Re: [Qemu-devel] QCOW2 cryptography and secure key handling

[Paolo Bonzini <pbonzini@redhat.com>]

Il 24/07/2013 17:33, Daniel P. Berrange ha scritto:
>>> One reason that QCow2 is bad, despite using a standard algorithm, is
>>> that the user passphrase is directly used encrypt/decrypt the data.
>>> Thus a weak passphrase leads to weak data encryption. With the LUKS
>>> format, the passphrase is only used to unlock the master key, which
>>> is cryptographically strong. LUKS applies multiple rounds of hashing
>>> to the user passphrase based on the speed of the machine CPUs, to
>>> make it less practical to brute force weak user passphrases and thus
>>> recover the master key.
>>
>> Another reason that QCow2 is bad is that disk encryption is Complicated.
>>  Even if you do not do any horrible mistakes such as using ECB
>> encryption, a disk encrypted sector-by-sector has a lot of small
>> separate cyphertexts in it and is susceptible to a special range of attacks.
>>
>> For example, current qcow2 encryption is vulnerable to a watermarking
>> attack.
>> http://en.wikipedia.org/wiki/Disk_encryption_theory#Cipher-block_chaining_.28CBC.29
>>
>> dm-crypt or other disk encryption programs use more complicated schemes,
>> do we need to go there?
> 
> Yep, that is another particularly good reason to deprecate qcow2's
> existing aes encryption and adopt an existing format that has got
> a proven good design like LUKS.

Note that this is independent of LUKS vs. anything else.  LUKS only
provides the key, you then have to implement encryption yourself.  And
full implementation of all the cyphers and modes that LUKS supports
would be a lot of work.

In fact, LUKS supports a cypher mode as weak as the current qcow2 mode
("cbc-plain") and it even supports ECB.  And dually, adding a more
robust cypher mode to the current qcow2 encryption would be trivial and
would protect against the watermarking attack (it would not fix the
problems with keys, of course, so I'm not suggesting to do it).

Paolo