[Qemu-devel] [PATCH v9 03/20] qcow: document another weakness of qcow AES encryption

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Eric Blake <eblake@redhat.com>,
	Max Reitz <mreitz@redhat.com>, Kevin Wolf <kwolf@redhat.com>,
	Alberto Garcia <berto@igalia.com>,
	"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v9 03/20] qcow: document another weakness of qcow AES encryption
Date: Mon, 19 Jun 2017 18:34:38 +0100	[thread overview]
Message-ID: <20170619173455.18805-4-berrange@redhat.com> (raw)
In-Reply-To: <20170619173455.18805-1-berrange@redhat.com>

Document that use of guest virtual sector numbers as the basis for
the initialization vectors is a potential weakness, when combined
with internal snapshots or multiple images using the same passphrase.
This fixes the formatting of the itemized list too.

Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 qemu-img.texi | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/qemu-img.texi b/qemu-img.texi
index 5b925ec..f335139 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -567,16 +567,29 @@ The use of encryption in qcow and qcow2 images is considered to be flawed by
 modern cryptography standards, suffering from a number of design problems:
 
 @itemize @minus
-@item The AES-CBC cipher is used with predictable initialization vectors based
+@item
+The AES-CBC cipher is used with predictable initialization vectors based
 on the sector number. This makes it vulnerable to chosen plaintext attacks
 which can reveal the existence of encrypted data.
-@item The user passphrase is directly used as the encryption key. A poorly
+@item
+The user passphrase is directly used as the encryption key. A poorly
 chosen or short passphrase will compromise the security of the encryption.
-@item In the event of the passphrase being compromised there is no way to
+@item
+In the event of the passphrase being compromised there is no way to
 change the passphrase to protect data in any qcow images. The files must
 be cloned, using a different encryption passphrase in the new file. The
 original file must then be securely erased using a program like shred,
 though even this is ineffective with many modern storage technologies.
+@item
+Initialization vectors used to encrypt sectors are based on the
+guest virtual sector number, instead of the host physical sector. When
+a disk image has multiple internal snapshots this means that data in
+multiple physical sectors is encrypted with the same initialization
+vector. With the CBC mode, this opens the possibility of watermarking
+attacks if the attack can collect multiple sectors encrypted with the
+same IV and some predictable data. Having multiple qcow2 images with
+the same passphrase also exposes this weakness since the passphrase
+is directly used as the key.
 @end itemize
 
 Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
-- 
2.9.3

next prev parent reply	other threads:[~2017-06-19 17:35 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-19 17:34 [Qemu-devel] [PATCH v9 00/20] Convert QCow[2] to QCryptoBlock & add LUKS support Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 01/20] block: expose crypto option names / defs to other drivers Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 02/20] block: add ability to set a prefix for opt names Daniel P. Berrange
2017-06-19 17:34 ` Daniel P. Berrange [this message]
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 04/20] qcow: require image size to be > 1 for new images Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 05/20] iotests: skip 042 with qcow which dosn't support zero sized images Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 06/20] iotests: skip 048 with qcow which doesn't support resize Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 07/20] block: deprecate "encryption=on" in favor of "encrypt.format=aes" Daniel P. Berrange
2017-06-20 11:44   ` Alberto Garcia
2017-06-20 12:02     ` Daniel P. Berrange
2017-06-20 14:07       ` Alberto Garcia
2017-06-23 10:08         ` Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 08/20] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 09/20] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2017-06-21 14:29   ` Max Reitz
2017-06-23 10:06     ` Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 10/20] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 11/20] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 12/20] qcow2: extend specification to cover LUKS encryption Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 13/20] qcow2: add support for LUKS encryption format Daniel P. Berrange
2017-06-21 14:42   ` Max Reitz
2017-06-21 14:46     ` Max Reitz
2017-06-21 14:59       ` Max Reitz
2017-06-23 10:06         ` Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 14/20] qcow2: add iotests to cover LUKS encryption support Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 15/20] iotests: enable tests 134 and 158 to work with qcow (v1) Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 16/20] block: rip out all traces of password prompting Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 17/20] block: remove all encryption handling APIs Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 18/20] block: pass option prefix down to crypto layer Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 19/20] qcow2: report encryption specific image information Daniel P. Berrange
2017-06-19 17:34 ` [Qemu-devel] [PATCH v9 20/20] docs: document encryption options for qcow, qcow2 and luks Daniel P. Berrange

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5b925ec dfblob:f335139 )
 OR (
bs:"[Qemu-devel] [PATCH v9 03/20] qcow: document another weakness of qcow AES encryption" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170619173455.18805-4-berrange@redhat.com \
    --to=berrange@redhat.com \
    --cc=berto@igalia.com \
    --cc=eblake@redhat.com \
    --cc=kwolf@redhat.com \
    --cc=mreitz@redhat.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).