[Qemu-devel] [PATCH v5 03/18] qcow: document another weakness of qcow AES encryption

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Max Reitz <mreitz@redhat.com>,
	Kevin Wolf <kwolf@redhat.com>, Alberto Garcia <berto@igalia.com>,
	Eric Blake <eblake@redhat.com>,
	"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v5 03/18] qcow: document another weakness of qcow AES encryption
Date: Tue, 21 Feb 2017 11:54:57 +0000	[thread overview]
Message-ID: <20170221115512.21918-4-berrange@redhat.com> (raw)
In-Reply-To: <20170221115512.21918-1-berrange@redhat.com>

Document that use of guest virtual sector numbers as the basis for
the initialization vectors is a potential weakness, when combined
with internal snapshots or multiple images using the same passphrase.
This fixes the formatting of the itemized list too.

Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 qemu-img.texi | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/qemu-img.texi b/qemu-img.texi
index 174aae3..db4534b 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -544,16 +544,29 @@ The use of encryption in qcow and qcow2 images is considered to be flawed by
 modern cryptography standards, suffering from a number of design problems:
 
 @itemize @minus
-@item The AES-CBC cipher is used with predictable initialization vectors based
+@item
+The AES-CBC cipher is used with predictable initialization vectors based
 on the sector number. This makes it vulnerable to chosen plaintext attacks
 which can reveal the existence of encrypted data.
-@item The user passphrase is directly used as the encryption key. A poorly
+@item
+The user passphrase is directly used as the encryption key. A poorly
 chosen or short passphrase will compromise the security of the encryption.
-@item In the event of the passphrase being compromised there is no way to
+@item
+In the event of the passphrase being compromised there is no way to
 change the passphrase to protect data in any qcow images. The files must
 be cloned, using a different encryption passphrase in the new file. The
 original file must then be securely erased using a program like shred,
 though even this is ineffective with many modern storage technologies.
+@item
+Initialization vectors used to encrypt sectors are based on the
+guest virtual sector number, instead of the host physical sector. When
+a disk image has multiple internal snapshots this means that data in
+multiple physical sectors is encrypted with the same initialization
+vector. With the CBC mode, this opens the possibility of watermarking
+attacks if the attack can collect multiple sectors encrypted with the
+same IV and some predictable data. Having multiple qcow2 images with
+the same passphrase also exposes this weakness since the passphrase
+is directly used as the key.
 @end itemize
 
 Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
-- 
2.9.3

next prev parent reply	other threads:[~2017-02-21 11:55 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-21 11:54 [Qemu-devel] [PATCH v5 00/18] Convert QCow[2] to QCryptoBlock & add LUKS support Daniel P. Berrange
2017-02-21 11:54 ` [Qemu-devel] [PATCH v5 01/18] block: expose crypto option names / defs to other drivers Daniel P. Berrange
2017-02-21 11:54 ` [Qemu-devel] [PATCH v5 02/18] block: add ability to set a prefix for opt names Daniel P. Berrange
2017-02-22 15:18   ` Kevin Wolf
2017-02-22 15:49     ` Daniel P. Berrange
2017-02-22 18:28       ` Eric Blake
2017-02-23 10:28         ` Kevin Wolf
2017-02-23 10:37           ` Daniel P. Berrange
2017-02-21 11:54 ` Daniel P. Berrange [this message]
2017-02-21 11:54 ` [Qemu-devel] [PATCH v5 04/18] qcow: require image size to be > 1 for new images Daniel P. Berrange
2017-02-21 11:54 ` [Qemu-devel] [PATCH v5 05/18] iotests: skip 042 with qcow which dosn't support zero sized images Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 06/18] iotests: skip 048 with qcow which doesn't support resize Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 07/18] iotests: fix 097 when run with qcow Daniel P. Berrange
2017-02-22 23:46   ` Eric Blake
2017-03-07 15:44     ` Eric Blake
2017-03-07 15:45       ` Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 08/18] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2017-02-23 12:38   ` Kevin Wolf
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 09/18] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2017-02-21 13:19   ` Alberto Garcia
2017-04-24 16:38     ` Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 10/18] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 11/18] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2017-02-21 13:30   ` Alberto Garcia
2017-04-24 16:50     ` Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 12/18] qcow2: extend specification to cover LUKS encryption Daniel P. Berrange
2017-02-21 13:33   ` Alberto Garcia
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 13/18] qcow2: add support for LUKS encryption format Daniel P. Berrange
2017-02-21 14:13   ` Alberto Garcia
2017-04-24 16:52     ` Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 14/18] qcow2: add iotests to cover LUKS encryption support Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 15/18] iotests: enable tests 134 and 158 to work with qcow (v1) Daniel P. Berrange
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 16/18] block: rip out all traces of password prompting Daniel P. Berrange
2017-02-21 14:20   ` Alberto Garcia
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 17/18] block: remove all encryption handling APIs Daniel P. Berrange
2017-02-21 14:28   ` Alberto Garcia
2017-02-21 11:55 ` [Qemu-devel] [PATCH v5 18/18] block: pass option prefix down to crypto layer Daniel P. Berrange
2017-02-21 15:01   ` Alberto Garcia

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:174aae3 dfblob:db4534b )
 OR (
bs:"[Qemu-devel] [PATCH v5 03/18] qcow: document another weakness of qcow AES encryption" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170221115512.21918-4-berrange@redhat.com \
    --to=berrange@redhat.com \
    --cc=berto@igalia.com \
    --cc=eblake@redhat.com \
    --cc=kwolf@redhat.com \
    --cc=mreitz@redhat.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).