From: Eric Blake <eblake@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] Describe flaws in qcow/qcow2 encryption in the docs
Date: Wed, 22 Jan 2014 06:21:24 -0700
Message-ID: <52DFC5D4.5060109@redhat.com>
In-Reply-To: <1390390561-14901-1-git-send-email-berrange@redhat.com>

On 01/22/2014 04:36 AM, Daniel P. Berrange wrote:
> The qemu-img.texi / qemu-doc.texi files currently describe the
> qcow2/qcow2 encryption thus
> 
>   "Encryption uses the AES format which is very secure (128 bit
>    keys). Use a long password (16 characters) to get maximum
>    protection."
> 
> While AES is indeed a strong encryption system, the way that
> QCow/QCow2 use it results in a poor/weak encryption system.
> Due to the use of predictable IVs it is vulnerable to chosen
> plaintext attacks which can reveal the existance of encrypted

s/existance/existence/

> data.
> 
> The direct use of the user passphrase as the encryption key
> also leads to an inability to change the passphrase of an
> image. If passphrase is ever compromised the image data will
> all be vulnerable, since it cannot be re-encrypted. The admin
> has to clone the image files with a new passphrase and then
> use a program like shred to secure erase all the old files.
> 
> Recommend against any use of QCow/QCow2 encryption, directing
> users to dm-crypt / LUKS which can meet modern cryptography
> best practices.
> 
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
>  qemu-doc.texi | 23 ++++++++++++++++++++---
>  qemu-img.texi | 23 ++++++++++++++++++++---
>  2 files changed, 40 insertions(+), 6 deletions(-)
> 

> +
> +The use of encryption in QCow and QCow2 images is considered to flawed by modern
> +cryptography standards, suffering from a number of design problems

s/$/:/
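
Review bot: In the first added sentence of this hunk, "is considered to flawed" is missing a verb; suggest "is considered to be flawed by modern cryptography standards".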

> +
> +@itemize @minus
> +@item The AES-CBC cipher is used with predictable initialization vectors based
> +on the sector number. This makes it vulnerable to chosen plaintext attacks
> +which can reveal the existence of encrypted data.
> +@item The user passphrase is directly used as the encryption key. A poorly
> +choosen / short passphrase will compromise the security of the encryption.

s/choosen/chosen/

> +In the event of the passphrase being compromised there is no way to change

Maybe s/^/@item / ?  After all, the need to clone/shred after compromise
is there whether the passphrase was poorly chosen or maximally chosen,
it's just that poorly chosen is more likely to be easily compromised.

> +++ b/qemu-img.texi

> +@item The user passphrase is directly used as the encryption key. A poorly
> +choosen / short passphrase will compromise the security of the encryption.

Copy and paste the fixes above here, too.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
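
Added example, not part of the original message or of QEMU's code: the sketch below shows why the sector-number IVs described in the patch leak information under CBC, and how an IV derived under a secret key (the ESSIV approach used by dm-crypt) removes the leak. The toy Feistel cipher stands in for AES, and the 16-byte little-endian IV encoding and all names are assumptions.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, same as AES

def _round(key, rnd, half):
    # Feistel round function: keyed hash truncated to half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    # 4-round Feistel network: a stand-in 128-bit block cipher, NOT AES
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
    return left + right

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, data):
    # Standard CBC chaining: C_i = E(P_i XOR C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def plain_iv(key, sector):
    # Predictable: the IV is a public function of the sector number (assumed encoding)
    return sector.to_bytes(BLOCK, "little")

def secret_iv(key, sector):
    # ESSIV-style: IV = E_{H(key)}(sector), unknown to anyone without the key
    return toy_encrypt_block(hashlib.sha256(key).digest(), sector.to_bytes(BLOCK, "little"))

def first_blocks_collide(iv_fn, key=b"constructed-key!"):
    # Constructed input, written without knowing the key: the block stored in
    # sector n is (marker XOR n), which cancels a sector-number IV inside CBC.
    marker = b"constructed mark"
    sectors = (7, 8)
    ct = [cbc_encrypt(key, iv_fn(key, n), xor(marker, n.to_bytes(BLOCK, "little")))
          for n in sectors]
    return ct[0] == ct[1]  # identical ciphertext in two sectors is visible on disk

if __name__ == "__main__":
    print("sector-number IV, ciphertexts collide:", first_blocks_collide(plain_iv))
    print("secret-derived IV, ciphertexts collide:", first_blocks_collide(secret_iv))
```

With the sector-number IV the two ciphertext blocks are identical, which is the "existence of encrypted data" leak the patch text describes; with the secret-derived IV they differ.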

