Security Basics mailing list archives

Re: Disk Encryption: aes-xts-plain vs aes-xts-essiv


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Sat, 23 May 2009 01:59:58 -0430

On Friday 22 May 2009 12:47:22 jdm wrote:
I'm no cryptographer either, but I believe ESSIV is a protection
against watermarking and known plaintext attacks.  If I recall
correctly, the default state for dm-crypt is insecure since the
default, or at least recommended configuration, is 'plain.'

The down side is probably increased overhead, but I don't know of any
benchmarks for this offhand.

Theoretical: there is an impact.
Practical: the impact is not significant.



Necessary is a relative term, but in my opinion, watermarking and
known plaintext attacks are big attack vectors.  If you're
implementing full disk encryption, you may as well implement it as
securely as possible.

If I'm wrong on any of the above, please correct me!

Well, depends on some factors...

A known-plaintext attack could reduce AES with 6 rounds to 2^63 key
possibilities (correct me if I'm wrong or outdated), but AES should use about
10 or 12 rounds.

2^63 is enormous but not sufficient today, especially with NVIDIA running
outside. Hehehe. But we need to remember that this is with only 6 rounds.

Watermarking requires that the attacker write to your disk, and sometimes this
issue is oversized (it depends on the purpose). The watermarking technique permits
creating two blocks with the same data by knowing the IV sequence generation.

I think that watermarking is not applicable to XTS since XTS does not use
predictable IVs; this is because the key for every block depends on the
master key combined with the block number.

So, I consider plain mode sufficient, but experimental.

If you need more extreme security, drop AES, go to Serpent, use ESSIV with
XTS, oversize the encryption block of Serpent to 256, fill your hard drive with
random information on the encrypted loop, and as the next step, format it with ext3
quickly, and reduce the block size of ext3 to 1Kb (the minimum)... Also,
avoid using ext4, because it could decrease the entropy on the inode
blocksize extremes by using extents.

Remember to use /dev/urandom when you fill your drive inside the crypto... This will
take time. lol...

Finally, your key will be broken by a physical keylogger or by a remote
keylogger using TEMPEST, or even by using a microphone with software that
could distinguish the variations of every keypress... or even by using a fake
screen installed on GRUB that shows you a password decryption request with the
same format as your Linux screen. This requires a direct write to your disk,
same as the watermarking attack.

Full disk crypto is far from being secure, so sometimes it is mixed with several
double-factor mechanisms like an external boot drive, an RSA token, whatever.
But if the computer is physically compromised, and you subsequently enter the
key, there is no way to be secure...

HTH,
--j

On Fri, May 22, 2009 at 9:45 AM, <phoenixprecedent () gmail com> wrote:
I've searched around and I can't seem to find a straight answer.

Is ESSIV necessary in conjunction with XTS?

dm-crypt/Luks recommends using "plain," but without
justification/explanation.

I'm no cryptographer, but a little insight would be helpful.

Thanks,
Phoenix

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means
you pass the exam. Gain a laser like insight into what is covered on the
exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------

-- 
Ing. Aaron G. Mizrachi P.    
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
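
The thread contrasts the 'plain' IV with ESSIV as a defence against watermarking; the following is an added example, not part of the original messages, showing why a public IV sequence leaves a recognisable pattern in CBC ciphertext and why a key-derived IV removes it. Assumptions: `toy_encrypt` is a stand-in Feistel cipher used in place of AES so the code runs on the standard library alone, and the key, sector numbers and marker are constructed sample values.

```python
import hashlib
import hmac

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256), NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_plain(key: bytes, sector: int) -> bytes:
    # "plain": 32-bit little-endian sector number, zero padded. No secret input.
    return (sector & 0xFFFFFFFF).to_bytes(4, "little") + bytes(12)

def iv_essiv(key: bytes, sector: int) -> bytes:
    # ESSIV: sector number encrypted under a hash of the volume key.
    salt = hashlib.sha256(key).digest()
    return toy_encrypt(salt, sector.to_bytes(8, "little") + bytes(8))

def first_cipher_blocks(key, iv_fn, sectors, marker):
    """CBC ciphertext of block 0 of each sector, for data prepared by a writer
    who has no key and can only compute the public sector-number IV."""
    out = []
    for s in sectors:
        crafted = xor(marker, iv_plain(key, s))   # what lands on disk as plaintext
        out.append(toy_encrypt(key, xor(crafted, iv_fn(key, s))))  # C0 = E(P0 ^ IV)
    return out

VOLUME_KEY = bytes(range(32))        # constructed sample key
SECTORS = [10, 11, 4096]             # constructed sample sector numbers
MARKER = b"M" * 16                   # constructed 16-byte marker

def repeated_blocks(iv_fn) -> bool:
    """True when every sector's first ciphertext block is identical."""
    blocks = first_cipher_blocks(VOLUME_KEY, iv_fn, SECTORS, MARKER)
    return len(set(blocks)) == 1

if __name__ == "__main__":
    print("plain IV -> identical ciphertext blocks:", repeated_blocks(iv_plain))
    print("ESSIV    -> identical ciphertext blocks:", repeated_blocks(iv_essiv))
```

The example uses CBC chaining, the mode in which the repeated block is visible; in XTS the IV is used as the tweak and is encrypted under the second half of the key before use.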
