Date: Wed, 31 Jul 2013 17:27:14 +0200
From: Benoît Canet
Message-ID: <20130731152714.GC4926@irqsave.net>
References: <20130723124706.GB5002@irqsave.net> <20130723130053.GW2477@redhat.com> <20130723144033.GE5002@irqsave.net> <20130723152247.GC14190@stefanha-thinkpad.redhat.com> <20130723153800.GD20225@dhcp-200-207.str.redhat.com> <20130723155741.GI2477@redhat.com> <51EFF30E.9060102@redhat.com>
In-Reply-To: <51EFF30E.9060102@redhat.com>
Subject: Re: [Qemu-devel] QCOW2 cryptography and secure key handling
To: Paolo Bonzini
Cc: Kevin Wolf, Benoît Canet, Stefan Hajnoczi, qemu-devel@nongnu.org, stefanha@redhat.com

> For example, current qcow2 encryption is vulnerable to a watermarking
> attack.
> http://en.wikipedia.org/wiki/Disk_encryption_theory#Cipher-block_chaining_.28CBC.29

void qcow2_encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
                           uint8_t *out_buf, const uint8_t *in_buf,
                           int nb_sectors, int enc,
                           const AES_KEY *key)
{
    union {
        uint64_t ll[2];
        uint8_t b[16];
    } ivec;
    int i;

    for(i = 0; i < nb_sectors; i++) {
        /* IV for this sector: little-endian sector number, upper 64 bits zero */
        ivec.ll[0] = cpu_to_le64(sector_num);
        ivec.ll[1] = 0;
        /* one CBC chain of 512 bytes per sector; enc selects encrypt/decrypt */
        AES_cbc_encrypt(in_buf, out_buf, 512, key,
                        ivec.b, enc);
        sector_num++;
        in_buf += 512;
        out_buf += 512;
    }
}

CBC mode would imply that each sector would be encrypted by combining the
plaintext with the previous sector.
It does not look to be the case as the IV is reset to sector_num for each
sector.
It looks like CTR mode.

Best regards

Benoît

>
> dm-crypt or other disk encryption programs use more complicated schemes,
> do we need to go there?
>
> Paolo
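The following is an added example, not code from this thread or from QEMU, written to let a reader check the two questions the message raises against a real cipher: whether the loop above behaves as CBC or CTR, and what the watermarking link from Paolo's message refers to. It re-implements the per-sector loop with Go's standard crypto/aes and crypto/cipher packages, using the same IV construction as qcow2_encrypt_sectors (little-endian sector number, upper half zero). chainedBlocks flips one plaintext byte in block 0 of a sector and counts how many ciphertext blocks change: a CBC chain propagates the change to every later block in the sector, whereas CTR would touch only block 0. watermarkCollides builds the pattern the Wikipedia page describes, two sectors whose first plaintext blocks differ by exactly IV(a) XOR IV(b), and reports whether their first ciphertext blocks coincide, which is what makes the pattern visible without the key. It then repeats that with an ESSIV-style IV (the sector number encrypted under a hash of the data key, a simplified stand-in for what dm-crypt does; this and the function names, the 128-bit sample key and the sector numbers 7 and 8 are my own assumptions for the example) to show that an unpredictable IV removes the collision.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512

// qcow2IV reproduces the IV construction in qcow2_encrypt_sectors:
// ivec.ll[0] = cpu_to_le64(sector_num); ivec.ll[1] = 0.
func qcow2IV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv[:8], sector)
	return iv
}

// essivIV is an ESSIV-style IV (assumed simplification of the dm-crypt
// scheme): the sector number is encrypted under SHA-256(key), so the IV
// cannot be predicted by someone who does not hold the key.
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	blk, err := aes.NewCipher(salt[:]) // AES-256 keyed with the hashed key
	if err != nil {
		panic(err) // unreachable: salt is always 32 bytes
	}
	iv := make([]byte, aes.BlockSize)
	blk.Encrypt(iv, qcow2IV(sector))
	return iv
}

// encryptSectors mirrors the loop in the message: each 512-byte sector is a
// fresh CBC chain whose IV is ivFn(sector number).
func encryptSectors(key []byte, firstSector uint64, plain []byte, ivFn func(uint64) []byte) ([]byte, error) {
	if len(plain)%sectorSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plain), sectorSize)
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plain))
	for i := 0; i < len(plain)/sectorSize; i++ {
		off := i * sectorSize
		enc := cipher.NewCBCEncrypter(blk, ivFn(firstSector+uint64(i)))
		enc.CryptBlocks(out[off:off+sectorSize], plain[off:off+sectorSize])
	}
	return out, nil
}

// differingBlocks counts the 16-byte blocks that differ between a and b.
func differingBlocks(a, b []byte) int {
	n := 0
	for off := 0; off+aes.BlockSize <= len(a); off += aes.BlockSize {
		if !bytes.Equal(a[off:off+aes.BlockSize], b[off:off+aes.BlockSize]) {
			n++
		}
	}
	return n
}

// chainedBlocks: flip one plaintext byte in block 0 of a sector and count the
// ciphertext blocks that change. CBC changes all 32; CTR would change 1.
func chainedBlocks(key []byte) (int, error) {
	base := make([]byte, sectorSize)
	flipped := make([]byte, sectorSize)
	flipped[0] ^= 0x01
	c1, err := encryptSectors(key, 0, base, qcow2IV)
	if err != nil {
		return 0, err
	}
	c2, err := encryptSectors(key, 0, flipped, qcow2IV)
	if err != nil {
		return 0, err
	}
	return differingBlocks(c1, c2), nil
}

// watermarkCollides: sectors a and b get first blocks that differ by exactly
// qcow2IV(a) XOR qcow2IV(b), a value anyone can compute. Under IV = sector
// number, CBC then feeds the same value into AES for both sectors and the
// first ciphertext blocks match; under an unpredictable IV they do not.
func watermarkCollides(key []byte, ivFn func(uint64) []byte) (bool, error) {
	const a, b = 7, 8 // constructed sample sector numbers
	plain := make([]byte, 2*sectorSize)
	for i := 0; i < aes.BlockSize; i++ {
		plain[i] = 0xAA                                            // block 0 of sector a
		plain[sectorSize+i] = 0xAA ^ qcow2IV(a)[i] ^ qcow2IV(b)[i] // block 0 of sector b
	}
	ct, err := encryptSectors(key, a, plain, ivFn)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct[:aes.BlockSize], ct[sectorSize:sectorSize+aes.BlockSize]), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit sample key
	n, _ := chainedBlocks(key)
	fmt.Printf("ciphertext blocks changed by a 1-byte plaintext flip: %d of %d\n", n, sectorSize/aes.BlockSize)
	hit, _ := watermarkCollides(key, qcow2IV)
	fmt.Println("watermark visible with IV = sector number:", hit)
	hit, _ = watermarkCollides(key, func(s uint64) []byte { return essivIV(key, s) })
	fmt.Println("watermark visible with ESSIV-style IV:", hit)
}
```

The chaining result (32 of 32 blocks change) is what distinguishes a per-sector CBC chain from CTR: in CTR each block is encrypted independently, so a one-byte change could never spread. The collision result depends only on the IV being computable from the sector number, not on AES, which is why the fix in disk-encryption schemes is an IV that depends on the key rather than a different block cipher.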