Date: Wed, 22 Aug 2018 23:21:53 -0400
From: Thomas Caputi <tcaputi@datto.com>
To: mmacy@freebsd.org
Cc: Sean Fagan <sef@ixsystems.com>, asomers@freebsd.org, freebsd-current@freebsd.org, freebsd-fs@freebsd.org
Subject: Re: Native Encryption for ZFS on FreeBSD CFT
Message-ID: <CAF2oFs-68Js-F0=r%2BOCDZWQgYThSJkk1yAj%2BOT=dyq_LjgZjbg@mail.gmail.com>
In-Reply-To: <CAPrugNpstMxFJcFUyVnQOdS9EzBJMqBJ17oJdZ8px_aek4ghEg@mail.gmail.com>
References: <CAPrugNomNQQUZZNgngYRjDEVEU=_KbE2pgG4ajO1Jr4%2BGov2gQ@mail.gmail.com>
 <CAPrugNpKOYe9VS6Q-Q43t4i51qsxrP0SKW76208rtX-ENWxS5g@mail.gmail.com>
 <CAOtMX2jGQWm9ZFM_0kqvEt41xrm%2BFTpq6JVK4iK-c20NQjisRg@mail.gmail.com>
 <AD1101E9-9A3E-41CB-B313-1723123C607B@ixsystems.com>
 <CAOtMX2gvtzKg=DJChZdcYCiuADNVm9JvhgLNJ7bmwCLArgigjw@mail.gmail.com>
 <9FDF249A-E320-4652-834E-7EEC5C4FB7CA@ixsystems.com>
 <CAOtMX2iMuLWEQV68MTcvpURacXB5wZMT8yAYySisOfnmCNn=SA@mail.gmail.com>
 <E415D5A9-DBEE-45DC-9AE2-7E50A74B8C2D@ixsystems.com>
 <CAOtMX2jaPZj1pQj2f_pzBFXCo6G2ksZ0=mQxCX0MxXnSJpEVuA@mail.gmail.com>
 <CAPrugNpstMxFJcFUyVnQOdS9EzBJMqBJ17oJdZ8px_aek4ghEg@mail.gmail.com>

> That doesn't answer the question about what happens when dedup is turned off. In that case, is the HMAC still used as the IV? If so, then watermarking attacks are still possible.

Quoting the comment from the code above: "For non-dedup blocks we derive the IV randomly". When dedup is enabled, we do leak this information, but the dedup table already leaks that information anyway. The dedup table needs to be in plaintext so that we can repair it even when keys are not loaded. This is a known and documented trade off of using encryption + dedup.

> Only encrypting L0 blocks also leaks a lot of information. That means that, if encryption is set to anything but "off", watermarking attacks will still be possible based on the size and sparsity of a file. Because I believe that with any encryption mode, ZFS turns continuous runs of zeros into holes

First of all, with encryption=off, watermarking attacks are really quite easy :). The information that can be gained about a file from ZFS by looking at the raw disk are:

1) The size of the file (rounded up to the nearest sector size): Almost all applications that encrypt data will leak the approximate size of the protected payload.

2) The locations of holes within a file: ZFS does not turn runs of zeros into holes if you have compression off. However, data that is never written is maintained as a hole (i.e. if you never write any data to block 3 of a file). You are correct that technically this is a small leak of information, but we decided while designing the encryption scheme that the performance and space savings are worth it here. Is this enough information to be an attack vector? I would argue not, but if you are paranoid you could always turn compression off and fill in all the holes of your files with zeros.

3) If dedup is on, you can see which blocks have deduped against other blocks within a clone family. Encrypted dedup only works within applications that share the same master encryption key, which is essentially just snapshots and clones of snapshots. You cannot write data to one encrypted dataset and analyze the dedup tables to see if the data you wrote deduped against another dataset's data.

4) If compression + encryption is on a CRIME attack is possible, but in almost every scenario this attack is impractical. It requires the filesystem to have the key loaded, an application that appends a secret to the data controlled by an attacker, the attacker requires root access to the running system (to read the raw disk without rebooting and unloading the encryption key), and the attacker needs to be able to do many iterations of writing this attacker + secret data to disk and checking the resulting plaintext.

During the implementation of native ZFS encryption we evaluated these and came to the conclusion that the security risks here are easily outweighed by the usability and performance benefits.

If you have any further questions about the design, feel free to email me again or take a look at the (largely diagram based) docs on the implementation:
https://docs.google.com/presentation/d/1km-z3MVNHYwlQLY6yEC3iq-TD05eredH9Ih4umGdkJw/edit?usp=sharing

On Wed, Aug 22, 2018 at 6:39 PM Matthew Macy <mmacy@freebsd.org> wrote:
>
> Hi Thomas,
>
> Alan believes that, even with dedup disabled, the ZFS native encryption support is vulnerable to watermarking attacks. I don't have enough exposure to crypto to pass any judgement and was hoping that you'd share your point of view. Thanks in advance.
>
> -M
>
>
>
> On Wed, Aug 22, 2018 at 12:42 PM Alan Somers <asomers@freebsd.org> wrote:
>>
>> Only encrypting L0 blocks also leaks a lot of information. That means that, if encryption is set to anything but "off", watermarking attacks will still be possible based on the size and sparsity of a file. Because I believe that with any encryption mode, ZFS turns continuous runs of zeros into holes. And I don't see anything in zio_crypt.c that addresses that.
>> -Alan
>>
>> On Wed, Aug 22, 2018 at 1:23 PM Sean Fagan <sef@ixsystems.com> wrote:
>>>
>>> On Aug 22, 2018, at 12:20 PM, Alan Somers <asomers@freebsd.org> wrote:
>>> > That doesn't answer the question about what happens when dedup is turned off. In that case, is the HMAC still used as the IV? If so, then watermarking attacks are still possible. If ZFS switches to a random IV when dedup is off, then it would probably be ok.
>>>
>>> From the same file:
>>>
>>> * Initialization Vector (IV):
>>> * An initialization vector for the encryption algorithms. This is used to
>>> * "tweak" the encryption algorithms so that two blocks of the same data are
>>> * encrypted into different ciphertext outputs, thus obfuscating block patterns.
>>> * The supported encryption modes (AES-GCM and AES-CCM) require that an IV is
>>> * never reused with the same encryption key. This value is stored unencrypted
>>> * and must simply be provided to the decryption function. We use a 96 bit IV
>>> * (as recommended by NIST) for all block encryption. For non-dedup blocks we
>>> * derive the IV randomly. The first 64 bits of the IV are stored in the second
>>> * word of DVA[2] and the remaining 32 bits are stored in the upper 32 bits of
>>> * blk_fill. This is safe because encrypted blocks can't use the upper 32 bits
>>> * of blk_fill. We only encrypt level 0 blocks, which normally have a fill count
>>> * of 1. The only exception is for DMU_OT_DNODE objects, where the fill count of
>>> * level 0 blocks is the number of allocated dnodes in that block. The on-disk
>>> * format supports at most 2^15 slots per L0 dnode block, because the maximum
>>> * block size is 16MB (2^24). In either case, for level 0 blocks this number
>>> * will still be smaller than UINT32_MAX so it is safe to store the IV in the
>>> * top 32 bits of blk_fill, while leaving the bottom 32 bits of the fill count
>>> * for the dnode code.
>>>
>>> Sean
>>>
>>>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAF2oFs-68Js-F0=r%2BOCDZWQgYThSJkk1yAj%2BOT=dyq_LjgZjbg>
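
The difference between the two IV choices discussed in this thread, as an added example that is not part of the original message or of the ZFS code. It assumes a simplified model in which the dedup IV is the first 96 bits of HMAC-SHA256 over the plaintext (the thread only says an HMAC is used); the keys, the block contents and the names `seal`, `blockIV` and `SameCiphertext` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// seal encrypts one block with AES-256-GCM under key and a 96-bit IV.
func seal(key, iv, block []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only fails for a wrong key length
	}
	gcm, _ := cipher.NewGCM(c) // cannot fail for an AES block cipher
	return gcm.Seal(nil, iv, block, nil)
}

// blockIV returns a 96-bit IV: HMAC-derived when dedup is on (assumed
// construction for this sketch), otherwise fresh random bytes.
func blockIV(dedup bool, hmacKey, block []byte) []byte {
	iv := make([]byte, 12)
	if dedup {
		m := hmac.New(sha256.New, hmacKey)
		m.Write(block)
		copy(iv, m.Sum(nil)) // keep the first 12 bytes of the MAC
	} else if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// SameCiphertext writes one constructed plaintext block twice and reports
// whether someone reading the raw disk would see two identical ciphertexts.
func SameCiphertext(dedup bool) bool {
	key, hmacKey := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // constructed keys
	block := bytes.Repeat([]byte("known plaintext "), 8)                           // constructed block
	iv1, iv2 := blockIV(dedup, hmacKey, block), blockIV(dedup, hmacKey, block)
	return bytes.Equal(seal(key, iv1, block), seal(key, iv2, block))
}

func main() {
	fmt.Println("HMAC IV:", SameCiphertext(true), "random IV:", SameCiphertext(false))
}
```

With the HMAC-derived IV, equal plaintext under the same keys yields equal ciphertext, which is what makes dedup possible and what is visible on disk; with a random IV the two writes are unrelated.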