* [Qemu-devel] [PATCH] Describe flaws in qcow/qcow2 encryption in the docs
@ 2014-01-22 11:36 Daniel P. Berrange
2014-01-22 11:49 ` Peter Maydell
2014-01-22 13:21 ` Eric Blake
0 siblings, 2 replies; 4+ messages in thread
From: Daniel P. Berrange @ 2014-01-22 11:36 UTC (permalink / raw)
To: qemu-devel; +Cc: Kevin Wolf, Paolo Bonzini, Stefan Hajnoczi
The qemu-img.texi / qemu-doc.texi files currently describe the
qcow2/qcow2 encryption thus

  "Encryption uses the AES format which is very secure (128 bit
  keys). Use a long password (16 characters) to get maximum
  protection."

While AES is indeed a strong encryption system, the way that
QCow/QCow2 use it results in a poor/weak encryption system.
Due to the use of predictable IVs it is vulnerable to chosen
plaintext attacks which can reveal the existance of encrypted
data.

The direct use of the user passphrase as the encryption key
also leads to an inability to change the passphrase of an
image. If passphrase is ever compromised the image data will
all be vulnerable, since it cannot be re-encrypted. The admin
has to clone the image files with a new passphrase and then
use a program like shred to secure erase all the old files.

Recommend against any use of QCow/QCow2 encryption, directing
users to dm-crypt / LUKS which can meet modern cryptography
best practices.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
qemu-doc.texi | 23 ++++++++++++++++++++---
qemu-img.texi | 23 ++++++++++++++++++++---
2 files changed, 40 insertions(+), 6 deletions(-)
BTW, I based this patch on info from this previous thread:
https://lists.gnu.org/archive/html/qemu-devel/2013-07/msg04225.html
If anyone knows of further flaws in qcow2 encryption that we
should describe, I'll update the docs further.
diff --git a/qemu-doc.texi b/qemu-doc.texi
index 4e9c6e9..c9da6ad 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -547,10 +547,27 @@ File name of a base image (see @option{create} subcommand)
@item backing_fmt
Image format of the base image
@item encryption
-If this option is set to @code{on}, the image is encrypted.
+If this option is set to @code{on}, the image is encrypted with 128-bit AES-CBC.
+
+The use of encryption in QCow and QCow2 images is considered to flawed by modern
+cryptography standards, suffering from a number of design problems
+
+@itemize @minus
+@item The AES-CBC cipher is used with predictable initialization vectors based
+on the sector number. This makes it vulnerable to chosen plaintext attacks
+which can reveal the existence of encrypted data.
+@item The user passphrase is directly used as the encryption key. A poorly
+choosen / short passphrase will compromise the security of the encryption.
+In the event of the passphrase being compromised there is no way to change
+the passphrase to protect data in any QCow images. The files must be cloned,
+using a different encryption passphrase in the new file. The original file
+must then be securely erased using a program like shred, though even this
+is ineffective with many modern storage technologies.
+@end itemize
-Encryption uses the AES format which is very secure (128 bit keys). Use
-a long password (16 characters) to get maximum protection.
+Use of QCow / QCow2 encryption is thus strongly discouraged. Users are
+recommended to use an alternative encryption technology such as the
+Linux dm-crypt / LUKS system.
@item cluster_size
Changes the qcow2 cluster size (must be between 512 and 2M). Smaller cluster
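Review bot: The second @item in the new list combines two separate weaknesses, a weak key when the passphrase is short and the inability to change the passphrase after a compromise; split them into two @item entries so each can be read on its own. The first of the two should also say how a passphrase shorter or longer than the 16 bytes of a 128-bit key is handled, which the removed "(16 characters)" hint at least implied. Wording: "considered to flawed" needs "to be", "choosen" should be "chosen", and the line ending "design problems" needs a colon before the @itemize.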
diff --git a/qemu-img.texi b/qemu-img.texi
index 1bba91e..2192eb9 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -402,10 +402,27 @@ File name of a base image (see @option{create} subcommand)
@item backing_fmt
Image format of the base image
@item encryption
-If this option is set to @code{on}, the image is encrypted.
+If this option is set to @code{on}, the image is encrypted with 128-bit AES-CBC.
-Encryption uses the AES format which is very secure (128 bit keys). Use
-a long password (16 characters) to get maximum protection.
+The use of encryption in QCow and QCow2 images is considered to flawed by modern
+cryptography standards, suffering from a number of design problems
+
+@itemize @minus
+@item The AES-CBC cipher is used with predictable initialization vectors based
+on the sector number. This makes it vulnerable to chosen plaintext attacks
+which can reveal the existence of encrypted data.
+@item The user passphrase is directly used as the encryption key. A poorly
+choosen / short passphrase will compromise the security of the encryption.
+In the event of the passphrase being compromised there is no way to change
+the passphrase to protect data in any QCow images. The files must be cloned,
+using a different encryption passphrase in the new file. The original file
+must then be securely erased using a program like shred, though even this
+is ineffective with many modern storage technologies.
+@end itemize
+
+Use of QCow / QCow2 encryption is thus strongly discouraged. Users are
+recommended to use an alternative encryption technology such as the
+Linux dm-crypt / LUKS system.
@item cluster_size
Changes the qcow2 cluster size (must be between 512 and 2M). Smaller cluster
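Review bot: Carrying the same paragraph and @itemize list in both qemu-img.texi and qemu-doc.texi means every later correction has to be made twice, and this copy already repeats "considered to flawed" and "choosen"; consider keeping the text in one file and pulling it into both with @include. The phrase "reveal the existence of encrypted data" in the first @item would also be clearer if it said what an observer of the image file learns, since the data is encrypted either way.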
--
1.8.4.2
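
The predictable-IV weakness described in the commit message above, as an added example that is not part of the original patch or of QEMU's code: CBC with the sector number as IV lets specially chosen data produce the same first ciphertext block in every sector it lands in, while an IV derived from the key (in the style of dm-crypt's ESSIV mode) does not. The Feistel cipher stands in for AES so that only the standard library is needed; the little-endian IV encoding, the key and the marker are constructed assumptions.

```python
import hashlib

BLOCK = 16  # cipher block size in bytes, as for AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    """Keyed 16-byte permutation (4-round Feistel over SHA-256).
    Stand-in for AES-128; not a real cipher, only a placeholder permutation."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def sector_number_iv(key, sector):
    # Predictable IV: anyone who knows the sector number knows the IV.
    return sector.to_bytes(BLOCK, "little")

def keyed_iv(key, sector):
    # ESSIV-style IV: the sector number encrypted under a hash of the key.
    salt = hashlib.sha256(key).digest()
    return toy_block_encrypt(salt, sector.to_bytes(BLOCK, "little"))

def cbc_encrypt_sector(key, sector, data, iv_fn):
    prev, out = iv_fn(key, sector), b""
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def first_blocks_repeat(key, iv_fn, sectors, marker=b"constructed-mark"):
    """Store data whose first block is (marker XOR sector number) in each
    sector and report whether all first ciphertext blocks come out equal."""
    seen = set()
    for s in sectors:
        plaintext = xor(marker, s.to_bytes(BLOCK, "little")) + bytes(BLOCK)
        seen.add(cbc_encrypt_sector(key, s, plaintext, iv_fn)[:BLOCK])
    return len(seen) == 1

KEY = b"constructed key!"  # 16-byte sample key, constructed for this example

if __name__ == "__main__":
    print(first_blocks_repeat(KEY, sector_number_iv, [7, 4096, 90001]))
    print(first_blocks_repeat(KEY, keyed_iv, [7, 4096, 90001]))
```

With the sector-number IV the XOR cancels and every sector's first block is the encryption of the same marker, which is visible in the image file without the key; with the keyed IV the blocks differ.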
* Re: [Qemu-devel] [PATCH] Describe flaws in qcow/qcow2 encryption in the docs
From: Peter Maydell @ 2014-01-22 11:49 UTC (permalink / raw)
To: Daniel P. Berrange
Cc: Kevin Wolf, Paolo Bonzini, QEMU Developers, Stefan Hajnoczi
On 22 January 2014 11:36, Daniel P. Berrange <berrange@redhat.com> wrote:
> Recommend against any use of QCow/QCow2 encryption, directing
> users to dm-crypt / LUKS which can meet modern cryptography
> best practices.
Couple of minor typo nits I spotted:
> diff --git a/qemu-doc.texi b/qemu-doc.texi
> index 4e9c6e9..c9da6ad 100644
> --- a/qemu-doc.texi
> +++ b/qemu-doc.texi
> @@ -547,10 +547,27 @@ File name of a base image (see @option{create} subcommand)
> @item backing_fmt
> Image format of the base image
> @item encryption
> -If this option is set to @code{on}, the image is encrypted.
> +If this option is set to @code{on}, the image is encrypted with 128-bit AES-CBC.
> +
> +The use of encryption in QCow and QCow2 images is considered to flawed by modern
"to be"
> +cryptography standards, suffering from a number of design problems
Missing ".".
> +
> +@itemize @minus
> +@item The AES-CBC cipher is used with predictable initialization vectors based
> +on the sector number. This makes it vulnerable to chosen plaintext attacks
> +which can reveal the existence of encrypted data.
> +@item The user passphrase is directly used as the encryption key. A poorly
> +choosen / short passphrase will compromise the security of the encryption.
"chosen or short".
> +In the event of the passphrase being compromised there is no way to change
> +the passphrase to protect data in any QCow images. The files must be cloned,
> +using a different encryption passphrase in the new file. The original file
> +must then be securely erased using a program like shred, though even this
> +is ineffective with many modern storage technologies.
> +@end itemize
>
> -Encryption uses the AES format which is very secure (128 bit keys). Use
> -a long password (16 characters) to get maximum protection.
> +Use of QCow / QCow2 encryption is thus strongly discouraged. Users are
> +recommended to use an alternative encryption technology such as the
> +Linux dm-crypt / LUKS system.
(same typos also in the texi version).
thanks
-- PMM
* Re: [Qemu-devel] [PATCH] Describe flaws in qcow/qcow2 encryption in the docs
From: Daniel P. Berrange @ 2014-01-22 12:28 UTC (permalink / raw)
To: Peter Maydell; +Cc: Kevin Wolf, Paolo Bonzini, QEMU Developers, Stefan Hajnoczi
On Wed, Jan 22, 2014 at 11:49:21AM +0000, Peter Maydell wrote:
> On 22 January 2014 11:36, Daniel P. Berrange <berrange@redhat.com> wrote:
> > Recommend against any use of QCow/QCow2 encryption, directing
> > users to dm-crypt / LUKS which can meet modern cryptography
> > best practices.
>
> Couple of minor typo nits I spotted:
Thanks Peter, sending a v2.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
* Re: [Qemu-devel] [PATCH] Describe flaws in qcow/qcow2 encryption in the docs
From: Eric Blake @ 2014-01-22 13:21 UTC (permalink / raw)
To: Daniel P. Berrange, qemu-devel; +Cc: Kevin Wolf, Paolo Bonzini, Stefan Hajnoczi
On 01/22/2014 04:36 AM, Daniel P. Berrange wrote:
> The qemu-img.texi / qemu-doc.texi files currently describe the
> qcow2/qcow2 encryption thus
>
> "Encryption uses the AES format which is very secure (128 bit
> keys). Use a long password (16 characters) to get maximum
> protection."
>
> While AES is indeed a strong encryption system, the way that
> QCow/QCow2 use it results in a poor/weak encryption system.
> Due to the use of predictable IVs it is vulnerable to chosen
> plaintext attacks which can reveal the existance of encrypted
s/existance/existence/
> data.
>
> The direct use of the user passphrase as the encryption key
> also leads to an inability to change the passphrase of an
> image. If passphrase is ever compromised the image data will
> all be vulnerable, since it cannot be re-encrypted. The admin
> has to clone the image files with a new passphrase and then
> use a program like shred to secure erase all the old files.
>
> Recommend against any use of QCow/QCow2 encryption, directing
> users to dm-crypt / LUKS which can meet modern cryptography
> best practices.
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> qemu-doc.texi | 23 ++++++++++++++++++++---
> qemu-img.texi | 23 ++++++++++++++++++++---
> 2 files changed, 40 insertions(+), 6 deletions(-)
>
> +
> +The use of encryption in QCow and QCow2 images is considered to flawed by modern
> +cryptography standards, suffering from a number of design problems
s/$/:/
> +
> +@itemize @minus
> +@item The AES-CBC cipher is used with predictable initialization vectors based
> +on the sector number. This makes it vulnerable to chosen plaintext attacks
> +which can reveal the existence of encrypted data.
> +@item The user passphrase is directly used as the encryption key. A poorly
> +choosen / short passphrase will compromise the security of the encryption.
s/choosen/chosen/
> +In the event of the passphrase being compromised there is no way to change
Maybe s/^/@item / ? After all, the need to clone/shred after compromise
is there whether the passphrase was poorly chosen or maximally chosen,
it's just that poorly chosen is more likely to be easily compromised.
> +++ b/qemu-img.texi
> +@item The user passphrase is directly used as the encryption key. A poorly
> +choosen / short passphrase will compromise the security of the encryption.
Copy and paste the fixes above here, too.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
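
Why a passphrase used directly as the key cannot be changed without re-encrypting the data, as discussed in this thread, shown as an added example (not QEMU or LUKS code): a key slot in the style of LUKS wraps a random master key under a PBKDF2-derived key, so a new passphrase only rewrites the slot. The slot layout, the XOR wrap and the zero padding in `direct_key` are simplifying assumptions of this example.

```python
import hashlib
import hmac
import os

def direct_key(passphrase):
    # qcow-style: the passphrase bytes ARE the 128-bit data key.
    # Truncation / zero padding to 16 bytes is an assumption of this example.
    return passphrase.encode()[:16].ljust(16, b"\0")

def _kdf(passphrase, salt):
    # 32 bytes: the first 16 wrap the master key, the last 16 key the check.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               100_000, dklen=32)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_slot(passphrase, master_key):
    salt = os.urandom(16)  # fresh salt per slot, so the wrap key is never reused
    k = _kdf(passphrase, salt)
    wrapped = _xor(master_key, k[:16])
    tag = hmac.new(k[16:], wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def open_slot(passphrase, slot):
    k = _kdf(passphrase, slot["salt"])
    tag = hmac.new(k[16:], slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None  # wrong passphrase
    return _xor(slot["wrapped"], k[:16])

def change_passphrase(old, new, slot):
    master_key = open_slot(old, slot)
    if master_key is None:
        raise ValueError("old passphrase does not open the slot")
    # Only the slot is rewritten; the data key and the data stay as they are.
    return make_slot(new, master_key)

if __name__ == "__main__":
    mk = os.urandom(16)  # random data key, independent of any passphrase
    slot = change_passphrase("old pass", "new pass", make_slot("old pass", mk))
    print(open_slot("new pass", slot) == mk, open_slot("old pass", slot))
    # With the direct scheme a new passphrase is a new data key:
    print(direct_key("old pass") != direct_key("new pass"))
```

Rewrapping does not help once the master key itself or an old copy of the slot has leaked; the data then still has to be re-encrypted under a new master key.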