Sam On Wed, Apr 27, 2011 at 3:43 PM, Arno Wagner <arno@wagner.name> wrote: > On Wed, Apr 27, 2011 at 11:41:01AM +0200, Milan Broz wrote: > > On 04/27/2011 10:40 AM, Samantha Adams wrote: > [...] > > Basically it would be new encryption DM target (it can share code > > but the mapping here is different). > > > > The crucial question where do you want to store authentication tag... > > If there is some standard way, perhaphs it can be done. > > > > But isn't better to provide these integrity services to filesystem > > on top of dmcrypt? (so fs can allocate blocks storing integrity info) > > In my view, integrity check, just as compression (and the filesystem > itself) all belong on top of encryption. For the other two, this is > obvious. For the integrity check, what is the FS layer to do if it > fails? If you have error correction or redundancy in the FS, then > it can do something, but on crypto-layer you can just propagate the > error and handling would be done elsewhere. Also note that the > problem of storing the tags.checksums goes away on the FS layer, > as one of the primary tasks of a FS is storing metadata. > > Arno > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: > arno@wagner.name > GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 > 338F > ---- > Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans > > If it's in the news, don't worry about it. The very definition of > "news" is "something that hardly ever happens." -- Bruce Schneier > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > [-- Attachment #2: Type: text/html, Size: 2559 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] Use of GCM mode with dm-crypt 2011-05-03 12:22 ` Samantha Adams @ 2011-05-03 12:46 ` Will Drewry 0 siblings, 0 replies; 5+ messages in thread From: Will Drewry @ 2011-05-03 12:46 UTC (permalink / raw) To: Samantha Adams; +Cc: dm-crypt FWIW, putting integrity checking at the filesystem layer should be done carefully as well. If your threat model includes attacks resulting from attacker-controlled metadata, then you may still be exposed to a variety of issues in the filesystem layer itself (even if it is difficult for an attacker to do reliably given how great dm-crypt is :). I've had good experience layering a dm target for block-level integrity checking under the fs layer as it avoids the risks associated and gets all the nice benefits of the block cache, etc. (The target my project uses isn't upstream yet, but after a lot of in-progress cleanup, we hope it will be![1]). The approach should layer just fine with dm-crypt as well. Anyway, just my two cents. Cheers! will 1 - http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel.git;a=blob;f=Documentation/device-mapper/dm-verity.txt On Tue, May 3, 2011 at 5:22 AM, Samantha Adams <saman.adams@gmail.com> wrote: > Probably the best solution is to check integrity in the FS layer. > > Concerning gcm, in my opinion, it's a pity that we can't use an AE mode onf > encryption because in this way we would be able to also check data > authenticity. > > Anyway, thank you all for you answers ! :) > > Sam > > On Wed, Apr 27, 2011 at 3:43 PM, Arno Wagner <arno@wagner.name> wrote: >> >> On Wed, Apr 27, 2011 at 11:41:01AM +0200, Milan Broz wrote: >> > On 04/27/2011 10:40 AM, Samantha Adams wrote: >> [...] >> > Basically it would be new encryption DM target (it can share code >> > but the mapping here is different). >> > >> > The crucial question where do you want to store authentication tag... >> > If there is some standard way, perhaphs it can be done. >> > >> > But isn't better to provide these integrity services to filesystem >> > on top of dmcrypt? (so fs can allocate blocks storing integrity info) >> >> In my view, integrity check, just as compression (and the filesystem >> itself) all belong on top of encryption. For the other two, this is >> obvious. For the integrity check, what is the FS layer to do if it >> fails? If you have error correction or redundancy in the FS, then >> it can do something, but on crypto-layer you can just propagate the >> error and handling would be done elsewhere. Also note that the >> problem of storing the tags.checksums goes away on the FS layer, >> as one of the primary tasks of a FS is storing metadata. >> >> Arno >> -- >> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: >> arno@wagner.name >> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 >> 338F >> ---- >> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans >> >> If it's in the news, don't worry about it. The very definition of >> "news" is "something that hardly ever happens." -- Bruce Schneier >> _______________________________________________ >> dm-crypt mailing list >> dm-crypt@saout.de >> http://www.saout.de/mailman/listinfo/dm-crypt > > > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-05-03 12:46 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-04-27 8:40 [dm-crypt] Use of GCM mode with dm-crypt Samantha Adams 2011-04-27 9:41 ` Milan Broz 2011-04-27 13:43 ` Arno Wagner 2011-05-03 12:22 ` Samantha Adams 2011-05-03 12:46 ` Will Drewry
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.