From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 3 Oct 2012 18:28:54 +0100
From: Abhishek Tiwari
Subject: [dm-crypt] Query on validating cryptsetup
To: dm-crypt@saout.de

Hi,

I am trying to use cryptsetup for an SD card. I create the crypto mapper device and write a file to it. For the purpose of validation, I am using a fixed key "11111111" as passphrase. Then I tried to see the contents of this SD card using a reader and WinHex. Unfortunately these contents do not match with an encrypted copy of same file that was encrypted using this online DES encryption tool:

http://www.tools4noobs.com/online_tools/encrypt/

I specified algorithm as DES and mode as CBC.

When creating crypto device, my command is:

    cryptsetup -c des-cbc-plain --key-size=64 --key-file=keyfile create sdcard0 /dev/sdcard0

Here, keyfile contains "11111111".

I tried with some other tools as well but could not get the exact same output. Is there anything else that I need to look at?

Also, is there any other way I can verify my usage of keys and encryption done using cryptsetup?

Please see if you can help. Thanks.
--
Abhishek
From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5071DD16.8030301@gmail.com>
Date: Sun, 07 Oct 2012 21:50:46 +0200
From: Milan Broz
Subject: Re: [dm-crypt] Query on validating cryptsetup
To: Abhishek Tiwari
Cc: dm-crypt@saout.de

On 10/03/2012 07:28 PM, Abhishek Tiwari wrote:
> I am trying to use cryptsetup for an SD card. I create the crypto
> mapper device and write a file to it. For the purpose of validation,
> I am using a fixed key "11111111" as passphrase. Then I tried to see
> the contents of this SD card using a reader and WinHex. Unfortunately
> these contents do not match with an encrypted copy of same file that
> was encrypted using this online DES encryption tool:
> http://www.tools4noobs.com/online_tools/encrypt/ I specified
> algorithm as DES and mode as CBC.

Well, if it is real use, never use DES, it is no longer secure enough.

But for learning crypto this can be nice exercise.

First, note difference in CBC encryption for the whole file and with dm-crypt.
For dmcrypt, it uses CBC per sector, restarting for every sector with defined IV.
(Sectors are encrypted independently.)

So you cannot compare more than one sector of ciphertext - 512 bytes with tool above.

Whatever:

- in that PHP tool, I entered "11111111" as key
  (note it is string, so it translates to 0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31)
- plaintext "test1234test5678" (2x DES 8-bytes blocks to see CBC for second block)
- encryption is DES, mode CBC, output hexa
- note php mcrypt_encrypt uses zeroed IV if not specified

So, this will get ciphertext:
b43b364065cdf4571a92ba2daecaf2ff

Now, the same with cryptsetup:

- prepare keyfile
# echo -n "11111111">keyfile

- configure cryptsetup, null is zeroed IV.
  Note that for keyfile there is no hashing (exactly what we need - directly use key from file).
# cryptsetup -c des-cbc-null --key-size=64 --key-file=keyfile create test /dev/sdb

- you can verify what key is really used (key is 5th parameter in hexa)
# dmsetup table --showkeys test
0 417792 crypt des-cbc-null 3131313131313131 0 8:16 0

- write plaintext
# echo -n "test1234test5678" >/dev/mapper/test

- flush underlying device cache to be sure we read new data (or remove dmcrypt mapping)
# blockdev --flushbufs /dev/sdb

- and check ciphertext
# hexdump -C -n 16 /dev/sdb
00000000  b4 3b 36 40 65 cd f4 57  1a 92 ba 2d ae ca f2 ff  |.;6@e..W...-....|

For me, it looks like it is the same ;-)

Milan

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 7 Oct 2012 22:53:44 +0200
From: Arno Wagner
Message-ID: <20121007205344.GA6260@tansi.org>
References: <5071DD16.8030301@gmail.com>
In-Reply-To: <5071DD16.8030301@gmail.com>
Subject: Re: [dm-crypt] Query on validating cryptsetup
To: dm-crypt@saout.de

On Sun, Oct 07, 2012 at 09:50:46PM +0200, Milan Broz wrote:
> On 10/03/2012 07:28 PM, Abhishek Tiwari wrote:
> > I am trying to use cryptsetup for an SD card. I create the crypto
> > mapper device and write a file to it. For the purpose of validation,
> > I am using a fixed key "11111111" as passphrase. Then I tried to see
> > the contents of this SD card using a reader and WinHex. Unfortunately
> > these contents do not match with an encrypted copy of same file that
> > was encrypted using this online DES encryption tool:
> > http://www.tools4noobs.com/online_tools/encrypt/ I specified
> > algorithm as DES and mode as CBC.
>
> Well, if it is real use, never use DES, it is no longer secure enough.

Indeed. Known plaintext attack for DES is doable in some hours now.
I still remember when 56 bit DES was considered secure ;-)

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
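
Added example (not part of the thread and not cryptsetup's code): the per-sector CBC restart described in Milan Broz's reply, compared against whole-file CBC with a zeroed IV. It goes slightly beyond the thread by also covering the "plain" IV mode from the original question, using the 32-bit little-endian sector number that dm-crypt documents for it. Assumptions: the block cipher is a toy Feistel stand-in, NOT DES, so the block runs with the standard library only, and all function names are hypothetical.

```python
import hashlib

BLOCK = 8      # DES block size in bytes
SECTOR = 512   # dm-crypt sector size in bytes
KEY = b"11111111"  # the eight ASCII bytes 0x31 from the thread's keyfile
# Constructed sample: three sectors of the thread's plaintext, repeated.
SAMPLE = b"test1234test5678" * (3 * SECTOR // 16)

def toy_encrypt_block(key, block):
    """Stand-in 64-bit block cipher (4-round Feistel over SHA-256). NOT DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key, iv, data):
    """Ordinary CBC: every block is chained to the previous ciphertext block."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, mixed)
        out += prev
    return bytes(out)

def sector_iv(mode, sector):
    """IV for one sector: 'null' is all zeroes, 'plain' is the LE32 sector number."""
    if mode == "null":
        return bytes(BLOCK)
    if mode == "plain":
        return (sector & 0xFFFFFFFF).to_bytes(4, "little").ljust(BLOCK, b"\0")
    raise ValueError(f"unsupported IV mode: {mode}")

def dmcrypt_style_encrypt(key, mode, data):
    """CBC restarted at every 512-byte sector with that sector's own IV."""
    if len(data) % SECTOR:
        raise ValueError("data length must be a multiple of the sector size")
    return b"".join(
        cbc_encrypt(key, sector_iv(mode, n), data[off:off + SECTOR])
        for n, off in enumerate(range(0, len(data), SECTOR))
    )

def first_mismatch_sector(a, b):
    """Index of the first sector in which two ciphertexts differ, or None."""
    for n, off in enumerate(range(0, len(a), SECTOR)):
        if a[off:off + SECTOR] != b[off:off + SECTOR]:
            return n
    return None
```

For both IV modes, sector 0 equals the zero-IV whole-file ciphertext and the first differing sector is 1, which is why the comparison in the thread is limited to the first 512 bytes.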