From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <52B7ECAD.5080202@gmail.com>
Date: Mon, 23 Dec 2013 08:56:29 +0100
From: Milan Broz
MIME-Version: 1.0
References: <52B76261.9080408@gmail.com> <20131222230724.GA1991@phobos.panopticism.net>
In-Reply-To: <20131222230724.GA1991@phobos.panopticism.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Fwd: Practical malleability attack against CBC-Encrypted LUKS partitions
To: dm-crypt@saout.de

On 12/23/2013 12:07 AM, /dev/ph0b0s wrote:
> On 12/22, Milan Broz wrote:
>> Below is a very nice example of another "Evil maid" type attack,
>> here directly applied to LUKS CBC disks.
>>
>> I think it clearly shows a known rule:
>> If you let your machine out of your sight, it is no longer your machine.
>>
>> What is important (and the blog mentions it):
>>
>> "It has already been known for a long time that CBC does not prevent
>> a malleability attack (targeted manipulation of encrypted data) given
>> that the attacker can modify the ciphertext and knows the corresponding
>> plaintext as well."
>
> Even more important, in this particular case, is that this "practical
> malleability attack" isn't actually very practical at all:
>
> "In the following I assume that we already have access to the
> original plaintext and the ciphertext of one file on the system and
> that we want to do our manipulations in this file:"

Sure. On the other side, if you have a "golden image" and all your company
laptops are encrypted using the same plaintext in the beginning, this
could be possible.

Anyway, I do not think this attack is anything new - it is just a real
application of known facts to one specific case. But it is worth
mentioning here.

...

>> BTW the blog doesn't mention that CBC is no longer the default mode for
>> cryptsetup and was replaced by XTS mode.
>
> The original post to f-d [0] that you forwarded does mention this:

I meant this part:

"When manually creating LUKS partitions, you should make sure to use XTS
instead of CBC (which is still the default when running cryptsetup
luksFormat without a cipher specification):"

It has not been the default since the 1.6.0 upstream version (and it was
configurable even before for distro maintainers).

Milan
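The CBC malleability quoted above, side by side with the XTS mode that cryptsetup switched to, as an added Go example that is not part of this thread and not cryptsetup's or dm-crypt's code: the keys, the two plaintext blocks and the one-bit delta are constructed, and the XTS routine is a minimal whole-block version (one sector, no ciphertext stealing) written only for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

func xor16(a, b []byte) []byte { // a[i] ^ b[i] over one 16-byte block
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}
// xts is a minimal AES-XTS over whole blocks (no ciphertext stealing), an illustration not
// taken from dm-crypt: T = AES_k2(tweak); C_i = op(P_i ^ T_i) ^ T_i; T_{i+1} = T_i * alpha.
func xts(op func(dst, src []byte), k2 cipher.Block, tweak, data []byte) []byte {
	t := make([]byte, 16)
	k2.Encrypt(t, tweak) // tweak: little-endian sector number, plain64 style
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += 16 {
		blk := xor16(data[off:], t)
		op(blk, blk) // the data key's Encrypt or Decrypt method
		copy(out[off:], xor16(blk, t))
		carry := byte(0) // next tweak: multiply T by alpha in GF(2^128)
		for i := range t {
			carry, t[i] = t[i]>>7, t[i]<<1|carry
		}
		if carry != 0 {
			t[0] ^= 0x87
		}
	}
	return out
}
// FlipDemo applies the same one-bit change to ciphertext block 0 under CBC and under XTS and
// returns the change to plaintext block 1 in each mode (CBC: exactly delta; XTS: none) and
// whether XTS garbled block 0 itself (it does, so XTS allows no controlled edit at all).
func FlipDemo() (cbcDelta, xtsDelta []byte, xtsBlock0Garbled bool) {
	k, _ := aes.NewCipher([]byte("constructed-key1")) // demo keys, constructed
	k2, _ := aes.NewCipher([]byte("constructed-key2"))
	iv := make([]byte, 16) // zero IV for CBC and sector-0 tweak for XTS, constructed
	plain := []byte("known block zero known block one")          // two known 16-byte blocks
	delta := append([]byte{0, 0, 0, 0x01}, make([]byte, 12)...) // one bit in byte 3
	cCBC, pCBC := make([]byte, 32), make([]byte, 32)
	cipher.NewCBCEncrypter(k, iv).CryptBlocks(cCBC, plain)
	cXTS := xts(k.Encrypt, k2, iv, plain)
	copy(cCBC, xor16(cCBC, delta)) // tamper with ciphertext block 0 in both modes
	copy(cXTS, xor16(cXTS, delta))
	cipher.NewCBCDecrypter(k, iv).CryptBlocks(pCBC, cCBC)
	pXTS := xts(k.Decrypt, k2, iv, cXTS)
	return xor16(pCBC[16:], plain[16:]), xor16(pXTS[16:], plain[16:]), string(pXTS[:16]) != string(plain[:16])
}
```

Neither mode detects the tampering, which is the defender's real takeaway: XTS only shrinks the damage from a chosen edit of the next block to destruction of the modified block, so integrity still has to come from somewhere else.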