Date: Wed, 22 Aug 2018 15:39:18 -0700 From: Matthew Macy <mmacy@freebsd.org> To: tcaputi@datto.com Cc: Sean Fagan <sef@ixsystems.com>, Alan Somers <asomers@freebsd.org>, freebsd-current <freebsd-current@freebsd.org>, freebsd-fs <freebsd-fs@freebsd.org> Subject: Re: Native Encryption for ZFS on FreeBSD CFT Message-ID: <CAPrugNpstMxFJcFUyVnQOdS9EzBJMqBJ17oJdZ8px_aek4ghEg@mail.gmail.com> In-Reply-To: <CAOtMX2jaPZj1pQj2f_pzBFXCo6G2ksZ0=mQxCX0MxXnSJpEVuA@mail.gmail.com> References: <CAPrugNomNQQUZZNgngYRjDEVEU=_KbE2pgG4ajO1Jr4%2BGov2gQ@mail.gmail.com> <CAPrugNpKOYe9VS6Q-Q43t4i51qsxrP0SKW76208rtX-ENWxS5g@mail.gmail.com> <CAOtMX2jGQWm9ZFM_0kqvEt41xrm%2BFTpq6JVK4iK-c20NQjisRg@mail.gmail.com> <AD1101E9-9A3E-41CB-B313-1723123C607B@ixsystems.com> <CAOtMX2gvtzKg=DJChZdcYCiuADNVm9JvhgLNJ7bmwCLArgigjw@mail.gmail.com> <9FDF249A-E320-4652-834E-7EEC5C4FB7CA@ixsystems.com> <CAOtMX2iMuLWEQV68MTcvpURacXB5wZMT8yAYySisOfnmCNn=SA@mail.gmail.com> <E415D5A9-DBEE-45DC-9AE2-7E50A74B8C2D@ixsystems.com> <CAOtMX2jaPZj1pQj2f_pzBFXCo6G2ksZ0=mQxCX0MxXnSJpEVuA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Thomas, Alan believes that, even with dedup disabled, the ZFS native encryption support is vulnerable to watermarking attacks. I don't have enough exposure to crypto to pass any judgement and was hoping that you'd share your point of view. Thanks in advance. -M On Wed, Aug 22, 2018 at 12:42 PM Alan Somers <asomers@freebsd.org> wrote: > Only encrypting L0 blocks also leaks a lot of information. That means > that, if encryption is set to anything but "off", watermarking attacks will > still be possible based on the size and sparsity of a file. Because I > believe that with any encryption mode, ZFS turns continuous runs of zeros > into holes. And I don't see anything in zio_crypt.c that addresses that. > -Alan > > On Wed, Aug 22, 2018 at 1:23 PM Sean Fagan <sef@ixsystems.com> wrote: > >> On Aug 22, 2018, at 12:20 PM, Alan Somers <asomers@freebsd.org> wrote: >> > ]That doesn't answer the question about what happens when dedup is >> turned off. In that case, is the HMAC still used as the IV? If so, then >> watermarking attacks are still possible. If ZFS switches to a random IV >> when dedup is off, then it would probably be ok. >> >> From the same file: >> >> * Initialization Vector (IV): >> >> * An initialization vector for the encryption algorithms. This is used >> to >> * "tweak" the encryption algorithms so that two blocks of the same data >> are >> * encrypted into different ciphertext outputs, thus obfuscating block >> patterns. >> * The supported encryption modes (AES-GCM and AES-CCM) require that an >> IV is >> * never reused with the same encryption key. This value is stored >> unencrypted >> * and must simply be provided to the decryption function. We use a 96 >> bit IV >> * (as recommended by NIST) for all block encryption. For non-dedup >> blocks we >> * derive the IV randomly. The first 64 bits of the IV are stored in the >> second >> * word of DVA[2] and the remaining 32 bits are stored in the upper 32 >> bits of >> * blk_fill. This is safe because encrypted blocks can't use the upper 32 >> bits >> * of blk_fill. We only encrypt level 0 blocks, which normally have a >> fill count >> * of 1. The only exception is for DMU_OT_DNODE objects, where the fill >> count of >> * level 0 blocks is the number of allocated dnodes in that block. The >> on-disk >> * format supports at most 2^15 slots per L0 dnode block, because the >> maximum >> * block size is 16MB (2^24). In either case, for level 0 blocks this >> number >> * will still be smaller than UINT32_MAX so it is safe to store the IV in >> the >> * top 32 bits of blk_fill, while leaving the bottom 32 bits of the fill >> count >> * for the dnode code. >> >> >> Sean >> >> >>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPrugNpstMxFJcFUyVnQOdS9EzBJMqBJ17oJdZ8px_aek4ghEg>