From: Paolo Bonzini <pbonzini@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Benoît Canet" <benoit.canet@irqsave.net>,
qemu-devel@nongnu.org, stefanha@redhat.com,
"Stefan Hajnoczi" <stefanha@gmail.com>
Subject: Re: [Qemu-devel] QCOW2 cryptography and secure key handling
Date: Wed, 24 Jul 2013 17:30:22 +0200 [thread overview]
Message-ID: <51EFF30E.9060102@redhat.com> (raw)
In-Reply-To: <20130723155741.GI2477@redhat.com>
Il 23/07/2013 17:57, Daniel P. Berrange ha scritto:
> On Tue, Jul 23, 2013 at 05:38:00PM +0200, Kevin Wolf wrote:
>> Am 23.07.2013 um 17:22 hat Stefan Hajnoczi geschrieben:
>>> On Tue, Jul 23, 2013 at 04:40:34PM +0200, Benoît Canet wrote:
>>>>> More generally, QCow2's current encryption support is woefully inadequate
>>>>> from a design POV. If we wanted better encryption built-in to QEMU it is
>>>>> best to just deprecate the current encryption support and define a new
>>>>> qcow2 extension based around something like the LUKS data format. Using
>>>>> the LUKS data format precisely would be good from a data portability
>>>>> POV, since then you can easily switch your images between LUKS encrypted
>>>>> block device & qcow2-with-luks image file, without needing to re-encrypt
>>>>> the data.
>>>>
>>>> I read the LUKS specification and undestood enough part of it to understand the
>>>> potentials benefits (stronger encryption key, multiple user keys, possibility to
>>>> change users keys).
>>>>
>>>> Kevin & Stefan: What do you think about implementing LUKS in QCOW2 ?
>>>
>>> Using standard or proven approachs in crypto is a good thing.
>>
>> I think the question is how much of a standard approach you take and
>> what sense it makes in the context where it's used. The actual
>> encryption algorithm is standard, as far as I can tell, but some people
>> have repeatedly been arguing that it still results in bad crypto. Are
>> they right? I don't know, I know too little of this stuff.
>
> One reason that QCow2 is bad, despite using a standard algorithm, is
> that the user passphrase is directly used encrypt/decrypt the data.
> Thus a weak passphrase leads to weak data encryption. With the LUKS
> format, the passphrase is only used to unlock the master key, which
> is cryptographically strong. LUKS applies multiple rounds of hashing
> to the user passphrase based on the speed of the machine CPUs, to
> make it less practical to brute force weak user passphrases and thus
> recover the master key.
Another reason that QCow2 is bad is that disk encryption is Complicated.
Even if you do not do any horrible mistakes such as using ECB
encryption, a disk encrypted sector-by-sector has a lot of small
separate cyphertexts in it and is susceptible to a special range of attacks.
For example, current qcow2 encryption is vulnerable to a watermarking
attack.
http://en.wikipedia.org/wiki/Disk_encryption_theory#Cipher-block_chaining_.28CBC.29
dm-crypt or other disk encryption programs use more complicated schemes,
do we need to go there?
Paolo
next prev parent reply other threads:[~2013-07-24 15:30 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-23 12:47 [Qemu-devel] QCOW2 cryptography and secure key handling Benoît Canet
2013-07-23 13:00 ` Daniel P. Berrange
2013-07-23 13:21 ` Benoît Canet
2013-07-23 14:40 ` Benoît Canet
2013-07-23 15:22 ` Stefan Hajnoczi
2013-07-23 15:38 ` Kevin Wolf
2013-07-23 15:57 ` Daniel P. Berrange
2013-07-24 13:07 ` Benoît Canet
2013-07-24 15:30 ` Paolo Bonzini [this message]
2013-07-24 15:33 ` Daniel P. Berrange
2013-07-24 15:40 ` Paolo Bonzini
2013-07-24 15:46 ` Daniel P. Berrange
2013-07-29 11:21 ` Markus Armbruster
2013-07-29 11:25 ` Kevin Wolf
2013-07-29 11:32 ` Daniel P. Berrange
2013-07-29 16:07 ` Benoît Canet
2013-07-31 15:33 ` Benoît Canet
2013-07-31 15:27 ` Benoît Canet
2013-07-31 17:52 ` Laszlo Ersek
2013-07-31 18:31 ` Laszlo Ersek
2013-07-23 15:40 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51EFF30E.9060102@redhat.com \
--to=pbonzini@redhat.com \
--cc=benoit.canet@irqsave.net \
--cc=berrange@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).