Message-ID: <40081AF0.5060907@borgerding.net>
Date: Fri, 16 Jan 2004 12:10:08 -0500
From: Mark Borgerding <mark@borgerding.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031107 Debian/1.5-3
MIME-Version: 1.0
To: linux-kernel@vger.kernel.org
Subject: Re: PROBLEM: AES cryptoloop corruption under recent -mm kernels
References: <Xine.LNX.4.44.0401161039480.20623-100000@thoron.boston.redhat.com>
In-Reply-To: <Xine.LNX.4.44.0401161039480.20623-100000@thoron.boston.redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1195
Lines: 41

James Morris wrote:

>On Fri, 16 Jan 2004, Mark Borgerding wrote:
>
>  
>
>> From looking through the cryptoloop code, it looks like the IV for CBC
>>mode is always the sector index.  It seems this could be weak against
>>chosen plaintext attacks, as well as allowing an attacker to know which
>>cipher blocks started any changes between two snapshots of the
>>ciphertext.  I discuss ECB, since I wouldn't consider using it.
>>    
>>
>
>Eli Biham has suggested encrypting the sector numbers, see
>http://people.redhat.com/jmorris/crypto/cryptoloop_eli_biham.txt
>
>
>
>- James
>  
>

This does not defend against a dictionary attack.

The IV is still deterministic for a given sector and hypothesized 
password. 
Thus the ciphertext for a given plaintext at that sector is still 
deterministic.

Thinking of it another way, this is equivalent to CBC mode having two 
IVs: the first one being the sector number, the second a block of zeros.


- Mark

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/