From owner-freebsd-fs@freebsd.org Wed Aug 22 19:46:31 2018
From: Alan Somers
Date: Wed, 22 Aug 2018 13:20:29 -0600
Subject: Re: Native Encryption for ZFS on FreeBSD CFT
To: Sean Fagan
Cc: Matthew Macy, FreeBSD CURRENT, freebsd-fs
List-Id: Filesystems

On Wed, Aug 22, 2018 at 12:30 PM Sean Fagan wrote:
> On Aug 21, 2018, at 8:16 PM, Alan Somers wrote:
>
> > The last time I looked (which was a long time ago), Oracle's ZFS
> > encryption looked extremely vulnerable to watermarking attacks. Did
> > anybody ever fix that?
>
> This is the comment about dedup in zio_crypt.c:
>
>  * CONSIDERATIONS FOR DEDUP:
>  * In order for dedup to work, blocks that we want to dedup with one another
>  * need to use the same IV and encryption key, so that they will have the same
>  * ciphertext. Normally, one should never reuse an IV with the same encryption
>  * key or else AES-GCM and AES-CCM can both actually leak the plaintext of both
>  * blocks. In this case, however, since we are using the same plaintext as
>  * well all that we end up with is a duplicate of the original ciphertext we
>  * already had. As a result, an attacker with read access to the raw disk will
>  * be able to tell which blocks are the same but this information is given away
>  * by dedup anyway. In order to get the same IVs and encryption keys for
>  * equivalent blocks of data we use an HMAC of the plaintext. We use an HMAC
>  * here so that a reproducible checksum of the plaintext is never available to
>  * the attacker. The HMAC key is kept alongside the master key, encrypted on
>  * disk. The first 64 bits of the HMAC are used in place of the random salt, and
>  * the next 96 bits are used as the IV. As a result of this mechanism, dedup
>  * will only work within a clone family since encrypted dedup requires use of
>  * the same master and HMAC keys.
>
> (So, same issue. I don’t think encryption and deduplication should live
> together, so I would not have made that choice.)
>
> Sean.

That doesn't answer the question about what happens when dedup is turned off.
In that case, is the HMAC still used as the IV? If so, then watermarking
attacks are still possible. If ZFS switches to a random IV when dedup is off,
then it would probably be ok.

-Alan
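The HMAC-derived versus random IV distinction discussed in this thread, as an added illustration that is not part of the thread or of ZFS's own code. It derives the salt and IV the way the quoted zio_crypt.c comment describes (HMAC of the plaintext, first 64 bits as salt, next 96 bits as IV) and uses an HMAC-SHA256 keystream as a stand-in for AES-GCM, since only the IV-reuse property matters here; both keys are constructed values.

```python
import hmac
import hashlib
import os

# Constructed stand-ins for the dataset's master key and the dedup HMAC key.
MASTER_KEY = b"\x11" * 32
HMAC_KEY = b"\x22" * 32


def dedup_salt_and_iv(plaintext):
    """Dedup mode as the zio_crypt.c comment describes it: HMAC over the
    plaintext, first 64 bits used as the salt, next 96 bits as the IV."""
    mac = hmac.new(HMAC_KEY, plaintext, hashlib.sha512).digest()
    return mac[:8], mac[8:20]


def random_salt_and_iv():
    """Non-dedup mode as the reply hopes it works: fresh random salt and IV."""
    return os.urandom(8), os.urandom(12)


def keystream_encrypt(salt, iv, plaintext):
    """Stand-in for AES-GCM, NOT the real cipher. The salt selects a per-block
    key derived from the master key (ZFS uses HKDF; HMAC here), and an HMAC
    counter keystream keyed by that key and the IV is XORed over the data.
    It keeps the one property that matters: same key + IV + plaintext gives
    the same ciphertext. XOR makes it its own inverse."""
    block_key = hmac.new(MASTER_KEY, salt, hashlib.sha256).digest()
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hmac.new(block_key, iv + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def encrypt_block(plaintext, dedup):
    """On-disk record for one block: salt || IV || ciphertext."""
    salt, iv = dedup_salt_and_iv(plaintext) if dedup else random_salt_and_iv()
    return salt + iv + keystream_encrypt(salt, iv, plaintext)


def ciphertexts_reveal_equality(plaintext, dedup):
    """What a reader of the raw disk learns: if the same block is written
    twice, are the two on-disk records identical?"""
    return encrypt_block(plaintext, dedup) == encrypt_block(plaintext, dedup)
```

With dedup on, equal plaintexts produce equal records, which is exactly what makes dedup possible and what the thread calls watermarking; with random IVs the records differ even for identical data.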