* [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions
[not found] <CAH8yC8=i5x0My2ZMJrj8oikE8t6vQUGUX8WP2PC1uhO6HS=Mbw@mail.gmail.com>
@ 2013-12-22 22:06 ` Milan Broz
2013-12-22 23:07 ` /dev/ph0b0s
0 siblings, 1 reply; 4+ messages in thread
From: Milan Broz @ 2013-12-22 22:06 UTC (permalink / raw)
To: dm-crypt
Below is very nice example of another "Evil maid" type attacks,
here directly applied to LUKS CBC disks.
I think it clearly shows known rule:
If you let your machine out of your sight, it is no longer your machine.
What is important (and blog mentions it)
"It has already been known for a long time that CBC does not prevent
a malleability attack (targeted manipulation of encrypted data) given
that the attacker can modify the ciphertext and knows the corresponding
plaintext as well."
There is no integrity protection in LUKS devices (even cannot be
for transparent disk encryption because there is no additional space
to store integrity checksum / authentization tag data).
Modification (random or malicious) of ciphertext is simply not detectable
on the LUKS/dmcrypt level.
BTW blog doesn't mention that CBC is no longer default mode for cryptsetup
and was replaced by XTS mode.
Milan
>
> http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
>
> I. Abstract
>
> The most popular full disk encryption solution for Linux is LUKS
> (Linux Unified Key Setup), which provides an easy to use encryption
> layer for block devices. By default, newly generated LUKS devices are
> set up with 256-bit AES in CBC mode. Since there is no integrity
> protection/checksum, it is obviously possible to destroy parts of
> plaintext files by changing the corresponding ciphertext blocks.
> Nevertheless many users expect the encryption to make sure that an
> attacker can only change the plaintext to an unpredictable random
> value. The CBC mode used by default in LUKS however allows some more
> targeted manipulation of the plaintext file given that the attacker
> knows the original plaintext. This article demonstrates how this can
> be used to inject a full remote code execution backdoor into an
> encrypted installation of Ubuntu 12.04 created by the alternate
> installer (the default installer of Ubuntu 12.04 doesn’t allow setting
> up full disk encryption).
> ...
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions
2013-12-22 22:06 ` [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions Milan Broz
@ 2013-12-22 23:07 ` /dev/ph0b0s
2013-12-23 7:56 ` Milan Broz
2013-12-23 11:13 ` Arno Wagner
0 siblings, 2 replies; 4+ messages in thread
From: /dev/ph0b0s @ 2013-12-22 23:07 UTC (permalink / raw)
To: dm-crypt
On 12/22, Milan Broz wrote:
> Below is very nice example of another "Evil maid" type attacks,
> here directly applied to LUKS CBC disks.
>
> I think it clearly shows known rule:
> If you let your machine out of your sight, it is no longer your machine.
>
> What is important (and blog mentions it)
>
> "It has already been known for a long time that CBC does not prevent
> a malleability attack (targeted manipulation of encrypted data) given
> that the attacker can modify the ciphertext and knows the corresponding
> plaintext as well."
Even more important, in this particular case, is that this "practical
malleability attack" isn't actually very practical at all:
"In the following I assume that we already have access to the
original plaintext and the ciphertext of one file on the system and
that we want to do our manipulations in this file:"
There are a number of other assumptions and variables that must be "just right"
in order for this attack to have even a remote chance of working, e.g.:
"This code can be executed from a Live CD against the encrypted
partition of an Ubuntu 12.04 installation. The position of the
/bin/dash file needs to be adjusted by doing a reference
installation with the same disk layout on a sufficiently similar
hardware."
> BTW blog doesn't mention that CBC is no longer default mode for cryptsetup
> and was replaced by XTS mode.
The original post to f-d [0] that you forwarded does mention this:
"This code can be executed from a Live CD against the encrypted
partition of an Ubuntu 12.04 installation. The position of the
/bin/dash file needs to be adjusted by doing a reference
installation with the same disk layout on a sufficiently similar
hardware. [...] When choosing to encrypt the system with the Ubuntu
12.10 installer, the encryption is set up with mode aes-xts-plain64,
which is not vulnerable to this attack."
It's certainly interesting from a technical perspective but this is
simply not very feasible.
/p
[0]: http://archives.neohapsis.com/archives/fulldisclosure/2013-12/0187.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions
2013-12-22 23:07 ` /dev/ph0b0s
@ 2013-12-23 7:56 ` Milan Broz
2013-12-23 11:13 ` Arno Wagner
1 sibling, 0 replies; 4+ messages in thread
From: Milan Broz @ 2013-12-23 7:56 UTC (permalink / raw)
To: dm-crypt
On 12/23/2013 12:07 AM, /dev/ph0b0s wrote:
> On 12/22, Milan Broz wrote:
>> Below is very nice example of another "Evil maid" type attacks,
>> here directly applied to LUKS CBC disks.
>>
>> I think it clearly shows known rule:
>> If you let your machine out of your sight, it is no longer your machine.
>>
>> What is important (and blog mentions it)
>>
>> "It has already been known for a long time that CBC does not prevent
>> a malleability attack (targeted manipulation of encrypted data) given
>> that the attacker can modify the ciphertext and knows the corresponding
>> plaintext as well."
>
> Even more important, in this particular case, is that this "practical
> malleability attack" isn't actually very practical at all:
>
> "In the following I assume that we already have access to the
> original plaintext and the ciphertext of one file on the system and
> that we want to do our manipulations in this file:"
Sure. On the other side, if you have "golden image" and all your
company laptops are encrypted using the same plaintext in the beginning,
this could be possible.
Anyway, I do not think this attack is anything new - it is just real
application of known facts on the one specific case.
But it is worth to mention here.
...
>> BTW blog doesn't mention that CBC is no longer default mode for cryptsetup
>> and was replaced by XTS mode.
>
> The original post to f-d [0] that you forwarded does mention this:
I meant this part:
"When manually creating LUKS partitions, you should make sure to use XTS
instead of CBC (which is still the default when running cryptsetup
luksFormat without a cipher specification):"
It is not default since 1.6.0 upstream version (and it was configurable
even before for distro maintainers).
Milan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions
2013-12-22 23:07 ` /dev/ph0b0s
2013-12-23 7:56 ` Milan Broz
@ 2013-12-23 11:13 ` Arno Wagner
1 sibling, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2013-12-23 11:13 UTC (permalink / raw)
To: dm-crypt
On Mon, Dec 23, 2013 at 00:07:24 CET, /dev/ph0b0s wrote:
> On 12/22, Milan Broz wrote:
> > Below is very nice example of another "Evil maid" type attacks,
> > here directly applied to LUKS CBC disks.
> >
> > I think it clearly shows known rule:
> > If you let your machine out of your sight, it is no longer your machine.
> >
> > What is important (and blog mentions it)
> >
> > "It has already been known for a long time that CBC does not prevent
> > a malleability attack (targeted manipulation of encrypted data) given
> > that the attacker can modify the ciphertext and knows the corresponding
> > plaintext as well."
>
> Even more important, in this particular case, is that this "practical
> malleability attack" isn't actually very practical at all:
>
> "In the following I assume that we already have access to the
> original plaintext and the ciphertext of one file on the system and
> that we want to do our manipulations in this file:"
>
> There are a number of other assumptions and variables that must be "just right"
> in order for this attack to have even a remote chance of working, e.g.:
>
> "This code can be executed from a Live CD against the encrypted
> partition of an Ubuntu 12.04 installation. The position of the
> /bin/dash file needs to be adjusted by doing a reference
> installation with the same disk layout on a sufficiently similar
> hardware."
And there lies a pretty catastrophic risk: If anything goes wrong,
the target will know it has been attacked. In many scenarios this
will prevent the use of this attack.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-12-23 11:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CAH8yC8=i5x0My2ZMJrj8oikE8t6vQUGUX8WP2PC1uhO6HS=Mbw@mail.gmail.com>
2013-12-22 22:06 ` [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions Milan Broz
2013-12-22 23:07 ` /dev/ph0b0s
2013-12-23 7:56 ` Milan Broz
2013-12-23 11:13 ` Arno Wagner
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.