[dm-crypt] Query on validating cryptsetup

All of lore.kernel.org
 help / color / mirror / Atom feed

* [dm-crypt] Query on validating cryptsetup
@ 2012-10-03 17:28 Abhishek Tiwari
  2012-10-07 19:50 ` Milan Broz
  0 siblings, 1 reply; 3+ messages in thread
From: Abhishek Tiwari @ 2012-10-03 17:28 UTC (permalink / raw)
  To: dm-crypt

[-- Attachment #1: Type: text/plain, Size: 942 bytes --]

Hi,

I am trying to use cryptsetup for an SD card. I create the crypto mapper
device and write a file to it. For the purpose of validation, I am using a
fixed key "11111111" as passphrase. Then I tried to see the contents of
this SD card using a reader and WinHex. Unfortunately these contents do not
match with an encrypted copy of same file that was encrypted using this
online DES encryption tool:
http://www.tools4noobs.com/online_tools/encrypt/
I specified algorithm as DES and mode as CBC.

When creating crypto device, my command is:
cryptsetup -c des-cbc-plain --key-size=64 --key-file=keyfile create sdcard0
/dev/sdcard0

Here, keyfile contains "11111111".

I tried with some other tools as well but could not get the exact same
output. Is there anything else that I need to look at?

Also, is there any other way I can verify my usage of keys and encryption
done using cryptsetup?

Please see if you can help. Thanks.

-- 
Abhishek

[-- Attachment #2: Type: text/html, Size: 1242 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [dm-crypt] Query on validating cryptsetup
  2012-10-03 17:28 [dm-crypt] Query on validating cryptsetup Abhishek Tiwari
@ 2012-10-07 19:50 ` Milan Broz
  2012-10-07 20:53   ` Arno Wagner
  0 siblings, 1 reply; 3+ messages in thread
From: Milan Broz @ 2012-10-07 19:50 UTC (permalink / raw)
  To: Abhishek Tiwari; +Cc: dm-crypt

On 10/03/2012 07:28 PM, Abhishek Tiwari wrote:
> I am trying to use cryptsetup for an SD card. I create the crypto
> mapper device and write a file to it. For the purpose of validation,
> I am using a fixed key "11111111" as passphrase. Then I tried to see
> the contents of this SD card using a reader and WinHex. Unfortunately
> these contents do not match with an encrypted copy of same file that
> was encrypted using this online DES encryption tool: 
> http://www.tools4noobs.com/online_tools/encrypt/ I specified
> algorithm as DES and mode as CBC.

Well, if it is real use, never use DES, it is no longer secure enough.

But for learning crypto this can be nice exercise.

First, note difference in CBC encryption for the whole file
and with dm-crypt.

For dmcrypt, it uses CBC per sector, restarting for every sector with
defined IV. (Sectors are encrypted independently.)
So you cannot compare more than one sector of ciphertext - 512 bytes
with tool above.

Whatever:
- in that PHP tool, I entered "11111111" as key
(note it is string, so it translates to 0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31)
- plaintext "test1234test5678" (2x DES 8-bytes blocks to see CBC for second block)
- encryption is DES, mode CBC, output hexa
- note php mcrypt_encrypt uses zeroed IV if not specified

So, this will get ciphertext: b43b364065cdf4571a92ba2daecaf2ff

Now, the same with cryptsetup:

- prepare keyfile
  # echo -n "11111111">keyfile

- configure cryptsetup, null is zeroed IV. Note that for keyfile there is
  no hashing (exactly what we need - directly use key form file).
  # cryptsetup -c des-cbc-null --key-size=64 --key-file=keyfile create test /dev/sdb

- you can verify what key is really used (key is 5th parameter in hexa)
  # dmsetup table --showkeys test
  0 417792 crypt des-cbc-null 3131313131313131 0 8:16 0

- write plaintext
  # echo -n "test1234test5678" >/dev/mapper/test

- flush underlying device cache to be sure we read new data (or remove dmcrypt mapping)
  # blockdev --flushbufs /dev/sdb

- and check ciphertext
  # hexdump -C -n 16 /dev/sdb
  00000000  b4 3b 36 40 65 cd f4 57  1a 92 ba 2d ae ca f2 ff  |.;6@e..W...-....|


For me, it looks like it is the same ;-)

Milan

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [dm-crypt] Query on validating cryptsetup
  2012-10-07 19:50 ` Milan Broz
@ 2012-10-07 20:53   ` Arno Wagner
  0 siblings, 0 replies; 3+ messages in thread
From: Arno Wagner @ 2012-10-07 20:53 UTC (permalink / raw)
  To: dm-crypt

On Sun, Oct 07, 2012 at 09:50:46PM +0200, Milan Broz wrote:
> On 10/03/2012 07:28 PM, Abhishek Tiwari wrote:
> > I am trying to use cryptsetup for an SD card. I create the crypto
> > mapper device and write a file to it. For the purpose of validation,
> > I am using a fixed key "11111111" as passphrase. Then I tried to see
> > the contents of this SD card using a reader and WinHex. Unfortunately
> > these contents do not match with an encrypted copy of same file that
> > was encrypted using this online DES encryption tool: 
> > http://www.tools4noobs.com/online_tools/encrypt/ I specified
> > algorithm as DES and mode as CBC.
> 
> Well, if it is real use, never use DES, it is no longer secure enough.

Indeed. Known plaintext attack for DES is doable some hours now.
I still remember when 56 bit DES was considered secure ;-)

Arno
-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2012-10-07 20:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-10-03 17:28 [dm-crypt] Query on validating cryptsetup Abhishek Tiwari
2012-10-07 19:50 ` Milan Broz
2012-10-07 20:53   ` Arno Wagner

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.