From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <wagner@tansi.org>
Received: from tansi.org (ns.km10532-04.keymachine.de [87.118.102.195])
	by mail.saout.de (Postfix) with ESMTP
	for <dm-crypt@saout.de>; Mon, 16 Aug 2010 16:21:40 +0200 (CEST)
Received: from gatewagner.dyndns.org (84-74-164-239.dclient.hispeed.ch
	[84.74.164.239]) by tansi.org (Postfix) with ESMTPA id C41601218366
	for <dm-crypt@saout.de>; Mon, 16 Aug 2010 16:21:39 +0200 (CEST)
Date: Mon, 16 Aug 2010 16:21:39 +0200
From: Arno Wagner <arno@wagner.name>
Message-ID: <20100816142139.GA26251@tansi.org>
References: <20100726210741.GC24052@tansi.org>
	<1280180557.3266.136.camel@fermat.scientia.net>
	<slrni4s7ac.lr8.Mario.Holbe@darkside.dyn.samba-tng.org>
	<4C682354.50907@web.de> <20100815221051.GA13494@tansi.org>
	<1281963344.4c69355004f56@www.inmano.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1281963344.4c69355004f56@www.inmano.com>
Subject: Re: [dm-crypt] Efficacy of xts over 1TB
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On Mon, Aug 16, 2010 at 02:55:44PM +0200, octane indice wrote:
> En r?ponse ? Arno Wagner <arno@wagner.name> :
> > Well, if the attacker mirrors your network traffic with iSCSI,
> > encryption does not matter anymore for any change analysis.
> >
> I don't know if it is the right place to ask, but do you have
> any links with this "change analysis" thing ?

Not really. What it does is expose on sector level (xts, EME)
what parts of the filesystem are changed. The idea is that
this can form a distinctice pattern, for example "Netscape
is launching", "An email was received in mbox format" or
"A Skype connection was initiated". In some contexts, this 
type of information leakage can be a risk. 

Typically this is only a risk in a SigInt context, were 
people have long ago given up reading content (because 
it is too much effort with encryption or even infeasible), 
but look at traffic patterns. For example, it seems you can 
pretty clearly see from the pattern whether a military 
attack is imminent.

This is advanced IT Security vodoo and not really relevant
for most users. The one context I can think of were it
becomes relevant is if a specific application intentionally
cause some kind of pattern to either signal it has been
started or to actually leak information. For example
a corrupted encryption program couls signal key-bits
to the world in this fashion. Note that this is not
really relevant for anything that has net access, as there 
bits are far easier to leak or directly send to the attacker.
For most typical usage it is not a relevant threat.

If you have questions, I will be happy to elaborate more.

Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier