From: Taylor Hornby
Subject: Re: [RFC 3/3] Enable GCM support in eCryptfs
Date: Wed, 22 Jan 2014 11:13:12 -0700
To: ecryptfs@vger.kernel.org
In-Reply-To: <52DAD571.5070801@gmail.com>

On 01/18/2014 12:26 PM, Will Morrison wrote:
> This patch adds support for GCM as a cipher mode in eCryptfs. If a file
> is encrypted in this mode, the layout of the lower file will change to
> accommodate it. This is due to the need to store auth tags as well as
> encrypted data.

Using a stream cipher mode like GCM without choosing a new random IV for
every write will destroy eCryptfs's security. In GCM, the ciphertext is
simply XORed with a key stream generated by encrypting a counter.
This means that the first time you write an extent, you get:

    ciphertext1 = keystream ^ plaintext1

The second time you write to that extent (without changing the IV, which I
believe is not done), you get:

    ciphertext2 = keystream ^ plaintext2

An attacker can XOR ciphertext1 with ciphertext2 to get:

    ciphertext1 ^ ciphertext2 = plaintext1 ^ plaintext2

which reveals lots of information about the plaintext to them. Other disk
encryption software all uses block modes like CBC-ESSIV or XTS to prevent
this.

See also the "Security Audit" thread.

--
Taylor Hornby
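The keystream-reuse leak described in the reply above, as an added example that is not part of the original thread or of the eCryptfs patch. It assumes an observer sees the lower file before and after one extent is rewritten, and it uses an HMAC-SHA256 counter keystream as a stand-in for GCM's AES-CTR keystream so that it runs on the Python standard library alone; the XOR relation it checks does not depend on which block function produces the keystream.

```python
import hashlib
import hmac
import struct

# Constructed sample values: a file key, the per-extent IV the lower file
# would reuse, and two successive versions of the same extent's contents.
KEY = bytes(range(32))
IV = b"\x00" * 12
PLAINTEXT_V1 = b"balance=0000100 nextid=7"   # first write of the extent
PLAINTEXT_V2 = b"balance=0000500 nextid=8"   # same extent after a rewrite


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, iv || i).

    GCM's encryption is AES-CTR with exactly this shape; HMAC-SHA256 stands
    in for AES here (an assumption of this example, not the real cipher).
    """
    out = bytearray()
    counter = 1
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_extent(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """ciphertext = keystream ^ plaintext.  GCM also appends an auth tag,
    which does not hide the ciphertext and so does not change this."""
    return xor(keystream(key, iv, len(plaintext)), plaintext)


def ciphertext_xor(key: bytes, iv1: bytes, iv2: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an observer of the lower file can compute from the two versions
    of the extent: ciphertext1 ^ ciphertext2."""
    return xor(encrypt_extent(key, iv1, p1), encrypt_extent(key, iv2, p2))


if __name__ == "__main__":
    # Same IV on both writes: ciphertext1 ^ ciphertext2 == plaintext1 ^ plaintext2,
    # so the keystream cancels and the XOR of the two file versions is exposed.
    leak = ciphertext_xor(KEY, IV, IV, PLAINTEXT_V1, PLAINTEXT_V2)
    assert leak == xor(PLAINTEXT_V1, PLAINTEXT_V2)
    # Fresh IV per write (the mitigation): the keystreams differ and the XOR
    # of the ciphertexts no longer relates the two plaintexts.
    fresh = ciphertext_xor(KEY, IV, b"\x01" * 12, PLAINTEXT_V1, PLAINTEXT_V2)
    assert fresh != xor(PLAINTEXT_V1, PLAINTEXT_V2)
    print("plaintext1 ^ plaintext2 exposed by IV reuse:", leak.hex())
```

With one version of the extent known (a zero-filled or templated extent, say), the other version follows from the leaked XOR, which is the "lots of information" the reply refers to.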