Security Basics mailing list archives
Re: Disk Encryption: aes-xts-plain vs aes-xts-essiv
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Sat, 23 May 2009 01:59:58 -0430
On Friday 22 May 2009 12:47:22 jdm wrote:
> I'm no cryptographer either, but I believe ESSIV is a protection against watermarking and known plaintext attacks. If I recall correctly, the default state for dm-crypt is insecure since the default, or at least recommended configuration, is 'plain.' The downside is probably increased overhead, but I don't know of any benchmarks for this offhand.
Theoretical: there is an impact. Practical: impact is not significant.
> Necessary is a relative term, but in my opinion, watermarking and known plaintext attacks are big attack vectors. If you're implementing full disk encryption, you may as well implement it as securely as possible. If I'm wrong on any of the above, please correct me!
Well, it depends on some factors... A known plaintext attack could reduce AES with 6 rounds to 2^63 key possibilities (correct me if I'm wrong or outdated), but AES should use about 10 or 12 rounds. 2^63 is enormous but not sufficient today, especially with nvidia running outside. Hehehe. But we need to remember that this is with only 6 rounds.

Watermarking needs the attacker to write on your disk, and sometimes this issue is oversized (depends on purposes). The watermarking technique permits creating two blocks with the same data knowing the IV sequence generation. I think that watermarking is not applicable to XTS since XTS does not use predictable IVs; this is because the key for every block depends on the master key combined with the block number.

So, I consider plain mode sufficient, but experimental.

If you need more extreme security, drop AES, go to Serpent, use ESSIV with XTS, oversize the encryption block of Serpent to 256, fill your hard drive with random information on the encrypted loop, next step, format it with ext3 speedily, and reduce the block size of EXT3 to 1Kb (the minimum)... Also, avoid using EXT4, because it could decrease the entropy on the inode blocksize extremes by using extents. Remember to use /dev/urandom when you fill your drive inside the crypto... This will take time. lol...

Finally, your key will be broken by a physical keylogger or by a remote keylogger using tempest, or even using a microphone with software that could distinguish the variations of every keypress... or even using a fake screen installed on grub that shows you a password decryption request with the same format as your linux screen. This requires a direct write on your disk, same as the watermarking attack.

Full disk crypto is far from being secure, so sometimes it is mixed with several double factor mechanisms like an external booting drive, an RSA token, whatever. But if the computer is physically compromised, and you subsequently put in the key, there is no way to be secure...
> HTH,
> --j
>
> On Fri, May 22, 2009 at 9:45 AM, <phoenixprecedent () gmail com> wrote:
>> I've searched around and I can't seem to find a straight answer. Is ESSIV necessary in conjunction with XTS? dm-crypt/LUKS recommends using "plain," but without justification/explanation. I'm no cryptographer, but a little insight would be helpful.
>>
>> Thanks,
>> Phoenix

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
-- Ing. Aaron G. Mizrachi P. http://www.unmanarc.com Mobil 1: + 58 416-6143543 Mobil 2: + 58 424-2412503
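
The IV question discussed in this thread, as an added example that is not part of the original message: it compares the first ciphertext block of two sectors under CBC with plain IVs, CBC with ESSIV, and XTS with plain IVs, to show where equal ciphertext can be recognised without the key. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the block cipher (the relation depends only on the mode structure), and the keys, sector numbers and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # bytes per cipher block

def prf(key: bytes, block: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 16 bytes stands in for one AES call.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_plain(sector: int) -> bytes:
    # dm-crypt "plain": low 32 bits of the sector number, little-endian, zero-padded.
    return struct.pack("<I", sector & 0xFFFFFFFF).ljust(BLOCK, b"\0")

def iv_essiv(key: bytes, sector: int) -> bytes:
    # ESSIV: the sector number encrypted under a hash of the volume key.
    salt = hashlib.sha256(key).digest()
    return prf(salt, struct.pack("<Q", sector).ljust(BLOCK, b"\0"))

def cbc_block0(key: bytes, iv: bytes, pt: bytes) -> bytes:
    return prf(key, xor(pt, iv))  # first CBC block: E_K(P xor IV)

def xts_block0(k1: bytes, k2: bytes, iv: bytes, pt: bytes) -> bytes:
    tweak = prf(k2, iv)  # XTS encrypts the IV under a second key first
    return xor(prf(k1, xor(pt, tweak)), tweak)

def related_sectors_collide(mode: str, s1: int = 7, s2: int = 4096) -> bool:
    """True if two sectors with XOR-related plaintext yield equal ciphertext."""
    k1, k2 = b"\x11" * 32, b"\x22" * 32  # constructed sample keys
    p1 = b"A" * BLOCK
    # p2 is derived from p1 using only the public sector numbers.
    p2 = xor(p1, xor(iv_plain(s1), iv_plain(s2)))
    if mode == "cbc-plain":
        c1, c2 = cbc_block0(k1, iv_plain(s1), p1), cbc_block0(k1, iv_plain(s2), p2)
    elif mode == "cbc-essiv":
        c1, c2 = cbc_block0(k1, iv_essiv(k1, s1), p1), cbc_block0(k1, iv_essiv(k1, s2), p2)
    elif mode == "xts-plain":
        c1, c2 = xts_block0(k1, k2, iv_plain(s1), p1), xts_block0(k1, k2, iv_plain(s2), p2)
    else:
        raise ValueError(mode)
    return c1 == c2

if __name__ == "__main__":
    for m in ("cbc-plain", "cbc-essiv", "xts-plain"):
        print(m, "ciphertext equality leaks:", related_sectors_collide(m))
```

Because `iv_plain` keeps only 32 bits, its IVs repeat after 2^32 sectors, which is why later dm-crypt versions offer `plain64` for large volumes.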