From owner-freebsd-fs@FreeBSD.ORG Wed Oct 25 17:09:07 2006
From: Robert Watson <rwatson@FreeBSD.org>
Date: Wed, 25 Oct 2006 18:08:38 +0100 (BST)
To: Robert Krten
Cc: freebsd-fs@freebsd.org
Subject: Re: Naive question about encrypted disks
Message-ID: <20061025180112.P33725@fledge.watson.org>
In-Reply-To: <200610251642.k9PGgr4t054536@amd64.ott.parse.com>
List-Id: Filesystems

On Wed, 25 Oct 2006, Robert Krten wrote:

> I've read a few articles and papers on both encryption and the encrypted
> filesystems available under FreeBSD, and have what probably amounts to a
> naive question :-)
>
> I've read that if you know the plaintext, or parts of it, then obtaining the
> key is possible (maybe not "trivial", but "possible").
>
> Assuming the above is true, then the question I have is, when you encrypt
> the entire disk, aren't there bits of plaintext that you can derive? I'm
> thinking of meta data like what newfs leaves behind -- wouldn't it be
> possible to assume/guess the location and content of at least some of that
> meta data, and thus be able to then obtain the key? Or are the pieces of
> meta data that you can reliably guess at too small to be of use? Or... ?
>
> Like I said, I'm not an expert on crypto or filesystems by any stretch :-)

Deriving the key when you have examples of plaintext and ciphertext for that
plaintext is known as a "known-plaintext attack". Resistance to
known-plaintext attacks is one of the most important properties required of
modern crypto algorithms. Other examples of cases where resistance to
known-plaintext attacks is critical include:

- IPSEC, where it's often the case that a potential attacker can trigger
  known plaintext to appear in the plaintext, and also through a packet
  sniffer gain access to the ciphertext, but is not permitted to know the
  secret key.

- SSL web servers, where a customer of an ISP may be able to provide content
  delivered using SSL, and can gain access to the ciphertext, but should not
  be able to derive the key.

There are attacks that reduce the computational cost of deriving keying
materials against known crypto algorithms; however, those attacks typically
do not significantly weaken the cipher. Where they do, we have a special term
we can use to describe the algorithm: "broken".

Many crypto protocols (that is to say, conventions involving the use of
crypto) include "salt" or "initial vectors" (IVs) to limit the effectiveness
of dictionary attacks and known-plaintext attacks by causing the same
plaintext to be encrypted differently each time it is encrypted. These are
typically pseudo-random values, or in the case of chained crypto modes,
earlier data in the ciphertext or cleartext, or in the case of counter mode,
an incrementing counter.

Robert N M Watson
Computer Laboratory
University of Cambridge
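The per-sector IV point in the reply, as an added example that is not part of this thread: a small Go program (names EncryptDisk, DuplicateSectors and ConstructedDisk are assumptions, and the sector-number IV scheme is a constructed illustration, not the derivation GBDE or GELI actually use) encrypts a tiny disk image once with no IV and once with a per-sector IV, then counts the identical ciphertext sectors an observer could spot without knowing the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// EncryptDisk encrypts every sector under one key. With perSectorIV=false each
// 16-byte block is encrypted independently (ECB), so equal plaintext always gives
// equal ciphertext; with true, CBC is chained from an IV unique to the sector
// (constructed derivation for this example; GBDE and GELI derive theirs differently).
func EncryptDisk(key []byte, sectors [][]byte, perSectorIV bool) ([][]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([][]byte, len(sectors))
	for i, s := range sectors {
		ct := make([]byte, len(s))
		if perSectorIV {
			iv := make([]byte, aes.BlockSize)
			binary.LittleEndian.PutUint64(iv, uint64(i)) // sector number as IV
			cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, s)
		} else {
			for off := 0; off < len(s); off += aes.BlockSize {
				block.Encrypt(ct[off:off+aes.BlockSize], s[off:off+aes.BlockSize])
			}
		}
		out[i] = ct
	}
	return out, nil
}

// DuplicateSectors counts sectors whose ciphertext repeats an earlier sector's.
// Each one tells an observer, with no key at all, that two sectors hold the same
// plaintext: exactly the structure a guessable on-disk layout exposes.
func DuplicateSectors(cts [][]byte) int {
	seen := map[string]int{}
	for _, ct := range cts {
		seen[string(ct)]++
	}
	return len(cts) - len(seen)
}

// ConstructedDisk is a 4-sector sample image: sectors 0 and 2 hold the same
// guessable metadata pattern, sectors 1 and 3 are zero-filled like unused space.
func ConstructedDisk() [][]byte {
	meta := bytes.Repeat([]byte("SUPERBLOCK-v1.0 "), 32) // 512-byte sector
	return [][]byte{meta, make([]byte, 512), meta, make([]byte, 512)}
}
```

With no IV the two metadata sectors and the two empty sectors each encrypt to identical ciphertext, so the layout leaks before any key recovery is attempted; with a per-sector IV all four ciphertext sectors differ.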