From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Kevin Wolf <kwolf@redhat.com>,
Max Reitz <mreitz@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v2 03/17] qcow: document another weakness of qcow AES encryption
Date: Tue, 24 Jan 2017 14:51:38 +0000 [thread overview]
Message-ID: <20170124145152.22980-4-berrange@redhat.com> (raw)
In-Reply-To: <20170124145152.22980-1-berrange@redhat.com>
Document that use of guest virtual sector numbers as the basis for
the initialization vectors is a potential weakness, when combined
with internal snapshots or multiple images using the same passphrase.
This fixes the formatting of the itemized list too.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
qemu-img.texi | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/qemu-img.texi b/qemu-img.texi
index 174aae3..db4534b 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -544,16 +544,29 @@ The use of encryption in qcow and qcow2 images is considered to be flawed by
modern cryptography standards, suffering from a number of design problems:
@itemize @minus
-@item The AES-CBC cipher is used with predictable initialization vectors based
+@item
+The AES-CBC cipher is used with predictable initialization vectors based
on the sector number. This makes it vulnerable to chosen plaintext attacks
which can reveal the existence of encrypted data.
-@item The user passphrase is directly used as the encryption key. A poorly
+@item
+The user passphrase is directly used as the encryption key. A poorly
chosen or short passphrase will compromise the security of the encryption.
-@item In the event of the passphrase being compromised there is no way to
+@item
+In the event of the passphrase being compromised there is no way to
change the passphrase to protect data in any qcow images. The files must
be cloned, using a different encryption passphrase in the new file. The
original file must then be securely erased using a program like shred,
though even this is ineffective with many modern storage technologies.
+@item
+Initialization vectors used to encrypt sectors are based on the
+guest virtual sector number, instead of the host physical sector. When
+a disk image has multiple internal snapshots this means that data in
+multiple physical sectors is encrypted with the same initialization
+vector. With the CBC mode, this opens the possibility of watermarking
+attacks if the attack can collect multiple sectors encrypted with the
+same IV and some predictable data. Having multiple qcow2 images with
+the same passphrase also exposes this weakness since the passphrase
+is directly used as the key.
@end itemize
Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
--
2.9.3
next prev parent reply other threads:[~2017-01-24 14:52 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-24 14:51 [Qemu-devel] [PATCH v2 00/17] Convert QCow[2] to QCryptoBlock & add LUKS support Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 01/17] block: expose crypto option names / defs to other drivers Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 02/17] block: add ability to set a prefix for opt names Daniel P. Berrange
2017-01-24 14:51 ` Daniel P. Berrange [this message]
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 04/17] qcow: require image size to be > 1 for new images Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 05/17] iotests: skip 042 with qcow which dosn't support zero sized images Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 06/17] iotests: skip 048 with qcow which doesn't support resize Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 07/17] iotests: fix 097 when run with qcow Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 08/17] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 09/17] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 10/17] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 11/17] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 12/17] qcow2: extend specification to cover LUKS encryption Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 13/17] qcow2: add support for LUKS encryption format Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 14/17] qcow2: add iotests to cover LUKS encryption support Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 15/17] iotests: enable tests 134 and 158 to work with qcow (v1) Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 16/17] block: rip out all traces of password prompting Daniel P. Berrange
2017-01-24 14:51 ` [Qemu-devel] [PATCH v2 17/17] block: remove all encryption handling APIs Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170124145152.22980-4-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).