* [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions [not found] <CAH8yC8=i5x0My2ZMJrj8oikE8t6vQUGUX8WP2PC1uhO6HS=Mbw@mail.gmail.com> @ 2013-12-22 22:06 ` Milan Broz 2013-12-22 23:07 ` /dev/ph0b0s 0 siblings, 1 reply; 4+ messages in thread From: Milan Broz @ 2013-12-22 22:06 UTC (permalink / raw) To: dm-crypt Below is very nice example of another "Evil maid" type attacks, here directly applied to LUKS CBC disks. I think it clearly shows known rule: If you let your machine out of your sight, it is no longer your machine. What is important (and blog mentions it) "It has already been known for a long time that CBC does not prevent a malleability attack (targeted manipulation of encrypted data) given that the attacker can modify the ciphertext and knows the corresponding plaintext as well." There is no integrity protection in LUKS devices (even cannot be for transparent disk encryption because there is no additional space to store integrity checksum / authentization tag data). Modification (random or malicious) of ciphertext is simply not detectable on the LUKS/dmcrypt level. BTW blog doesn't mention that CBC is no longer default mode for cryptsetup and was replaced by XTS mode. Milan > > http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ > > I. Abstract > > The most popular full disk encryption solution for Linux is LUKS > (Linux Unified Key Setup), which provides an easy to use encryption > layer for block devices. By default, newly generated LUKS devices are > set up with 256-bit AES in CBC mode. Since there is no integrity > protection/checksum, it is obviously possible to destroy parts of > plaintext files by changing the corresponding ciphertext blocks. > Nevertheless many users expect the encryption to make sure that an > attacker can only change the plaintext to an unpredictable random > value. The CBC mode used by default in LUKS however allows some more > targeted manipulation of the plaintext file given that the attacker > knows the original plaintext. This article demonstrates how this can > be used to inject a full remote code execution backdoor into an > encrypted installation of Ubuntu 12.04 created by the alternate > installer (the default installer of Ubuntu 12.04 doesn’t allow setting > up full disk encryption). > ... ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions 2013-12-22 22:06 ` [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions Milan Broz @ 2013-12-22 23:07 ` /dev/ph0b0s 2013-12-23 7:56 ` Milan Broz 2013-12-23 11:13 ` Arno Wagner 0 siblings, 2 replies; 4+ messages in thread From: /dev/ph0b0s @ 2013-12-22 23:07 UTC (permalink / raw) To: dm-crypt On 12/22, Milan Broz wrote: > Below is very nice example of another "Evil maid" type attacks, > here directly applied to LUKS CBC disks. > > I think it clearly shows known rule: > If you let your machine out of your sight, it is no longer your machine. > > What is important (and blog mentions it) > > "It has already been known for a long time that CBC does not prevent > a malleability attack (targeted manipulation of encrypted data) given > that the attacker can modify the ciphertext and knows the corresponding > plaintext as well." Even more important, in this particular case, is that this "practical malleability attack" isn't actually very practical at all: "In the following I assume that we already have access to the original plaintext and the ciphertext of one file on the system and that we want to do our manipulations in this file:" There are a number of other assumptions and variables that must be "just right" in order for this attack to have even a remote chance of working, e.g.: "This code can be executed from a Live CD against the encrypted partition of an Ubuntu 12.04 installation. The position of the /bin/dash file needs to be adjusted by doing a reference installation with the same disk layout on a sufficiently similar hardware." > BTW blog doesn't mention that CBC is no longer default mode for cryptsetup > and was replaced by XTS mode. The original post to f-d [0] that you forwarded does mention this: "This code can be executed from a Live CD against the encrypted partition of an Ubuntu 12.04 installation. The position of the /bin/dash file needs to be adjusted by doing a reference installation with the same disk layout on a sufficiently similar hardware. [...] When choosing to encrypt the system with the Ubuntu 12.10 installer, the encryption is set up with mode aes-xts-plain64, which is not vulnerable to this attack." It's certainly interesting from a technical perspective but this is simply not very feasible. /p [0]: http://archives.neohapsis.com/archives/fulldisclosure/2013-12/0187.html ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions 2013-12-22 23:07 ` /dev/ph0b0s @ 2013-12-23 7:56 ` Milan Broz 2013-12-23 11:13 ` Arno Wagner 1 sibling, 0 replies; 4+ messages in thread From: Milan Broz @ 2013-12-23 7:56 UTC (permalink / raw) To: dm-crypt On 12/23/2013 12:07 AM, /dev/ph0b0s wrote: > On 12/22, Milan Broz wrote: >> Below is very nice example of another "Evil maid" type attacks, >> here directly applied to LUKS CBC disks. >> >> I think it clearly shows known rule: >> If you let your machine out of your sight, it is no longer your machine. >> >> What is important (and blog mentions it) >> >> "It has already been known for a long time that CBC does not prevent >> a malleability attack (targeted manipulation of encrypted data) given >> that the attacker can modify the ciphertext and knows the corresponding >> plaintext as well." > > Even more important, in this particular case, is that this "practical > malleability attack" isn't actually very practical at all: > > "In the following I assume that we already have access to the > original plaintext and the ciphertext of one file on the system and > that we want to do our manipulations in this file:" Sure. On the other side, if you have "golden image" and all your company laptops are encrypted using the same plaintext in the beginning, this could be possible. Anyway, I do not think this attack is anything new - it is just real application of known facts on the one specific case. But it is worth to mention here. ... >> BTW blog doesn't mention that CBC is no longer default mode for cryptsetup >> and was replaced by XTS mode. > > The original post to f-d [0] that you forwarded does mention this: I meant this part: "When manually creating LUKS partitions, you should make sure to use XTS instead of CBC (which is still the default when running cryptsetup luksFormat without a cipher specification):" It is not default since 1.6.0 upstream version (and it was configurable even before for distro maintainers). Milan ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions 2013-12-22 23:07 ` /dev/ph0b0s 2013-12-23 7:56 ` Milan Broz @ 2013-12-23 11:13 ` Arno Wagner 1 sibling, 0 replies; 4+ messages in thread From: Arno Wagner @ 2013-12-23 11:13 UTC (permalink / raw) To: dm-crypt On Mon, Dec 23, 2013 at 00:07:24 CET, /dev/ph0b0s wrote: > On 12/22, Milan Broz wrote: > > Below is very nice example of another "Evil maid" type attacks, > > here directly applied to LUKS CBC disks. > > > > I think it clearly shows known rule: > > If you let your machine out of your sight, it is no longer your machine. > > > > What is important (and blog mentions it) > > > > "It has already been known for a long time that CBC does not prevent > > a malleability attack (targeted manipulation of encrypted data) given > > that the attacker can modify the ciphertext and knows the corresponding > > plaintext as well." > > Even more important, in this particular case, is that this "practical > malleability attack" isn't actually very practical at all: > > "In the following I assume that we already have access to the > original plaintext and the ciphertext of one file on the system and > that we want to do our manipulations in this file:" > > There are a number of other assumptions and variables that must be "just right" > in order for this attack to have even a remote chance of working, e.g.: > > "This code can be executed from a Live CD against the encrypted > partition of an Ubuntu 12.04 installation. The position of the > /bin/dash file needs to be adjusted by doing a reference > installation with the same disk layout on a sufficiently similar > hardware." And there lies a pretty catastrophic risk: If anything goes wrong, the target will know it has been attacked. In many scenarios this will prevent the use of this attack. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. --Tony Hoare ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-12-23 11:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CAH8yC8=i5x0My2ZMJrj8oikE8t6vQUGUX8WP2PC1uhO6HS=Mbw@mail.gmail.com>
2013-12-22 22:06 ` [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions Milan Broz
2013-12-22 23:07 ` /dev/ph0b0s
2013-12-23 7:56 ` Milan Broz
2013-12-23 11:13 ` Arno Wagner
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.