[PATCH] Delete cryptoloop

[PATCH] Delete cryptoloop

[James Morris]

This patch deletes cryptoloop, which is buggy, unmaintained, and
reportedly has mutliple security weaknesses. Dropping cryptoloop should
also help dm-crypt receive more testing and review.

I haven't updated the defconfigs, is this something for arch maintainers 
to manage?

 drivers/block/Kconfig      |   22 ---
 drivers/block/Makefile     |    1 
 drivers/block/cryptoloop.c |  268 
---------------------------------------------
 3 files changed, 2 insertions(+), 289 deletions(-)


diff -urN a/drivers/block/cryptoloop.c b/drivers/block/cryptoloop.c
--- a/drivers/block/cryptoloop.c	2004-07-21 15:40:46.000000000 -0400
+++ b/drivers/block/cryptoloop.c	1969-12-31 19:00:00.000000000 -0500
@@ -1,268 +0,0 @@
-/*
-   Linux loop encryption enabling module
-
-   Copyright (C)  2002 Herbert Valerio Riedel <hvr@gnu.org>
-   Copyright (C)  2003 Fruhwirth Clemens <clemens@endorphin.org>
-
-   This module is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-
-   This module is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this module; if not, write to the Free Software
-   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-#include <linux/module.h>
-
-#include <linux/init.h>
-#include <linux/string.h>
-#include <linux/crypto.h>
-#include <linux/blkdev.h>
-#include <linux/loop.h>
-#include <asm/semaphore.h>
-#include <asm/uaccess.h>
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("loop blockdevice transferfunction adaptor / CryptoAPI");
-MODULE_AUTHOR("Herbert Valerio Riedel <hvr@gnu.org>");
-
-#define LOOP_IV_SECTOR_BITS 9
-#define LOOP_IV_SECTOR_SIZE (1 << LOOP_IV_SECTOR_BITS)
-
-static int
-cryptoloop_init(struct loop_device *lo, const struct loop_info64 *info)
-{
-	int err = -EINVAL;
-	char cms[LO_NAME_SIZE];			/* cipher-mode string */
-	char *cipher;
-	char *mode;
-	char *cmsp = cms;			/* c-m string pointer */
-	struct crypto_tfm *tfm = NULL;
-
-	/* encryption breaks for non sector aligned offsets */
-
-	if (info->lo_offset % LOOP_IV_SECTOR_SIZE)
-		goto out;
-
-	strncpy(cms, info->lo_crypt_name, LO_NAME_SIZE);
-	cms[LO_NAME_SIZE - 1] = 0;
-	cipher = strsep(&cmsp, "-");
-	mode = strsep(&cmsp, "-");
-
-	if (mode == NULL || strcmp(mode, "cbc") == 0)
-		tfm = crypto_alloc_tfm(cipher, CRYPTO_TFM_MODE_CBC);
-	else if (strcmp(mode, "ecb") == 0)
-		tfm = crypto_alloc_tfm(cipher, CRYPTO_TFM_MODE_ECB);
-	if (tfm == NULL)
-		return -EINVAL;
-
-	err = tfm->crt_u.cipher.cit_setkey(tfm, info->lo_encrypt_key,
-					   info->lo_encrypt_key_size);
-	
-	if (err != 0)
-		goto out_free_tfm;
-
-	lo->key_data = tfm;
-	return 0;
-
- out_free_tfm:
-	crypto_free_tfm(tfm);
-
- out:
-	return err;
-}
-
-
-typedef int (*encdec_ecb_t)(struct crypto_tfm *tfm,
-			struct scatterlist *sg_out,
-			struct scatterlist *sg_in,
-			unsigned int nsg);
-
-
-static int
-cryptoloop_transfer_ecb(struct loop_device *lo, int cmd,
-			struct page *raw_page, unsigned raw_off,
-			struct page *loop_page, unsigned loop_off,
-			int size, sector_t IV)
-{
-	struct crypto_tfm *tfm = (struct crypto_tfm *) lo->key_data;
-	struct scatterlist sg_out = { NULL, };
-	struct scatterlist sg_in = { NULL, };
-
-	encdec_ecb_t encdecfunc;
-	struct page *in_page, *out_page;
-	unsigned in_offs, out_offs;
-
-	if (cmd == READ) {
-		in_page = raw_page;
-		in_offs = raw_off;
-		out_page = loop_page;
-		out_offs = loop_off;
-		encdecfunc = tfm->crt_u.cipher.cit_decrypt;
-	} else {
-		in_page = loop_page;
-		in_offs = loop_off;
-		out_page = raw_page;
-		out_offs = raw_off;
-		encdecfunc = tfm->crt_u.cipher.cit_encrypt;
-	}
-
-	while (size > 0) {
-		const int sz = min(size, LOOP_IV_SECTOR_SIZE);
-
-		sg_in.page = in_page;
-		sg_in.offset = in_offs;
-		sg_in.length = sz;
-
-		sg_out.page = out_page;
-		sg_out.offset = out_offs;
-		sg_out.length = sz;
-
-		encdecfunc(tfm, &sg_out, &sg_in, sz);
-
-		size -= sz;
-		in_offs += sz;
-		out_offs += sz;
-	}
-
-	return 0;
-}
-
-typedef int (*encdec_cbc_t)(struct crypto_tfm *tfm,
-			struct scatterlist *sg_out,
-			struct scatterlist *sg_in,
-			unsigned int nsg, u8 *iv);
-
-static int
-cryptoloop_transfer_cbc(struct loop_device *lo, int cmd,
-			struct page *raw_page, unsigned raw_off,
-			struct page *loop_page, unsigned loop_off,
-			int size, sector_t IV)
-{
-	struct crypto_tfm *tfm = (struct crypto_tfm *) lo->key_data;
-	struct scatterlist sg_out = { NULL, };
-	struct scatterlist sg_in = { NULL, };
-
-	encdec_cbc_t encdecfunc;
-	struct page *in_page, *out_page;
-	unsigned in_offs, out_offs;
-
-	if (cmd == READ) {
-		in_page = raw_page;
-		in_offs = raw_off;
-		out_page = loop_page;
-		out_offs = loop_off;
-		encdecfunc = tfm->crt_u.cipher.cit_decrypt_iv;
-	} else {
-		in_page = loop_page;
-		in_offs = loop_off;
-		out_page = raw_page;
-		out_offs = raw_off;
-		encdecfunc = tfm->crt_u.cipher.cit_encrypt_iv;
-	}
-
-	while (size > 0) {
-		const int sz = min(size, LOOP_IV_SECTOR_SIZE);
-		u32 iv[4] = { 0, };
-		iv[0] = cpu_to_le32(IV & 0xffffffff);
-
-		sg_in.page = in_page;
-		sg_in.offset = in_offs;
-		sg_in.length = sz;
-
-		sg_out.page = out_page;
-		sg_out.offset = out_offs;
-		sg_out.length = sz;
-
-		encdecfunc(tfm, &sg_out, &sg_in, sz, (u8 *)iv);
-
-		IV++;
-		size -= sz;
-		in_offs += sz;
-		out_offs += sz;
-	}
-
-	return 0;
-}
-
-static int
-cryptoloop_transfer(struct loop_device *lo, int cmd,
-		    struct page *raw_page, unsigned raw_off,
-		    struct page *loop_page, unsigned loop_off,
-		    int size, sector_t IV)
-{
-	struct crypto_tfm *tfm = (struct crypto_tfm *) lo->key_data;
-	if(tfm->crt_cipher.cit_mode == CRYPTO_TFM_MODE_ECB)
-	{
-		lo->transfer = cryptoloop_transfer_ecb;
-		return cryptoloop_transfer_ecb(lo, cmd, raw_page, raw_off,
-					       loop_page, loop_off, size, IV);
-	}	
-	if(tfm->crt_cipher.cit_mode == CRYPTO_TFM_MODE_CBC)
-	{	
-		lo->transfer = cryptoloop_transfer_cbc;
-		return cryptoloop_transfer_cbc(lo, cmd, raw_page, raw_off,
-					       loop_page, loop_off, size, IV);
-	}
-	
-	/*  This is not supposed to happen */
-
-	printk( KERN_ERR "cryptoloop: unsupported cipher mode in cryptoloop_transfer!\n");
-	return -EINVAL;
-}
-
-static int
-cryptoloop_ioctl(struct loop_device *lo, int cmd, unsigned long arg)
-{
-	return -EINVAL;
-}
-
-static int
-cryptoloop_release(struct loop_device *lo)
-{
-	struct crypto_tfm *tfm = (struct crypto_tfm *) lo->key_data;
-	if (tfm != NULL) {
-		crypto_free_tfm(tfm);
-		lo->key_data = NULL;
-		return 0;
-	}
-	printk(KERN_ERR "cryptoloop_release(): tfm == NULL?\n");
-	return -EINVAL;
-}
-
-static struct loop_func_table cryptoloop_funcs = {
-	.number = LO_CRYPT_CRYPTOAPI,
-	.init = cryptoloop_init,
-	.ioctl = cryptoloop_ioctl,
-	.transfer = cryptoloop_transfer,
-	.release = cryptoloop_release,
-	.owner = THIS_MODULE
-};
-
-static int __init
-init_cryptoloop(void)
-{
-	int rc = loop_register_transfer(&cryptoloop_funcs);
-
-	if (rc)
-		printk(KERN_ERR "cryptoloop: loop_register_transfer failed\n");
-	return rc;
-}
-
-static void __exit
-cleanup_cryptoloop(void)
-{
-	if (loop_unregister_transfer(LO_CRYPT_CRYPTOAPI))
-		printk(KERN_ERR
-			"cryptoloop: loop_unregister_transfer failed\n");
-}
-
-module_init(init_cryptoloop);
-module_exit(cleanup_cryptoloop);
diff -urN a/drivers/block/Kconfig b/drivers/block/Kconfig
--- a/drivers/block/Kconfig	2004-07-21 15:40:46.000000000 -0400
+++ b/drivers/block/Kconfig	2004-07-21 15:53:02.000000000 -0400
@@ -229,12 +229,8 @@
 	  on a remote file server.
 
 	  There are several ways of encrypting disks. Some of these require
-	  kernel patches. The vanilla kernel offers the cryptoloop option
-	  and a Device Mapper target (which is superior, as it supports all
-	  file systems). If you want to use the cryptoloop, say Y to both
-	  LOOP and CRYPTOLOOP, and make sure you have a recent (version 2.12
-	  or later) version of util-linux. Additionally, be aware that
-	  the cryptoloop is not safe for storing journaled filesystems.
+	  kernel patches. The vanilla kernel offers a Device Mapper target
+	  which supports all file systems.
 
 	  Note that this loop device has nothing to do with the loopback
 	  device used for network connections from the machine to itself.
@@ -244,20 +240,6 @@
 
 	  Most users will answer N here.
 
-config BLK_DEV_CRYPTOLOOP
-	tristate "Cryptoloop Support"
-	select CRYPTO
-	depends on BLK_DEV_LOOP
-	---help---
-	  Say Y here if you want to be able to use the ciphers that are 
-	  provided by the CryptoAPI as loop transformation. This might be
-	  used as hard disk encryption.
-
-	  WARNING: This device is not safe for journaled file systems like
-	  ext3 or Reiserfs. Please use the Device Mapper crypto module
-	  instead, which can be configured to be on-disk compatible with the
-	  cryptoloop device.
-
 config BLK_DEV_NBD
 	tristate "Network block device support"
 	depends on NET
diff -urN a/drivers/block/Makefile b/drivers/block/Makefile
--- a/drivers/block/Makefile	2004-07-21 15:40:46.000000000 -0400
+++ b/drivers/block/Makefile	2004-07-21 15:53:41.000000000 -0400
@@ -38,7 +38,6 @@
 
 obj-$(CONFIG_BLK_DEV_UMEM)	+= umem.o
 obj-$(CONFIG_BLK_DEV_NBD)	+= nbd.o
-obj-$(CONFIG_BLK_DEV_CRYPTOLOOP) += cryptoloop.o
 
 obj-$(CONFIG_VIODASD)		+= viodasd.o
 obj-$(CONFIG_BLK_DEV_SX8)	+= sx8.o

Re: [PATCH] Delete cryptoloop

[David S. Miller]

On Wed, 21 Jul 2004 16:16:34 -0400 (EDT)
James Morris <jmorris@redhat.com> wrote:

> I haven't updated the defconfigs, is this something for arch maintainers 
> to manage?

Yes, usually that is how things work out.

Re: [PATCH] Delete cryptoloop

[Andrew Morton]

James Morris <jmorris@redhat.com> wrote:
>
> This patch deletes cryptoloop,

OK - if nobody complains convincingly we'll drop cryptoloop out of 2.6.9.

> which is buggy, unmaintained, and
> reportedly has mutliple security weaknesses.

Doesn't dm-crypt have the same security weaknesses?

Re: [PATCH] Delete cryptoloop

[James Morris]

On Wed, 21 Jul 2004, Andrew Morton wrote:

> > which is buggy, unmaintained, and
> > reportedly has mutliple security weaknesses.
> 
> Doesn't dm-crypt have the same security weaknesses?

Jari Ruusu claims that anything with on-disk cryptoloop compatibility is 
vulnerable to dictionary attacks and IV deduction.  Fruhwirth Clemens 
claims that this is FUD, per the thread below.

http://marc.theaimsgroup.com/?l=linux-kernel&m=108447509327847&w=2

It would be good if we could get some further review on the issue by an 
independent, well known cryptographer.


- James
-- 
James Morris
<jmorris@redhat.com>

Re: [PATCH] Delete cryptoloop

[Matthias Urlichs]

Hi, James Morris wrote:

> It would be good if we could get some further review on the issue by an 
> independent, well known cryptographer.

Well, I'm not, but ...

AFAIK, the main issue is: If I write some data to the start of block N, I
get a bit pattern. If I write the same data *anywhere* else (the middle of
block N, the start of block M != N, a different on-disk bit pattern must
result.

If there are identical bit patterns, then the system is vulnerable.
Obviously, this vulnerability doesn't depend on whether you're using
cryptoloop or dm-crypt.

-- 
Matthias Urlichs

Re: [PATCH] Delete cryptoloop

[H. Peter Anvin]

Followup to:  <pan.2004.07.22.07.43.41.872460@smurf.noris.de>
By author:    Matthias Urlichs <smurf@smurf.noris.de>
In newsgroup: linux.dev.kernel
>
> Hi, James Morris wrote:
> 
> > It would be good if we could get some further review on the issue by an 
> > independent, well known cryptographer.
> 
> Well, I'm not, but ...
> 
> AFAIK, the main issue is: If I write some data to the start of block N, I
> get a bit pattern. If I write the same data *anywhere* else (the middle of
> block N, the start of block M != N, a different on-disk bit pattern must
> result.
> 
> If there are identical bit patterns, then the system is vulnerable.
> Obviously, this vulnerability doesn't depend on whether you're using
> cryptoloop or dm-crypt.
> 

So does cryptoloop use a different IV for different blocks?  The need
for the IV to be secret is different for different ciphers, but for
block ciphers the rule is that is must not repeat, and at least
according to some people must not be trivially predictable.  One way
to do that is to use a secure hash of (key,block #) as the IV.

	-hpa

Re: [PATCH] Delete cryptoloop

[Jack Lloyd]

On Thu, Jul 22, 2004 at 02:14:42PM +0000, H. Peter Anvin wrote:

> So does cryptoloop use a different IV for different blocks?  The need
> for the IV to be secret is different for different ciphers, but for
> block ciphers the rule is that is must not repeat, and at least
> according to some people must not be trivially predictable.  One way
> to do that is to use a secure hash of (key,block #) as the IV.

Using an HMAC for this (with the input being the block #) seems like a better
idea, as there is less risk of leaking bits of the key if any attack on the
hash is found. Since secure hash == SHA-1 or better, you would have to truncate
it to use as an IV for a 64 or 128 bit cipher, which would make it harder for
someone looking at the IVs to make a guess on the key, but HMAC is pretty
cheap.

For block ciphers in CBC mode, simply not repeating and being somewhat
non-predictable is sufficient. That's easy enough.

For something like, say, counter mode, you have to make sure that they never
overlap; not only will a repeated IV cause trouble, but if one block is
encrypted with a particular IV, and another block is encrypted with IV + n
(viewing them as integers), then you'll leak some of the plaintext, because the
cipher stream will get reused. The obvious solution is to just use the (block
ID << log2(sector_size)) as the IV. The IV doesn't have to be unpredictable at
all for counter mode. The shift is needed, otherwise the second block of sector
2 will be encrypted with the same counter as the first block of sector one.

I'm not aware of any cipher or cipher mode where the IV or nonce has to be kept
secret from an attacker.

Jack

Re: [PATCH] Delete cryptoloop

[David Wagner]

James Morris  wrote:
>It would be good if we could get some further review on the issue by an 
>independent, well known cryptographer.

I'd be glad to review it if someone can point me to a clear, concise
description of the scheme (trying to extract the spec from the code
is too much work for me).

M.J. Saarinen's attack seems to be real, if that's what you're asking
about.  IV generation is important; if you choose IVs poorly, then you
can end up with some weaknesses even if the underlying block cipher is
perfectly fine.  (I noticed that some posts from, e.g., Clemens were
confused about this point.  If you use a great cipher in a bad mode of
operation, you can easily end up with an insecure system.  The existence
of an attack against such a system is not in contradiction to the security
of the underlying block cipher against chosen plaintext attacks.)

Re: [PATCH] Delete cryptoloop

[James Morris]

On Wed, 28 Jul 2004, David Wagner wrote:

> James Morris  wrote:
> >It would be good if we could get some further review on the issue by an 
> >independent, well known cryptographer.
> 
> I'd be glad to review it if someone can point me to a clear, concise
> description of the scheme (trying to extract the spec from the code
> is too much work for me).

That would be great.  It would be best to do this review for dm-crypt.  

Christophe, is there a detailed description of the existing scheme?



- James
-- 
James Morris
<jmorris@redhat.com>

Re: [PATCH] Delete cryptoloop

[Christophe Saout]

[-- Attachment #1: Type: text/plain, Size: 1433 bytes --]

Am Mittwoch, den 28.07.2004, 20:27 -0400 schrieb James Morris:

> > James Morris  wrote:
> > >It would be good if we could get some further review on the issue by an 
> > >independent, well known cryptographer.
> > 
> > I'd be glad to review it if someone can point me to a clear, concise
> > description of the scheme (trying to extract the spec from the code
> > is too much work for me).
> 
> That would be great.  It would be best to do this review for dm-crypt.  
> 
> Christophe, is there a detailed description of the existing scheme?

I can explain it here, it's pretty simple:

IV = sector number (little endian, 32 bits), pad with zeroes

The actual content is then encoded using the selected cipher and key in
CBC mode.

For those who don't know what exactly that means:

C[0] = E(IV     xor P[0])
C[1] = E(C[0]   xor P[1])
...
C[n] = E(C[n-1] xor P[n])

C is the encrypted data, P the plaintext data. The block size is given
by the cipher (usually 128 bit or something like that). E is the
encryption using cipher and key.

This is done for every sector.

The weakness is that the IV is known. You can write specially crafted
blocks on the disk and have a known plaintext for the first block.

Also see: http://clemens.endorphin.org/OnTheProblemsOfCryptoloop

One simple way to avoid this would be to compute the IV in a different
way, something based on key and sector number.


[-- Attachment #2: Dies ist ein digital signierter Nachrichtenteil --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[David Wagner]

Christophe Saout writes:
> IV = sector number (little endian, 32 bits), pad with zeroes
> The actual content is then encoded using the selected cipher and key in
> CBC mode.
> C[0] = E(IV     xor P[0])
> C[1] = E(C[0]   xor P[1])
> ...

Ok, that's what I thought.  The above is pretty good, but does have some
weaknesses due to the IV selection.  CBC mode needs uniformly random IVs
for security; using a counter can cause occasional information leakage.

1) Accidental leakage can happen, if you're a little unlucky.  Suppose
we have two sectors, numbered S and S' and with content P and P'
(respectively).  Check out what happens if the first block of sector
contents are related by P[0] xor P'[0] = S xor S': in this case (and
only this case), we have C[0] = C'[0].  Notice that an attacker can
recognize when this happens by just looking for a pair of sectors
whose ciphertexts start with the same block.  If he finds a pair of
sectors like this, he will be able to deduce the value P[0] xor P'[0]
(since sector numbers are known), and depending on data formats, this
might reveal relevant information about the corresponding plaintexts.

So if you're unlucky and two plaintexts are related in a special way,
some partial information can leak.  You have to ask how likely it will be
that this special relation will occur.  The answer depends on the format
of plaintexts.  If the first block of plaintexts are totally random,
then this relationship essentially never occurs (it has probability
1/2^128 for any pair of sectors, a truly negligible chance).

But, if blocks have some special formatting that makes them highly
non-random, the chance of information leakage can go up significantly.
For instance, suppose the first block of our data always contains
a 24-bit counter, little endian and padded with zeros, and suppose
we have a disk with 2^24 sectors (64 GB disk?).  Then the probability
of a special relationship between any pair of disk sectors is 1/2^24.
If 2^20 of the sectors hold data of this format, then we expect to find
about 2^20*(2^20 - 1)/2 * 1/2^24 ~= 2^15 pairs of sectors with this
special relationship.  In other words, there are about 2^15 pairs of
sectors where some partial information leaks to the attacker.

You can see that the information leakage is typically modest and limited;
in many cases, there might be no leakage at all.  Nonetheless, this is
not an ideal situation.  As a cryptographer, one would usually consider
this a flawed design (primarily because it is so easy to do better).
There are known ways to prevent this attack; for instance, IV = E(sector
number) or IV = HMAC(sector number) should be much better.

2) Intentional leakage can happen, if the attacker can exert any influence
over the data you store on your disk.  If I remember correctly, I think
this is M.J. Saarinen's scenario: the attacker specially chooses the
contents of your disk sectors to increase the probability of information
leakage (as described above), the attacker can arrange for this leakage
to occur with very high probability.  In the watermarking attack, the
attacker uses the absence/presence of leakage to determine whether your
disk contains a copy of his watermarked file.

The above analysis is only directed towards the threat model where the
attacker gets physical access to your hard disk once, and you never see
it again.  For instance, think of someone who steals your laptop and then
wants to read what's on your hard drive.  I ignored scenarios where the
attacker gets repeated access to your hard disk and can see what's stored
on it each time -- e.g., the janitor pokes around inside your machine
every night at midnight.  I also ignored scenarios where the attacker
gets access to your hard disk, makes some changes to the ciphertext,
and then you continue using the machine afterwards.  There is a big pile
of devastating attacks in these more sophisticated threat models, and
it would be prudent to assume that the current scheme might be totally
insecure in such scenarios.  I can say more if you want, but I suspect
the current scheme wasn't designed for security against repeated or
active attacks.

I also didn't look at key management -- e.g., how keys are generated
(passwords?), derived, stored, and destroyed (do they end up on swap
inadvertently?).  Be aware that this is another big potential source
of vulnerabilities.

I hope this helps get you started.  Sorry that I know nothing about
cryptoloop or dm-crypt; thanks for showing me the basic mode of operation
they use.  Feel free to let me know if you want to know more about any
aspect of this problem.

> Also see: http://clemens.endorphin.org/OnTheProblemsOfCryptoloop

The reasoning on that web page looks pretty confused to me.  It looks
to me like the author of that page does not understand cryptography
very well.  The author tries to calculate the probability of a special
relationship between sectors, but overlooks the possibility that data
might be formatted in a way that increases this probability.  This is
pretty basic, standard stuff in the crypto world, to be honest, so this
kind of mistake is not encouraging.

Re: [PATCH] Delete cryptoloop

[Christophe Saout]

[-- Attachment #1: Type: text/plain, Size: 2083 bytes --]

Am Donnerstag, den 29.07.2004, 14:15 -0700 schrieb David Wagner:

> > IV = sector number (little endian, 32 bits), pad with zeroes
> > The actual content is then encoded using the selected cipher and key in
> > CBC mode.
> > C[0] = E(IV     xor P[0])
> > C[1] = E(C[0]   xor P[1])
> > ...
> 
> Ok, that's what I thought.  The above is pretty good, but does have some
> weaknesses due to the IV selection.  CBC mode needs uniformly random IVs
> for security; using a counter can cause occasional information leakage.

Yes, we already identified this problem.

> You can see that the information leakage is typically modest and limited;
> in many cases, there might be no leakage at all.  Nonetheless, this is
> not an ideal situation.  As a cryptographer, one would usually consider
> this a flawed design (primarily because it is so easy to do better).
> There are known ways to prevent this attack; for instance, IV = E(sector
> number) or IV = HMAC(sector number) should be much better.

Exactly.

But we identified more problems (I don't if these are all real issues).

Assuming the attacker has access to both plaintext and the encrypted
disk. (shared storage, user account on the machine or something)

A simple one is if you set a sector to all zeroes, due to CBC you get
tons of plaintext-encrypted pairs on the encrypted disk.

One problem would be that if he modifies a sector only the rest of that
sector changes, starting from the block he changed.
Since CBC uses C[n] = E(C[n-1] xor P[n]) he could set P[n] = C[n-1] and
then has C[n] = E(0) which could be precomputed.

This can't happen if the IV also depends on the sector content, like IV
= HMAC(sector number, P[1 .. n-1])

Or if the attacker can copy around sectors on the encrypted side (shared
storage) from one location to another location where he has read access
on the machine that can decrypt the data, he can simply read the data
except for the first block (if secured by an "random" IV). This can't be
avoided when using CBC and a single key for every sector.


[-- Attachment #2: Dies ist ein digital signierter Nachrichtenteil --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[David Wagner]

> But we identified more problems (I don't if these are all real issues).
> Assuming the attacker has access to both plaintext and the encrypted
> disk. (shared storage, user account on the machine or something)
[...]

Yes, there are a host of potential attacks in this scenario.  That's why I
wrote that, if you find yourself in this threat model, it would be prudent
to assume that the current disk encryption scheme can potentially be
defeated.  Does anyone care about these threat models?  From the design,
I had assumed that no one cared, but if they are relevant in practice,
then it might make sense to investigate additional defenses.

The natural defense against these attacks would be to add a MAC, but this
has the disadvantage of increasing ciphertext lengths and thus may be
unsuitable for disk encryption.  Also, a MAC might still be susceptible
to some attacks based on cutting and splicing old ciphertext sectors
with new ciphertext sectors, or somesuch.  In other words, a vanilla MAC
does not ensure freshness (it doesn't stop replaying old ciphertexts),
unless it is augmented with additional mechanisms.  It is not clear to
me whether this would matter in practice.

An alternative possibility would be to use a tweakable block cipher.
The block width would be the size of the sector, and the sector number
would be used as the tweak.  This doesn't prevent the attacker from
fooling around with ciphertexts; it just ensures that if the attacker
changes what is on disk to some new value, then its decryption will be
randomized and unpredictable to the attacker.  One would have to spend
a little time thinking about whether this is good enough in practice.
Note that a tweakable block cipher retains the potential for replaying
old ciphertexts just like a MAC would.

Also, I haven't said anything about traffic analysis threats.  If the
attacker can observe the encrypted data on your hard disk at multiple
times, he may be able to identify some partial information about which
sectors or blocks of data have changed at which times.  There may be
some things one could do about this, if it matters to anyone.

Re: [PATCH] Delete cryptoloop

[Matt Mackall]

On Fri, Jul 30, 2004 at 05:44:24PM -0700, David Wagner wrote:
> > But we identified more problems (I don't if these are all real issues).
> > Assuming the attacker has access to both plaintext and the encrypted
> > disk. (shared storage, user account on the machine or something)
> [...]
> 
> Yes, there are a host of potential attacks in this scenario.  That's why I
> wrote that, if you find yourself in this threat model, it would be prudent
> to assume that the current disk encryption scheme can potentially be
> defeated.  Does anyone care about these threat models?  From the design,
> I had assumed that no one cared, but if they are relevant in practice,
> then it might make sense to investigate additional defenses.

Here's a probable scenario: encrypted mail spool in maildir format.
Attacker can send mail of his choosing and then later capture the
machine with the hope of breaking in.

Ideally, we'd ship a requirements and specification document that
describes the security trade-offs of cryptoloop/dm-crypt in some
detail. There are way too many unstated assumptions here.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [PATCH] Delete cryptoloop

[Marc Ballarin]

On Fri, 30 Jul 2004 21:05:34 -0500
Matt Mackall <mpm@selenic.com> wrote:


> 
> Ideally, we'd ship a requirements and specification document that
> describes the security trade-offs of cryptoloop/dm-crypt in some
> detail. There are way too many unstated assumptions here.
> 

Indeed. I have just tried to start a discussion of the future design goals
on the dm-crypt mailinglist.

If you are not subscribed see
http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/379

Regards

Re: [PATCH] Delete cryptoloop

[David Wagner]

Matt Mackall  wrote:
>Here's a probable scenario: encrypted mail spool in maildir format.
>Attacker can send mail of his choosing and then later capture the
>machine with the hope of breaking in.

No, actually, that's the kind of simple scenario where existing Cryptoloop
does a more or less reasonable job (in my opinion).  In a simple scenario,
the attacker can choose or exert partial control over some of the data
stored on your disk, then can steal your hard disk and see what is stored
on it, and you never see the hard disk again.  This is the scenario where
Saarinen's watermarking attack is possible, and if you're unlucky there
may be some partial information leakage as detailed in my previous email,
but nothing much worse than this (as far as I know).

The point I was making is that there are other scenarios where Cryptoloop
falls apart in much more devastating ways.  For instance, if the attacker
can modify the ciphertexts stored on your hard disk and you continue
using the hard disk afterwards, then really nasty attacks become possible.
Other attacks become possible if the attacker can observe the ciphertexts
stored on your hard disk at multiple points in time.  The question I was
asking is this: Does anyone care about these latter types of scenarios?

>Ideally, we'd ship a requirements and specification document that
>describes the security trade-offs of cryptoloop/dm-crypt in some
>detail. There are way too many unstated assumptions here.

Yes, that sounds like something that would make a lot of sense.

Re: [PATCH] Delete cryptoloop

[James Morris]

On Mon, 2 Aug 2004, David Wagner wrote:

> The point I was making is that there are other scenarios where Cryptoloop
> falls apart in much more devastating ways.  For instance, if the attacker
> can modify the ciphertexts stored on your hard disk and you continue
> using the hard disk afterwards, then really nasty attacks become possible.
> Other attacks become possible if the attacker can observe the ciphertexts
> stored on your hard disk at multiple points in time.  The question I was
> asking is this: Does anyone care about these latter types of scenarios?

I think the common threat scenarios out of the above are:

1) Attacker can observe ciphertexts at multiple points in time.
2) Attacker steals disk/computer and disappears with it.


- James
-- 
James Morris
<jmorris@redhat.com>

Re: [PATCH] Delete cryptoloop

[Jean-Luc Cooke]

On Mon, Aug 02, 2004 at 07:16:56PM -0400, James Morris wrote:
> On Mon, 2 Aug 2004, David Wagner wrote:
> 
> > The point I was making is that there are other scenarios where Cryptoloop
> > falls apart in much more devastating ways.  For instance, if the attacker
> > can modify the ciphertexts stored on your hard disk and you continue
> > using the hard disk afterwards, then really nasty attacks become possible.
> > Other attacks become possible if the attacker can observe the ciphertexts
> > stored on your hard disk at multiple points in time.  The question I was
> > asking is this: Does anyone care about these latter types of scenarios?
> 
> I think the common threat scenarios out of the above are:
> 
> 1) Attacker can observe ciphertexts at multiple points in time.
> 2) Attacker steals disk/computer and disappears with it.

Examples for #1 being: mounting a file system image across NFS (their home
directory for example).  In this case, and attacker can see almost *all* disk
reads and writes.

Thanks for your input on this David W., I was @ OLS... silly intermittent
WiFi...

JLC

Re: [PATCH] Delete cryptoloop

[dpf-lkml]

Hello James and Andrew,

Hopefully someone else will follow up, but I hope I'm somewhat convincing:

Andrew Morton said:
> James Morris <jmorris@redhat.com> wrote:
>>
>> This patch deletes cryptoloop,
>
> OK - if nobody complains convincingly we'll drop cryptoloop out of 2.6.9.
>

Cryptoloop is deprecated (since 2.6.4), but that doesn't mean it should be
deleted. As is the case with many deprecated APIs, they usually hang
around for a long time (until the next major rev) so that people have a
chance to transition their tools. Is no one else using cryptoloop? Are 5
minor revs really enough time (so far about 5 months)?

>> which is buggy, unmaintained, and
>> reportedly has mutliple security weaknesses.
>
> Doesn't dm-crypt have the same security weaknesses?
>

I don't doubt the superiority of dm-crypt. But most people using a
_deprecated_ feature would know that means "buggy, unmaintained" and with
possible weaknesses.

Perhaps a better way to communicate deprecation, instead of pulling the
rug out from under people by deleting so soon, is to inject warnings
during compilation, or even during use. Or, split off the new code into a
differently named module -- leaving a clean way to throw out the old
method.

>From the cryptoloop HOWTO website:
(http://www.tldp.org/HOWTO/Cryptoloop-HOWTO/cryptoloop-introduction.html)

"Dm-crypt is available in the main kernel since 2.6.4. Cryptoloop will
still be available in the main kernel for a long time, but dm-crypt will
be the method of choice for disk encryption in the future."

And then it goes on to say:

"It is still very new and there are no easy-to-use userspace tools
available yet. Dm-crypt is considered to be much cleaner code than
Cryptoloop, but there are some important differences. For example,
creating an ecrypted filesystem within a file will still require to go
through a loop device, but this support is still in development."

So it looks like dm-crypt is still up in the air on feature compatibility
with cryptoloop.

Deleting cryptoloop in 2.6.9 seems too soon -- even the cryptoloop HOWTO
maintainer (Ralph Hölzer) seems to expect it to hang around.

In February, lkml had essentially the same discussion.
(http://kerneltrap.org/node/view/2433)

Ditching cryptoloop completely in 2.7 after dm-crypt matures would be a
better idea.

Regards,

Dale Fountain

Re: [PATCH] Delete cryptoloop

[James Morris]

On Wed, 21 Jul 2004 dpf-lkml@fountainbay.com wrote:

> Ditching cryptoloop completely in 2.7 after dm-crypt matures would be a
> better idea.

Part of the reason for dropping cryptoloop is to help dm-crypt mature more 
quickly.

I've had some off-list email on the security of dm-crypt, and it seems
that it does need some work.  We need to get the security right more than 
we need to worry about these other issues.

Let's drop the technically inferior of the two (cryptoloop) and
concentrate on fixing the other (dm-crypt).

There was a thread on redesigning the security a while back (subject:
"dm-crypt, new IV and standards"), but no code came out of it.  Anyone 
interested should probably have a look at that.


- James
-- 
James Morris
<jmorris@redhat.com>

Re: [PATCH] Delete cryptoloop

[Paul Rolland]

Hello,

Well, we have an option to be able to select EXPERIMENTAL code when
making a configuration, why not adding on option for DEPRECATED code ?

Then, you'd just have to migrate cryptoloop into this DEPRECATED
area.

Kconfig should be able to handle that very easily !

Regards,
Paul

Paul Rolland, rol(at)as2917.net
ex-AS2917 Network administrator and Peering Coordinator

--

Please no HTML, I'm not a browser - Pas d'HTML, je ne suis pas un navigateur

"Some people dream of success... while others wake up and work hard at it" 

  

> -----Message d'origine-----
> De : linux-kernel-owner@vger.kernel.org 
> [mailto:linux-kernel-owner@vger.kernel.org] De la part de James Morris
> Envoyé : jeudi 22 juillet 2004 07:22
> À : dpf-lkml@fountainbay.com
> Cc : Andrew Morton; linux-kernel@vger.kernel.org
> Objet : Re: [PATCH] Delete cryptoloop
> 
> On Wed, 21 Jul 2004 dpf-lkml@fountainbay.com wrote:
> 
> > Ditching cryptoloop completely in 2.7 after dm-crypt 
> matures would be a
> > better idea.
> 
> Part of the reason for dropping cryptoloop is to help 
> dm-crypt mature more 
> quickly.
> 
> I've had some off-list email on the security of dm-crypt, and it seems
> that it does need some work.  We need to get the security 
> right more than 
> we need to worry about these other issues.
> 
> Let's drop the technically inferior of the two (cryptoloop) and
> concentrate on fixing the other (dm-crypt).
> 
> There was a thread on redesigning the security a while back (subject:
> "dm-crypt, new IV and standards"), but no code came out of 
> it.  Anyone 
> interested should probably have a look at that.
> 
> 
> - James
> -- 
> James Morris
> <jmorris@redhat.com>
> -
> To unsubscribe from this list: send the line "unsubscribe 
> linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 
> 

Re: [PATCH] Delete cryptoloop

[Martin Schlemmer]

[-- Attachment #1: Type: text/plain, Size: 2514 bytes --]

On Thu, 2004-07-22 at 13:58, Paul Rolland wrote:
> Hello,
> 
> Well, we have an option to be able to select EXPERIMENTAL code when
> making a configuration, why not adding on option for DEPRECATED code ?
> 
> Then, you'd just have to migrate cryptoloop into this DEPRECATED
> area.
> 

Or just mark it as BROKEN ?

> Kconfig should be able to handle that very easily !
> 
> Regards,
> Paul
> 
> Paul Rolland, rol(at)as2917.net
> ex-AS2917 Network administrator and Peering Coordinator
> 
> --
> 
> Please no HTML, I'm not a browser - Pas d'HTML, je ne suis pas un navigateur
> 
> "Some people dream of success... while others wake up and work hard at it" 
> 
>   
> 
> > -----Message d'origine-----
> > De : linux-kernel-owner@vger.kernel.org 
> > [mailto:linux-kernel-owner@vger.kernel.org] De la part de James Morris
> > Envoyé : jeudi 22 juillet 2004 07:22
> > À : dpf-lkml@fountainbay.com
> > Cc : Andrew Morton; linux-kernel@vger.kernel.org
> > Objet : Re: [PATCH] Delete cryptoloop
> > 
> > On Wed, 21 Jul 2004 dpf-lkml@fountainbay.com wrote:
> > 
> > > Ditching cryptoloop completely in 2.7 after dm-crypt 
> > matures would be a
> > > better idea.
> > 
> > Part of the reason for dropping cryptoloop is to help 
> > dm-crypt mature more 
> > quickly.
> > 
> > I've had some off-list email on the security of dm-crypt, and it seems
> > that it does need some work.  We need to get the security 
> > right more than 
> > we need to worry about these other issues.
> > 
> > Let's drop the technically inferior of the two (cryptoloop) and
> > concentrate on fixing the other (dm-crypt).
> > 
> > There was a thread on redesigning the security a while back (subject:
> > "dm-crypt, new IV and standards"), but no code came out of 
> > it.  Anyone 
> > interested should probably have a look at that.
> > 
> > 
> > - James
> > -- 
> > James Morris
> > <jmorris@redhat.com>
> > -
> > To unsubscribe from this list: send the line "unsubscribe 
> > linux-kernel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at  http://www.tux.org/lkml/
> > 
> > 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
-- 
Martin Schlemmer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Andrew Morton]

dpf-lkml@fountainbay.com wrote:
>
> Hopefully someone else will follow up, but I hope I'm somewhat convincing:

Not really ;)

Your points can be simplified to "I don't use cryptoloop, but someone else
might" and "we shouldn't do this in a stable kernel".

Well, I want to hear from "someone else".  If removing cryptoloop will
irritate five people, well, sorry.  If it's 5,000 people, well maybe not.


Yes, I buy the "stable kernel" principle, but here we have an example where
it conflicts with the advancement of the kernel, and we need to make a
judgement call.


Actually, my most serious concern with cryptoloop is the claim that it is
insufficiently secure.  If this is true then we'd be better off removing
the feature altogether rather than (mis)leading our users into thinking
that their data is secure.

Re: [PATCH] Delete cryptoloop

[Dale Fountain]

Andrew Morton said:
> dpf-lkml@fountainbay.com wrote:
>>
>> Hopefully someone else will follow up, but I hope I'm somewhat
>> convincing:
>
> Not really ;)
>
> Your points can be simplified to "I don't use cryptoloop, but someone else
> might" and "we shouldn't do this in a stable kernel".
>

Well, you're incorrect about my not using cryptoloop. Sorry I wasn't
convincing enough. :)

> Well, I want to hear from "someone else".  If removing cryptoloop will
> irritate five people, well, sorry.  If it's 5,000 people, well maybe not.
>

I don't think you'll get 5000 replies... about anything. ;)

> Yes, I buy the "stable kernel" principle, but here we have an example
> where
> it conflicts with the advancement of the kernel, and we need to make a
> judgement call.
>

I don't buy the "conflicts with the advancement" part, but I'll defer to
your judgement. ;)

>
> Actually, my most serious concern with cryptoloop is the claim that it is
> insufficiently secure.  If this is true then we'd be better off removing
> the feature altogether rather than (mis)leading our users into thinking
> that their data is secure.

I believe 1) the current documentation already notifies people of the
security issues, 2) there are workarounds, and 3) the replacement has
security issues of its own.

Dm-crypt is still unstable, doesn't have all the features of cryptoloop
(please see my previous message), yet you wish to dump cryptoloop? At
least cryptoloop is a known quantity.

Once dm-crypt can be shown to have all the features of the software it's
meant to _replace_, I'll be more likely to agree. Otherwise, it sounds
like this decision is being made on a whim.

Regards,

Dale Fountain

Re: [PATCH] Delete cryptoloop

[Tim Connors]

"Dale Fountain" <dpf-lkml@fountainbay.com> said on Wed, 21 Jul 2004 23:13:58 -0700 (PDT):
> Dm-crypt is still unstable, doesn't have all the features of cryptoloop
> (please see my previous message), yet you wish to dump cryptoloop? At
> least cryptoloop is a known quantity.
> 
> Once dm-crypt can be shown to have all the features of the software it's
> meant to _replace_, I'll be more likely to agree. Otherwise, it sounds
> like this decision is being made on a whim.

*cough* devfs->udev *cough*

I'm such a bastard :)

-- 
TimC -- http://astronomy.swin.edu.au/staff/tconnors/
My code is giving me mixed signals. SIGSEGV then SIGILL then SIGBUS. -- me

Re: Re: [PATCH] Delete cryptoloop

[Petr Baudis]

Dear diary, on Thu, Jul 22, 2004 at 08:47:28AM CEST, I got a letter,
where Tim Connors <tconnors+linuxkernel1090478761@astro.swin.edu.au> told me, that...
> "Dale Fountain" <dpf-lkml@fountainbay.com> said on Wed, 21 Jul 2004 23:13:58 -0700 (PDT):
> > Dm-crypt is still unstable, doesn't have all the features of cryptoloop
> > (please see my previous message), yet you wish to dump cryptoloop? At
> > least cryptoloop is a known quantity.
> > 
> > Once dm-crypt can be shown to have all the features of the software it's
> > meant to _replace_, I'll be more likely to agree. Otherwise, it sounds
> > like this decision is being made on a whim.
> 
> *cough* devfs->udev *cough*
> 
> I'm such a bastard :)

Judging from the discussion, this is really a different case. udev is
known to be already quite mature and fully replaces devfs - dm-crypt
being still quite a new player and not able to fully replace cryptoloop
yet.  So people who cannot replace cryptoloop with dm-crypt yet should
wait with upgrading from 2.6.8, backporting security fixes manually?

Another difference is that having devfs around means holding off the
drivers development globally and removing it would clean the code up a
lot - there is no such thing with removing cryptoloop, AFAIK. And I
don't buy the argument that it will encourage dm-crypt development - if
it suffers from a lack of developers interest, something else is
apparently wrong (there is either no that big need for moving away from
cryptoloop or the advantages don't balance the change effort for most
people) and forcing *users* to it won't help much; that works around the
natural selection by centralized control.

-- 
				Petr "Pasky" Baudis
Stuff: http://pasky.or.cz/
For every complex problem there is an answer that is clear, simple,
and wrong.  -- H. L. Mencken

Re: [PATCH] Delete cryptoloop

[Aiko Barz]

[-- Attachment #1: Type: text/plain, Size: 426 bytes --]

On Wed, Jul 21, 2004 at 11:13:58PM -0700, Dale Fountain wrote:
> Dm-crypt is still unstable

Did I miss something?
I use dm-crypt since 2.6.5. ALL my disks are encrypted with
dm-crypt/twofish. I couldn't detect any problems so far.

Bis denne,
        Aiko
-- 
  .~.	 Aiko Barz
  /v\ 	 
 // \\	 Mail: aiko@chroot.de
/( _ )\  Web:  http://www.chroot.de
 ^^ ^^   PGP:  http://www.chroot.de/index.php?navi=GnuPG


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Andreas Jellinghaus]

I'ma happy user of dm-crypt since march, too.
No problems here.

However I wonder: can people switch to a 2.4.*
kernel if they are using dm-crypt? Even if the
disk format is compatible, the software used
to setup the decrypted access is different.
I guess for / partitions people need to use
loop-crypt, if they want to use 2.4.* and 2.6.*
kernels?

Andreas

Re: [PATCH] Delete cryptoloop

[gadgeteer]

> Well, I want to hear from "someone else".  If removing cryptoloop will
> irritate five people, well, sorry.  If it's 5,000 people, well maybe not.

I'm not 5000 just one over-worked sysadmin.  We are using cryptoloop on
a handful of very key servers that 300+ remote offices transmit critical
data through.  I was aware of the weaknesses when I implemented but it
was the best available at the time.

Happy to migrate to dm-crypt when the userland tools are ready.
-- 
Chief Gadgeteer
Elegant Innovations

Re: [PATCH] Delete cryptoloop

[Andries Brouwer]

On Thu, Jul 22, 2004 at 01:46:49AM -0700, Andrew Morton wrote:

> Your points can be simplified to "I don't use cryptoloop, but someone else
> might" and "we shouldn't do this in a stable kernel".
> 
> Well, I want to hear from "someone else".  If removing cryptoloop will
> irritate five people, well, sorry.  If it's 5,000 people, well maybe not.
> 
> Yes, I buy the "stable kernel" principle, but here we have an example where
> it conflicts with the advancement of the kernel, and we need to make a
> judgement call.
> 
> Actually, my most serious concern with cryptoloop is the claim that it is
> insufficiently secure.  If this is true then we'd be better off removing
> the feature altogether rather than (mis)leading our users into thinking
> that their data is secure.

The above sounds wrong / misguided.

First: "(mis)leading our users into thinking that their data is secure".
Security is not a yes/no matter. There are degrees of protection against
various possible attacks.

Second: This seems to be a discussion about cryptoloop vs dm-crypt.
But dm-crypt has the same weaknesses as cryptoloop, so from a crypto
point of view there is zero reason to switch.

If there is a reason to switch it must be elegance and correctness and
robustness of kernel implementation, together with the idea that we
do not need more than one kernel implementation of roughly speaking
the same concept. Not crypto, but just loop vs dm arguments.

Third: Announcing a date for the demise of cryptoloop seems a bit premature
at a point in time when dm-crypt is not quite usable yet.

I have the impression that cryptoloop and/or loop-aes presently are used by
more than your 5000 users.

James Morris wrote:

# Jari Ruusu ... Fruhwirth Clemens ...

So far, every time I checked the details Jari Ruusu has been right.
In the present discussion Fruhwirth Clemens showed an amazing lack
of understanding of cryptography. His threat model seems limited to
things like "chosen plaintext attack" etc.
But there are so many entirely different attacks.

# Part of the reason for dropping cryptoloop is to help dm-crypt
# mature more quickly.

A very strange reason. But maybe it fits in with dropping the idea
of a stable kernel.

# I've had some off-list email on the security of dm-crypt, and it seems
# that it does need some work.  We need to get the security right more than
# we need to worry about these other issues.

Yes.

Andries

Re: [PATCH] Delete cryptoloop

[James Morris]

On Thu, 29 Jul 2004, Andries Brouwer wrote:

> # Part of the reason for dropping cryptoloop is to help dm-crypt
> # mature more quickly.
> 
> A very strange reason. But maybe it fits in with dropping the idea
> of a stable kernel.

Well, now that the kernel development model has changed (there may not be
a 2.7 in the forseeable future), just when do you drop buggy, unmaintained
code?

- James
-- 
James Morris
<jmorris@redhat.com>

Re: [PATCH] Delete cryptoloop

[Andries Brouwer]

On Thu, Jul 29, 2004 at 01:23:35PM -0400, James Morris wrote:
> On Thu, 29 Jul 2004, Andries Brouwer wrote:
> 
> > # Part of the reason for dropping cryptoloop is to help dm-crypt
> > # mature more quickly.
> > 
> > A very strange reason. But maybe it fits in with dropping the idea
> > of a stable kernel.
> 
> Well, now that the kernel development model has changed (there may not be
> a 2.7 in the forseeable future), just when do you drop buggy, unmaintained
> code?

Most of the kernel is buggy.
Most of the kernel is unmaintained.

Drop code when it has become superfluous - the same functionality
is provided by other parts, less buggy, or better maintained, or
with other redeeming features. (But very slowly - try to preserve
kernel interface stability for several years.)

Drop code when it has become superfluous - the functionality is
not needed any more.

Drop code when it is broken - some change somewhere broke it,
and no kernel developer has the knowledge, or desire, or time,
to fix it.

Drop code when it has become a burden - when the need to keep it working
causes complications al over the place.


Andries

Re: [PATCH] Delete cryptoloop

[Bill Davidsen]

James Morris wrote:
> This patch deletes cryptoloop, which is buggy, unmaintained, and
> reportedly has mutliple security weaknesses. Dropping cryptoloop should
> also help dm-crypt receive more testing and review.

What part of "stable" has escaped your attention? You want your favorite 
feature to mature more quickly, so sod all for the people using the 
existing feature. If you want to use something else go to it, but stop 
trying to make your favorite feature look better by bad-mouthing 
something else, like the politicians I see 20 times an hour on TV.

Yes there are people using cryptoloop, and as a pure matter of cost they 
are not going to change to something else, because they have to get new 
software, reconfigure disks, and most importantly retrain support 
people. You may be a single hobby user or developer, who can d/l all the 
new software, learn everything from a man page in minutes, and who never 
deals with managers or stupid user questions.

Please stop trying to break things in the stable kernel to further your 
personal agenda! This is a feature people are using, it would require a 
significant effort to change, and from what little I follow the crypto 
lists it's not universally agreed that dm-crypt is really secure, 
either. Cryptoloop is WAY better than nothing, which is what the client 
was using on laptops until last year.

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me

Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

[-- Attachment #1: Type: text/plain, Size: 2774 bytes --]

On Wed, 2004-07-21 at 22:16, James Morris wrote:
> This patch deletes cryptoloop, which is buggy, unmaintained, and
> reportedly has mutliple security weaknesses. Dropping cryptoloop should
> also help dm-crypt receive more testing and review.

Short version:
Remove cryptoloop || mark as deprecated.

Long version:
First, dm-crypt and cryptoloop share the same on-disk format. There is
absolutely no security gain by switching to dm-crypt.

Second, modern ciphers like Twofish || AES are designed to resist
known-plaintext attacks. This is basically the FUD spread by Jari Rusuu.
But, due to a recent discussion on sci.crypt, I have been convinced that
there is in fact a security gain by obscuring the IV. To be precise, if
an attacker is able to find two identical cipher blocks on disk, he will
be able to deduce the plain text difference. The chance p that two
blocks are equal is p=1/2^128 for 128 bit block ciphers. If one of these
blocks happens to be zero this is quite bad. The chance that there are
no identical cipher blocks on a disk is given by p^(n(n-1)/2) with n =
numbers of sectors on disk. Anyone with a little bit math intuition can
see this terms will approach 0 quite quick. So it is likely that some
information is revealed. 

This situation will not be cured by switching to dm-crypt, since
dm-crypt suffers from the same kind of problem. Although personally, I
neglect this security threat. 

However, I do recommend that cryptoloop is removed from the kernel || is
declared deprecated for the following reasons:

- There is no suitable user space tool ready to use it. util-linux has
been broken ever since. My patch key-trunc-fix patch has to be applied
to make any use of losetup. Further I'm not going to submit patches to
this project to fix user space problems (see below)

- I'm not going to submit patches to cure the security problems of
cryptoloop pointed out in the first few paragraphs,

- dm-crypt is a stable alternative and can be easily immigrated to with
the help of my little lotracker tool:
http://clemens.endorphin.org/lo-tracker

So much for cryptoloop.

I'd like to point out that in the most cases the key deduction scheme is
more likely the weakest component in a hard disk encryption setup. For
those interested: http://clemens.endorphin.org/TKS1-draft.pdf points to
the problems connect with HD encryption. This paper is the groundwork
for my Linux Unified Key Setup project http://clemens.endorphin.org/LUKS
. Here, you will find patches for cryptsetup (the losetup equivalent to
losetup). I'm working with Christophe Saout to integrate LUKS into
cryptsetup in the near future.

Regards,
-- 
Fruhwirth Clemens <clemens@endorphin.org>  http://clemens.endorphin.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Andrew Morton]

Fruhwirth Clemens <clemens@endorphin.org> wrote:
>
> So much for cryptoloop.

I think I'd rather add a patch which does printk("cryptoloop will be
removed from Linux on June 30, 2005.  Please migrate to dm-crypt")

Re: [PATCH] Delete cryptoloop

[Andreas Henriksson]

On Sat, 24 Jul 2004 09:52:45 -0700, Andrew Morton <akpm@osdl.org> wrote:

>
> I think I'd rather add a patch which does printk("cryptoloop will be
> removed from Linux on June 30, 2005.  Please migrate to dm-crypt")

If "helping users" understand that cryptoloop is a band alternative is the  
main reason I think removing it is a bad idea.
If EXPERIMENTAL isn't discuraging enough why not use BROKEN? That way they  
will for sure know that something is wrong but can still upgrade their  
kernel without fearing to not get their data back because they can't get  
this "new thing" (dm-crypt) running.

-- 
Regards,
Andreas Henriksson
andreas at fjortis.info

Re: [PATCH] Delete cryptoloop

[Paul Jackson]

Andrew suggested:
> printk("cryptoloop will be ... June 30, 2005 ...

Andreas asked:
> If EXPERIMENTAL isn't discuraging enough why not use BROKEN? 

Won't printk's will reach a wider proportion of the intended audience
than CONFIG variations?

And the specificity of the date-certain in the printk enables individual
planning and adaptive behaviour that the timelessness of CONFIG labels
can't touch.

Does your printk idea work for devfs as well, Andrew?

-- 
                          I won't rest till it's the best ...
                          Programmer, Linux Scalability
                          Paul Jackson <pj@sgi.com> 1.650.933.1373

Re: [PATCH] Delete cryptoloop

[Bill Davidsen]

Andrew Morton wrote:
> Fruhwirth Clemens <clemens@endorphin.org> wrote:
> 
>>So much for cryptoloop.
> 
> 
> I think I'd rather add a patch which does printk("cryptoloop will be
> removed from Linux on June 30, 2005.  Please migrate to dm-crypt")

A number of things in 2.4 were left alone until 2.6, other than getting 
lots of people to stay with old kernels why do you object to waiting to 
remove this feature in 2.7?

"mount ~/mycrypt" is simple enough for a user to use, dm-crypt is not 
remotely easy to use, not to mention that the tools all need to be added 
  to the install on every machine.

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me

Re: [PATCH] Delete cryptoloop

[Jari Ruusu]

Fruhwirth Clemens wrote:
> Second, modern ciphers like Twofish || AES are designed to resist
> known-plaintext attacks. This is basically the FUD spread by Jari Rusuu.

Ciphers are good, but both cryptoloop and dm-crypt use ciphers in insecure
and exploitable way.

This is not FUD. Fruhwirth, did you even try run the exploit code?

http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2

> But, due to a recent discussion on sci.crypt, I have been convinced that
> there is in fact a security gain by obscuring the IV. To be precise, if
> an attacker is able to find two identical cipher blocks on disk, he will
> be able to deduce the plain text difference. The chance p that two
> blocks are equal is p=1/2^128 for 128 bit block ciphers. If one of these
> blocks happens to be zero this is quite bad. The chance that there are
> no identical cipher blocks on a disk is given by p^(n(n-1)/2) with n =
> numbers of sectors on disk. Anyone with a little bit math intuition can
> see this terms will approach 0 quite quick. So it is likely that some
> information is revealed.

Exploit exists that generates watermark patterns that can be detected, and
can be detected _very_ reliably.

> This situation will not be cured by switching to dm-crypt, since
> dm-crypt suffers from the same kind of problem. Although personally, I
> neglect this security threat.

Then you should not be writing crypto code.

> - There is no suitable user space tool ready to use it. util-linux has
> been broken ever since. My patch key-trunc-fix patch has to be applied
> to make any use of losetup.

Can you name implementation that your "key-truncated" version is compatible
with that existed _before_ your version appeared?. To my knowledge, that
key-truncated version is only compatible with itself, and there is no other
version that does the same.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

[-- Attachment #1: Type: text/plain, Size: 1969 bytes --]

On Sun, 2004-07-25 at 13:42, Jari Ruusu wrote:
> Fruhwirth Clemens wrote:
> > Second, modern ciphers like Twofish || AES are designed to resist
> > known-plaintext attacks. This is basically the FUD spread by Jari Rusuu.
> 
> Ciphers are good, but both cryptoloop and dm-crypt use ciphers in insecure
> and exploitable way.
> 
> This is not FUD. Fruhwirth, did you even try run the exploit code?
> 
> http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2

There is no use in running your code. It does not decipher any block
without the proper key. Where is the exploit? 

Further the link you provide in the posting above is broken (as you
already noticed). I tried at google cache, citeseer and the rest of
Saarien's homepage. No success. 

If you have any idea where I can obtain the paper, I'd be interested in
seeing the references for your claims.. But guessing from the apparent
logic of your code, it seems to be identical to the weakness brought
forward in the following paragraph of my original posting, which you've
cut out of the quoting.

> > - There is no suitable user space tool ready to use it. util-linux has
> > been broken ever since. My patch key-trunc-fix patch has to be applied
> > to make any use of losetup.
> 
> Can you name implementation that your "key-truncated" version is compatible
> with that existed _before_ your version appeared?. To my knowledge, that
> key-truncated version is only compatible with itself, and there is no other
> version that does the same.

Actually there is a version: util-linux 2.12 official. But
unfortunately, the official version truncates binary keys (at 0x00, 0x0a
values), that's what my patch is for. cryptsetup handles keys the same
way. So migration is easy, something which does not hold true for your
strange util-linux patches. But you already know my critiques..

-- 
Fruhwirth Clemens <clemens@endorphin.org>  http://clemens.endorphin.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Marc Ballarin]

Fruhwirth Clemens <clemens-dated-1091625872.c783 <at> endorphin.org> writes: 
 
>  
> On Sun, 2004-07-25 at 13:42, Jari Ruusu wrote: 
> > Fruhwirth Clemens wrote: 
> > > Second, modern ciphers like Twofish || AES are designed to resist 
> > > known-plaintext attacks. This is basically the FUD spread by Jari Rusuu. 
> >  
> > Ciphers are good, but both cryptoloop and dm-crypt use ciphers in insecure 
> > and exploitable way. 
> >  
> > This is not FUD. Fruhwirth, did you even try run the exploit code? 
> >  
> > http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2 
>  
> There is no use in running your code. It does not decipher any block 
> without the proper key. Where is the exploit?  
>  
 
Well, the obvious flaw is that an attacker can detect the presence of a 
watermarked file on an encrypted volume. This is not about decrypting files, 
merely proving their existence. 
 
Wheter this can be called an exploit does not matter. It definitely is a major 
hole. 
 
Marc 
 
 

Re: [PATCH] Delete cryptoloop

[Andreas Jellinghaus]

On Sun, 25 Jul 2004 13:26:29 +0000, Fruhwirth Clemens wrote:
> There is no use in running your code. It does not decipher any block
> without the proper key. Where is the exploit? 

If someone can prove that I have a certain file on my hard
disk, even if it encrypted, that is less security than I expect
from a hard disk encryption. Am I expecting too much?

Regards, Andreas

Re: [PATCH] Delete cryptoloop

[Jari Ruusu]

Fruhwirth Clemens wrote:
> On Sun, 2004-07-25 at 13:42, Jari Ruusu wrote:
> > Fruhwirth Clemens wrote:
> > > Second, modern ciphers like Twofish || AES are designed to resist
> > > known-plaintext attacks. This is basically the FUD spread by Jari Rusuu.
> >
> > Ciphers are good, but both cryptoloop and dm-crypt use ciphers in insecure
> > and exploitable way.
> >
> > This is not FUD. Fruhwirth, did you even try run the exploit code?
> >
> > http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2
> 
> There is no use in running your code. It does not decipher any block
> without the proper key.

So you never ran that. That explains a lot.

> Where is the exploit?

wget -O cryptoloop-exploit.tar.bz2 "http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&q=p3"

> Further the link you provide in the posting above is broken (as you
> already noticed). I tried at google cache, citeseer and the rest of
> Saarien's homepage. No success.

In short: exploit encodes watermark patterns as sequences of identical
ciphertexts.

> > Can you name implementation that your "key-truncated" version is compatible
> > with that existed _before_ your version appeared?. To my knowledge, that
> > key-truncated version is only compatible with itself, and there is no other
> > version that does the same.
> 
> Actually there is a version: util-linux 2.12 official. But
> unfortunately, the official version truncates binary keys (at 0x00, 0x0a
> values), that's what my patch is for. cryptsetup handles keys the same
> way. So migration is easy, something which does not hold true for your
> strange util-linux patches.

Actually loop-AES' util-linux patch can used in mainline util-linux-2.12
compatible mode. Just specify passphrase hash type as unhashed2

But I was talking about your rmd160 compatibity with ancient mount versions
that used 160 bits of hash output + 96 zero bits. Last time I looked at your
compatibility code it used 128 bits of hash and 128 bits of zeroes.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

[-- Attachment #1: Type: text/plain, Size: 2874 bytes --]

On Sun, 2004-07-25 at 19:25, Jari Ruusu wrote:
> Fruhwirth Clemens wrote:
> > On Sun, 2004-07-25 at 13:42, Jari Ruusu wrote:
> > > Fruhwirth Clemens wrote:
> > There is no use in running your code. It does not decipher any block
> > without the proper key.
> 
> So you never ran that. That explains a lot.

Probably just, that I like to save life time.

> > Where is the exploit?
> 
> wget -O cryptoloop-exploit.tar.bz2 "http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&q=p3"

That's no exploit. Where is the exploit?
http://www.google.com/search?q=jargon%20exploit 
When you're there, you can look up the term ``backdoor'' as well. 

> > Further the link you provide in the posting above is broken (as you
> > already noticed). I tried at google cache, citeseer and the rest of
> > Saarien's homepage. No success.
> 
> In short: exploit encodes watermark patterns as sequences of identical
> ciphertexts.

Probably I'm missing the point, but at the moment this looks like a
chosen plain text attack. As you know for sure, this is trivial. For
instance, AES asserts to be secure against this kind of attack. (See the
author's definition of K-secure..).

> > > Can you name implementation that your "key-truncated" version is compatible
> > > with that existed _before_ your version appeared?. To my knowledge, that
> > > key-truncated version is only compatible with itself, and there is no other
> > > version that does the same.
> > 
> > Actually there is a version: util-linux 2.12 official. But
> > unfortunately, the official version truncates binary keys (at 0x00, 0x0a
> > values), that's what my patch is for. cryptsetup handles keys the same
> > way. So migration is easy, something which does not hold true for your
> > strange util-linux patches.
> 
> Actually loop-AES' util-linux patch can used in mainline util-linux-2.12
> compatible mode. Just specify passphrase hash type as unhashed2

The default mode of loop-AES' isn't compatible with anything out there.

> But I was talking about your rmd160 compatibity with ancient mount versions
> that used 160 bits of hash output + 96 zero bits. Last time I looked at your
> compatibility code it used 128 bits of hash and 128 bits of zeroes.

I'm not aware of any ``ancient'' mount versions. util-linux 2.12 is not
designed to be compatible with anything. It's merely a low-level
interface, since the maintainer decided to omit hashing completely. My
patch enables the user to utilize external hash programs like hashalot. 

The compatibility code you're referring to is probably my patch for
hashalot. As you know, this has nothing to do with util-linux. If you're
not happy with hashalot, write your own external hasher, you can do that
thanks to my patch.

-- 
Fruhwirth Clemens <clemens@endorphin.org>  http://clemens.endorphin.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Lee Revell]

On Sun, 2004-07-25 at 14:02, Fruhwirth Clemens wrote:
> On Sun, 2004-07-25 at 19:25, Jari Ruusu wrote:
> > > Where is the exploit?
> > 
> > wget -O cryptoloop-exploit.tar.bz2 "http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&q=p3"
> 
> That's no exploit. Where is the exploit?
> http://www.google.com/search?q=jargon%20exploit
> When you're there, you can look up the term ``backdoor'' as well. 
> 

I am confused.  Are you suggesting it's not an exploit because it
doesn't work remotely?  That would make it a local exploit.

Lee  

Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

[-- Attachment #1: Type: text/plain, Size: 970 bytes --]

On Sun, 2004-07-25 at 21:09, Lee Revell wrote:
> On Sun, 2004-07-25 at 14:02, Fruhwirth Clemens wrote:
> > On Sun, 2004-07-25 at 19:25, Jari Ruusu wrote:
> > > > Where is the exploit?
> > > 
> > > wget -O cryptoloop-exploit.tar.bz2 "http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&q=p3"
> > 
> > That's no exploit. Where is the exploit?
> > http://www.google.com/search?q=jargon%20exploit
> > When you're there, you can look up the term ``backdoor'' as well. 
> > 
> 
> I am confused.  Are you suggesting it's not an exploit because it
> doesn't work remotely?  That would make it a local exploit.

I'm suggesting it doesn't work at all. The worst security problems have
been discussed in my first posting already:
http://lkml.org/lkml/2004/7/24/51

I vote for a change in the on-disk format, but not because of one of the
reasons, Jari has put forward.

-- 
Fruhwirth Clemens <clemens@endorphin.org>  http://clemens.endorphin.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Marc Ballarin]

Fruhwirth Clemens <clemens-dated-1091642568.f246 <at> endorphin.org> writes:  
  
>   
> That's no exploit. Where is the exploit?  
> http://www.google.com/search?q=jargon%20exploit   
> When you're there, you can look up the term ``backdoor'' as well.   
  
We can, of course, discuss terminology, yet the problem remains the same. 
  
>   
> Probably I'm missing the point, but at the moment this looks like a  
> chosen plain text attack. As you know for sure, this is trivial. For  
> instance, AES asserts to be secure against this kind of attack. (See the  
> author's definition of K-secure..).  
  
It assures against key revovery through chosen plain text attacks. As written 
before, the purpose of this attack is not to break encryption, but to prove 
the existence of a file *known to* and *prepared by* the attacker.  
  
The exploit generates a rather simple bit pattern with a size of 1024 bytes.  
When this pattern - the watermark - is encrypted, dm-crypt's output has some  
special properties - independent of cipher or key size.  
For example, encoding nr. 1, always produces a cyphertext block, where bytes  
0-15 are equal to bytes 512-523.  
  
If you cannot believe this, please try yourself. I did so a few hours ago.  
  
On dm-crypt's mailing list, I have given a description how this can be refined  
easily to improve reliability of detection and determine a file's layout on 
the encrypted volume.  
  
Regards  
  
  
  

Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

[-- Attachment #1: Type: text/plain, Size: 1989 bytes --]

On Sun, 2004-07-25 at 21:44, Marc Ballarin wrote:
> Fruhwirth Clemens <clemens-dated-1091642568.f246 <at> endorphin.org> writes:  
>   
> >   
> > Probably I'm missing the point, but at the moment this looks like a  
> > chosen plain text attack. As you know for sure, this is trivial. For  
> > instance, AES asserts to be secure against this kind of attack. (See the  
> > author's definition of K-secure..).  
>   
> It assures against key revovery through chosen plain text attacks. As written 
> before, the purpose of this attack is not to break encryption, but to prove 
> the existence of a file *known to* and *prepared by* the attacker.  

If an attacker has some means to put a file on the encrypted hard disk,
I'm not considering it a big breakthrough if he can find out the
position of that file. I'm sure this information can be gained by
forensic block access pattern analysis anyway.

> The exploit generates a rather simple bit pattern with a size of 1024 bytes.  
> When this pattern - the watermark - is encrypted, dm-crypt's output has some  
> special properties - independent of cipher or key size.  
> For example, encoding nr. 1, always produces a cyphertext block, where bytes  
> 0-15 are equal to bytes 512-523.  

I'm starting to wonder why this is called an attack. The results of this
``attack'' can't be used in any way. In the worst case, a cipher
text/plain text pair can be obtained. I'm repeating it one more time:
ciphers are designed to resist further attacks steaming from known-plain
text attacks.

Have a look at 
http://clemens.endorphin.org/OnTheProblemsOfCryptoloop . That's an
attack!
  
> On dm-crypt's mailing list, I have given a description how this can be refined  
> easily to improve reliability of detection and determine a file's layout on 
> the encrypted volume.  

I'm sorry, I consider this useless information. 

-- 
Fruhwirth Clemens <clemens@endorphin.org>  http://clemens.endorphin.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Jari Ruusu]

Fruhwirth Clemens wrote:
> On Sun, 2004-07-25 at 19:25, Jari Ruusu wrote:
> > In short: exploit encodes watermark patterns as sequences of identical
> > ciphertexts.
> 
> Probably I'm missing the point, but at the moment this looks like a
> chosen plain text attack. As you know for sure, this is trivial. For
> instance, AES asserts to be secure against this kind of attack. (See the
> author's definition of K-secure..).

> I'm suggesting it doesn't work at all.

Fruhwirth, your incompetence has always amazed me. And this time is no
exception. What is conserning is that some mainline folks seem to listening
to your ill opinions. No wonder that both mainline device crypto
implementations are such a joke.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

[-- Attachment #1: Type: text/plain, Size: 1807 bytes --]

On Mon, 2004-07-26 at 12:54, Jari Ruusu wrote:
> Fruhwirth Clemens wrote:
> > On Sun, 2004-07-25 at 19:25, Jari Ruusu wrote:
> > > In short: exploit encodes watermark patterns as sequences of identical
> > > ciphertexts.
> > 
> > Probably I'm missing the point, but at the moment this looks like a
> > chosen plain text attack. As you know for sure, this is trivial. For
> > instance, AES asserts to be secure against this kind of attack. (See the
> > author's definition of K-secure..).
> 
> > I'm suggesting it doesn't work at all.
> 
> Fruhwirth, your incompetence has always amazed me. And this time is no
> exception. What is conserning is that some mainline folks seem to listening
> to your ill opinions. No wonder that both mainline device crypto
> implementations are such a joke.

Please don't resort to personal defamations. 

To summarize for an innocent bystander:

- The attacks you brought forward are in the best case a starting point
for known plain text attacks. Even DES is secure against this attack,
since an attacker would need 2^47 chosen plain texts to break the cipher
via differential cryptanalysis. (Table 12.14 Applied Cryptography,
Schneier). First, the watermark attack can only distinguish 32
watermarks. Second, you'd need a ~2.000.000 GB to store 2^47 chosen
plain texts. Third, I'm talking about DES (designed 1977!), no chance
against AES.

- The weaknesses brought forward by me are summarized  at
http://clemens.endorphin.org/OnTheProblemsOfCryptoloop . Thanks goes to
Pascal Brisset, who pointed out that cryptoloop is actually more secure
than I assumed.

If you, Jari, have any arguments left, it's time to state them now.
Otherwise, have a nice day,
-- 
Fruhwirth Clemens <clemens@endorphin.org>  http://clemens.endorphin.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Jari Ruusu]

Fruhwirth Clemens wrote:
> On Mon, 2004-07-26 at 12:54, Jari Ruusu wrote:
> > Fruhwirth Clemens wrote:
> > > On Sun, 2004-07-25 at 19:25, Jari Ruusu wrote:
> > > > In short: exploit encodes watermark patterns as sequences of identical
> > > > ciphertexts.
> > >
> > > Probably I'm missing the point, but at the moment this looks like a
> > > chosen plain text attack. As you know for sure, this is trivial. For
> > > instance, AES asserts to be secure against this kind of attack. (See the
> > > author's definition of K-secure..).
> >
> > > I'm suggesting it doesn't work at all.
> >
> > Fruhwirth, your incompetence has always amazed me. And this time is no
> > exception. What is conserning is that some mainline folks seem to listening
> > to your ill opinions. No wonder that both mainline device crypto
> > implementations are such a joke.
> 
> Please don't resort to personal defamations.
> 
> To summarize for an innocent bystander:
> 
> - The attacks you brought forward are in the best case a starting point
> for known plain text attacks. Even DES is secure against this attack,
> since an attacker would need 2^47 chosen plain texts to break the cipher
> via differential cryptanalysis. (Table 12.14 Applied Cryptography,
> Schneier). First, the watermark attack can only distinguish 32
> watermarks. Second, you'd need a ~2.000.000 GB to store 2^47 chosen
> plain texts. Third, I'm talking about DES (designed 1977!), no chance
> against AES.
> 
> - The weaknesses brought forward by me are summarized  at
> http://clemens.endorphin.org/OnTheProblemsOfCryptoloop . Thanks goes to
> Pascal Brisset, who pointed out that cryptoloop is actually more secure
> than I assumed.
> 
> If you, Jari, have any arguments left, it's time to state them now.

Even more amazed...

Fruhwirth, what you have failed to understand is that the exploit does does
not exploit flaws in any cipher, but cryptoloop's and dm-crypt's insecure
use of those ciphers. Any block cipher that encrypts two identical plaintext
blocks using same key and produces two identical ciphertext blocks will do.
It is all about tricking a cipher to encrypt two identical plaintext blocks,
which, after encryption will show up as two identical ciptext blocks. And
those identical ciphertext blocks can be easily detected and counted.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

[-- Attachment #1: Type: text/plain, Size: 1617 bytes --]

On Mon, 2004-07-26 at 20:11, Jari Ruusu wrote:

> Fruhwirth, what you have failed to understand is that the exploit does does
> not exploit flaws in any cipher, but cryptoloop's and dm-crypt's insecure
> use of those ciphers. Any block cipher that encrypts two identical plaintext
> blocks using same key and produces two identical ciphertext blocks will do.
> It is all about tricking a cipher to encrypt two identical plaintext blocks,
> which, after encryption will show up as two identical ciptext blocks. And
> those identical ciphertext blocks can be easily detected and counted.

Rusuu, you failed to understand that I not only understood your attack,
but also disregard it as minor imperfection (warning: personal opinion).

Reason:
This watermarking evidence can't be used at court, because it does not
reveal the content (at least not in my country!). Even if the
watermarking domain has a bigger cardinality than 32, I doubt the
practical implications.

However, if you haven't understood it already, one more time just for
you: I vote for changing the IV scheme, see my posting from 23.2.2004
[1]. But as you might not know (because you never contributed anything
substantial to the kernel): Kernel developers try to get things right,
and using CryptoAPI for hashing IVs results in some problems if one
wants to avoid reinitializing the context every call: 

http://marc.theaimsgroup.com/?l=linux-kernel&m=107721067317841&w=2

[1] http://marc.theaimsgroup.com/?l=linux-kernel&m=107749648717666&w=2
-- 
Fruhwirth Clemens <clemens@endorphin.org>  http://clemens.endorphin.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Matt Mackall]

On Mon, Jul 26, 2004 at 02:45:26PM +0200, Fruhwirth Clemens wrote:
> To summarize for an innocent bystander:
> 
> - The attacks you brought forward are in the best case a starting point
> for known plain text attacks. Even DES is secure against this attack,
> since an attacker would need 2^47 chosen plain texts to break the cipher
> via differential cryptanalysis. (Table 12.14 Applied Cryptography,
> Schneier). First, the watermark attack can only distinguish 32
> watermarks. Second, you'd need a ~2.000.000 GB to store 2^47 chosen
> plain texts. Third, I'm talking about DES (designed 1977!), no chance
> against AES.

Here's a scenario: corrupt government agency secretly watermarks
incriminating documents. Brave whistleblower puts them on his laptop's
cryptoloop fs, but gets taken aside by customs agents on his way out
of the country. Agents check his disk for evidence of the watermark
and find enough evidence to assure that he's never seen again, without
even having to resort to rubber hose techniques.

Yes, the scenario is unlikely and I think it's _way_ overstating it to
call it an exploit. But it's still worth defending against. If we're
going to change disk formats, we should try to address it.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [PATCH] Delete cryptoloop

[Junio C Hamano]

>>>>> "MM" == Matt Mackall <mpm@selenic.com> writes:

MM> Here's a scenario: corrupt government agency secretly watermarks
MM> incriminating documents. Brave whistleblower puts them on his laptop's
MM> cryptoloop fs, but gets taken aside by customs agents on his way out
MM> of the country. Agents check his disk for evidence of the watermark
MM> and find enough evidence...

Jari's exploit uses the property that his watermarks are
encrypted to identical ciphertext blocks, but does it mean that
the technique can be used to prove that identical ciphertext are
from the watermarks and not coming from mere coincidence?

Re: [PATCH] Delete cryptoloop

[Matt Mackall]

On Tue, Jul 27, 2004 at 01:40:47AM -0700, Junio C Hamano wrote:
> >>>>> "MM" == Matt Mackall <mpm@selenic.com> writes:
> 
> MM> Here's a scenario: corrupt government agency secretly watermarks
> MM> incriminating documents. Brave whistleblower puts them on his laptop's
> MM> cryptoloop fs, but gets taken aside by customs agents on his way out
> MM> of the country. Agents check his disk for evidence of the watermark
> MM> and find enough evidence...
> 
> Jari's exploit uses the property that his watermarks are
> encrypted to identical ciphertext blocks, but does it mean that
> the technique can be used to prove that identical ciphertext are
> from the watermarks and not coming from mere coincidence?

Probably. Or maybe just enough evidence to pull out the electrodes or
equivalent.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [PATCH] Delete cryptoloop

[Marc Ballarin]

On Tue, 27 Jul 2004 01:40:47 -0700
Junio C Hamano <junkio@cox.net> wrote:

> 
> Jari's exploit uses the property that his watermarks are
> encrypted to identical ciphertext blocks, but does it mean that
> the technique can be used to prove that identical ciphertext are
> from the watermarks and not coming from mere coincidence?
> 

You can't prove anything by a single found watermark, but you can encode
additional information by placing the watermarks at chosen offsets in your
file.

For example, take prime numbers starting at 2 as offsets, and place the
encodings in a chosen order at those offsets.

The chances for a random occurence of this pattern are marginal, and -
unless the watermarked file becomes strongly fragmented - this pattern is
easy to retrieve.

While this might not be evidence in the legal sense (it could well be, but
IANAL), it is at the very least a strong indication.

Regards

Re: [PATCH] Delete cryptoloop

[Marc Ballarin]

Fruhwirth Clemens <clemens-dated-1091709927.ed82 <at> endorphin.org> writes: 
 
> To summarize for an innocent bystander: 
>  
> - The attacks you brought forward are in the best case a starting point 
> for known plain text attacks. Even DES is secure against this attack, 
> since an attacker would need 2^47 chosen plain texts to break the cipher 
> via differential cryptanalysis. (Table 12.14 Applied Cryptography, 
> Schneier). First, the watermark attack can only distinguish 32 
> watermarks. Second, you'd need a ~2.000.000 GB to store 2^47 chosen 
> plain texts. Third, I'm talking about DES (designed 1977!), no chance 
> against AES. 
>  
 
>From what I understand now, this exploit is solely based on the weakness of 
dm-crypt's/cryptoloops IV generation. 
 
The difference in bit patterns between the first and second half of the 
watermark block compensates partly for the trivially and predictably changing 
IV beetween two successive sectors.  
As Jari eplained, this causes *any* cipher to produce two identical blocks of 
ciphertext (after all the input is identical). 
This is also, why this exploit requires a minimum filesystem block size of 1kB 
for good reliability. 
 
> - The weaknesses brought forward by me are summarized  at 
> http://clemens.endorphin.org/OnTheProblemsOfCryptoloop . Thanks goes to 
> Pascal Brisset, who pointed out that cryptoloop is actually more secure 
> than I assumed. 
>  
 
If my understanding is correct, an improved and unpredictable IV generation - 
- as needed anyway for the vulnerability described at 
http://clemens.endorphin.org/OnTheProblemsOfCryptoloop - 
*should* protect against this watermarking as well. So both problems can be 
fixed together and rather easily. 
 
Regards 
 

Re: [PATCH] Delete cryptoloop

[Bill Davidsen]

Fruhwirth Clemens wrote:

> However, I do recommend that cryptoloop is removed from the kernel || is
> declared deprecated for the following reasons:
> 
> - There is no suitable user space tool ready to use it. util-linux has
> been broken ever since. My patch key-trunc-fix patch has to be applied
> to make any use of losetup. Further I'm not going to submit patches to
> this project to fix user space problems (see below)

Users can mount if you allow it fstab, what tool did you have in mind? 
And AFAIK dm-crypt will not work on a file without workarounds which are 
unknown to mount.
> 
> - I'm not going to submit patches to cure the security problems of
> cryptoloop pointed out in the first few paragraphs,
> 
> - dm-crypt is a stable alternative and can be easily immigrated to with
> the help of my little lotracker tool:
> http://clemens.endorphin.org/lo-tracker

Does it work on files with mount? Until the answer is YES it means that 
it requires new tools being installed and user/admin training. Not all 
Linux systems are used by developers!
> 
> So much for cryptoloop.


-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me

Re: [PATCH] Delete cryptoloop

[Pascal Brisset]

hpa@zytor.com (H. Peter Anvin) wrote in message
news:<2kMAw-rl-15@gated-at.bofh.it>...
> So does cryptoloop use a different IV for different blocks?  The need
> for the IV to be secret is different for different ciphers, but for
> block ciphers the rule is that is must not repeat, and at least
> according to some people must not be trivially predictable. [...]

The IV is predictable in cryptoloop and in other implementations.
This causes specially crafted watermarks to be detectable through
the encryption [1].  Pretty bad, but whether this is really a
concern or not depends a lot on what you are encrypting.

-- Pascal

[1] Markku-Juhani Saarinen: Encrypted Watermarks; Security Vulnerabilities in Laptop Encryption (Security Forum Workshop 2004)

Re: [PATCH] Delete cryptoloop

[Thomas Habets]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So in addition to making sure that everything on your systems works when 
switching from 2.4 to 2.6, we now have to hope that working APIs don't change 
(or disappear) in an incompatible way between minor versions? Is that right? 

Is there some kind of hidden motive behind this? For example, does the 
presence of cryptoloop force some other ugly part of the kernel to be in a 
certain way? If cryptoloop is removed, will you think "finally, I can change 
this other old crappy code"?

I will move to dm-crypt eventually if it's so much better, but cryptoloop 
works in practice *now* (mount knows about it etc..).

James Morris said:
>Part of the reason for dropping cryptoloop is to help dm-crypt mature more 
>quickly.

Reminds me of the futurama quote:
Fry: "Now that you mention it, I do have trouble breathing underwater 
sometimes. I'll take the gills."
Man: "Yes, gills. Then you don't need lungs anymore, is right?"
Fry: "Can't imagine why I would."
Man: "Lie down on table. I take lungs now, gills come next week."

(except that, well, lungs are better in both the short and long run for most 
humans, while dm-crypt may be better in the long run for secret things)

And I can't say I really see what's so horrible about cryptoloop. Dictionary 
attack being possible? Uhm, yeah, I kind of assumed that from the beginning. 
And I don't see how *any* mishandling of IV can matter to me. The block 
crypto (AES in this case) should have been (and I assume is) designed against 
all kinds of chosen-plaintext, chosen-ciphertext, differential cryptanalysis, 
etc... This *will* stop every offline attack from everyone who's interested 
in my data. In the actual real world. (If this assertion is wrong, I'd 
*really* like to know about it. But everything I've read on the insecurity of 
cryptoloop has convinced me that this is the case.[0])

If dm-crypt fixes some things, that's good. Now make it practical. And I'm 
growing old, I fear changes, I need time to adjust. I'm scared, where am I?

Also, being able to boot 2.4 and still have a compatible cryptoloop is nice 
while moving everything to 2.6. (and when everything is 2.6-perfect, one can 
switch to dm-crypt).

Mark it deprecated? Sure, whatever. But don't take away my cryptoloop!

from http://seclists.org/lists/linux-kernel/2004/Mar/0719.html:
>Sequential IV's aren't a good choice with CBC -- they can leak a little
>bit of information about the first block of plaintext, in some cases. 

Ah, this is interesting. The way I'm reading it this could only leak some 
"information" about maybe my superblock.
If this is what cryptoloop uses then it's bad. Still, it's not big-red-switch 
bad, just "try to find the time to switch this year" bad. At least for me.

[0] I'd be interested in both if non-NSA kan read it and if NSA is actually 
interested in my data. If you know of either, tell me. :-)

- ---------
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas@habets.pp.se" };
  char kernel[]    = { "Linux 2.4" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBAO+WKGrpCq1I6FQRAn/SAKCyx20hCdEGzY58ZQeocIScDTk73QCeI+gq
ZZn1/PFtwOwldIZ9Xm8ekvY=
=kKqs
-----END PGP SIGNATURE-----

Re: [PATCH] Delete cryptoloop

[Walter Hofmann]

You wrote on linux.kernel:
> dpf-lkml@fountainbay.com wrote:
>>
>> Hopefully someone else will follow up, but I hope I'm somewhat convincing:
>
> Not really ;)
>
> Your points can be simplified to "I don't use cryptoloop, but someone else
> might" and "we shouldn't do this in a stable kernel".
>
> Well, I want to hear from "someone else".  If removing cryptoloop will
> irritate five people, well, sorry.  If it's 5,000 people, well maybe not.

I use cryptoloop and I would be really annoyed if it disappeared in
the stable kernel series. Besides, I read in another mail in this thread 
that dm-crypt will not work with file-based storage (I'm using 
cryptoloop on a file), and that it is new and potentially buggy.

I'm really surprised that people here argue that dm-crypt doesn't get 
enough testing so cryptoloop has to go to force people to test dm-crypt 
with their valuable data. This is all upside-down. First dm-crypt has to 
be stable, safe and feature-complete, then people can convert their data 
to dm-crypt and only then can cryptoloop be deleted.

Walter

Re: [PATCH] Delete cryptoloop

[Kevin Corry]

On Friday 23 July 2004 7:34 am, Walter Hofmann wrote:
> You wrote on linux.kernel:
> > Your points can be simplified to "I don't use cryptoloop, but someone
> > else might" and "we shouldn't do this in a stable kernel".
> >
> > Well, I want to hear from "someone else".  If removing cryptoloop will
> > irritate five people, well, sorry.  If it's 5,000 people, well maybe not.
>
> I use cryptoloop and I would be really annoyed if it disappeared in
> the stable kernel series. Besides, I read in another mail in this thread
> that dm-crypt will not work with file-based storage (I'm using
> cryptoloop on a file), and that it is new and potentially buggy.

Just to clarify this one point...
Device-Mapper (and thus dm-crypt) can only create mappings on block-devices. 
However, in your situation, you could just take a two-step approach of 
creating a loop device on the encrypted file (using losetup), and then using 
dm-crypt on top of this loop device.

-- 
Kevin Corry
kevcorry@us.ibm.com
http://evms.sourceforge.net/

Re: [PATCH] Delete cryptoloop

[Christophe Saout]

[-- Attachment #1: Type: text/plain, Size: 791 bytes --]

Am Fr, den 23.07.2004 um 9:01 Uhr -0500 schrieb Kevin Corry:

> > I use cryptoloop and I would be really annoyed if it disappeared in
> > the stable kernel series. Besides, I read in another mail in this thread
> > that dm-crypt will not work with file-based storage (I'm using
> > cryptoloop on a file), and that it is new and potentially buggy.
> 
> Just to clarify this one point...
> Device-Mapper (and thus dm-crypt) can only create mappings on block-devices. 
> However, in your situation, you could just take a two-step approach of 
> creating a loop device on the encrypted file (using losetup), and then using 
> dm-crypt on top of this loop device.

Yes, just look at the Wiki page on http://www.saout.de/misc/dm-crypt/ ,
people have contributed a lot of scripts.


[-- Attachment #2: Dies ist ein digital signierter Nachrichtenteil --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] Delete cryptoloop

[Bill Davidsen]

Walter Hofmann wrote:
> You wrote on linux.kernel:
> 
>>dpf-lkml@fountainbay.com wrote:
>>
>>>Hopefully someone else will follow up, but I hope I'm somewhat convincing:
>>
>>Not really ;)
>>
>>Your points can be simplified to "I don't use cryptoloop, but someone else
>>might" and "we shouldn't do this in a stable kernel".
>>
>>Well, I want to hear from "someone else".  If removing cryptoloop will
>>irritate five people, well, sorry.  If it's 5,000 people, well maybe not.
> 
> 
> I use cryptoloop and I would be really annoyed if it disappeared in
> the stable kernel series. Besides, I read in another mail in this thread 
> that dm-crypt will not work with file-based storage (I'm using 
> cryptoloop on a file), and that it is new and potentially buggy.
> 
> I'm really surprised that people here argue that dm-crypt doesn't get 
> enough testing so cryptoloop has to go to force people to test dm-crypt 
> with their valuable data. This is all upside-down. First dm-crypt has to 
> be stable, safe and feature-complete, then people can convert their data 
> to dm-crypt and only then can cryptoloop be deleted.

Not to mention working with mount... That would be good if we didn't 
have to train people, change scripts, etc.

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me

Re: [PATCH] Delete cryptoloop

[mattia]

What ? :)
I use cryptoloop for all my DVD archives and local partitions!
When dm-crypt will be stable, well tested and compatible with cryptoloop
it could make sense to move to it, otherwise not.
Please do not remove cryptoloop from the stable kernel. 

> You wrote on linux.kernel:
> > dpf-lkml@fountainbay.com wrote:
> >>
> >> Hopefully someone else will follow up, but I hope I'm somewhat
convincing:
> >
> > Not really ;)
> >
> > Your points can be simplified to "I don't use cryptoloop, but
someone else
> > might" and "we shouldn't do this in a stable kernel".
> >
> > Well, I want to hear from "someone else".  If removing cryptoloop will
> > irritate five people, well, sorry.  If it's 5,000 people, well maybe
not.
> 
> I use cryptoloop and I would be really annoyed if it disappeared in
> the stable kernel series. Besides, I read in another mail in this thread 
> that dm-crypt will not work with file-based storage (I'm using 
> cryptoloop on a file), and that it is new and potentially buggy.
> 
> I'm really surprised that people here argue that dm-crypt doesn't get 
> enough testing so cryptoloop has to go to force people to test dm-crypt 
> with their valuable data. This is all upside-down. First dm-crypt has to 
> be stable, safe and feature-complete, then people can convert their data 
> to dm-crypt and only then can cryptoloop be deleted.
> 
> Walter
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 
> 

-- 

Re: [PATCH] Delete cryptoloop

[Adam J. Richter]

	It has been a while since I looked, but I vaguely recall
that cryptoloop on a plain file involves one less data copy for
reads than regular loop + dm-crypt.  This may be relevant for
people who want to play their encrypted DVD collection,

Re: [PATCH] Delete cryptoloop

[Markku-Juhani O. Saarinen]

Hi,

  My paper, "Encrypted Watermarks and Linux Laptop Security" which
describes the watermark attack recently discussed in "Delete cryptoloop"
thread was earlier this week accepted to WISA 2004 (Korea, Aug 23-25.).
I previously restricted its distribution due to the anonymous
review process. A current draft version is now available from:

  http://www.tcs.hut.fi/~mjos/doc/wisa2004.pdf

  All comments are welcome (on list or private).

Cheers,
- mjos

Markku-Juhani O. Saarinen <mjos@tcs.hut.fi> Helsinki University of Technology