Naive question about encrypted disks
Robert Watson
rwatson at FreeBSD.org
Wed Oct 25 17:09:07 UTC 2006
On Wed, 25 Oct 2006, Robert Krten wrote:
> I've read a few articles and papers on both encryption and the encrypted
> filesystems available under FreeBSD, and have what probably amounts to a
> naive question :-)
>
> I've read that if you know the plaintext, or parts of it, then obtaining the
> key is possible (maybe not "trivial", but "possible").
>
> Assuming the above is true, then the question I have is, when you encrypt
> the entire disk, aren't there bits of plaintext that you can derive? I'm
> thinking of meta data like what newfs leaves behind -- wouldn't it be
> possible to assume/guess the location and content of at least some of that
> meta data, and thus be able to then obtain the key? Or are the pieces of
> meta data that you can reliably guess at too small to be of use? Or... ?
>
> Like I said, I'm not an expert on crypto or filesystems by any stretch :-)
Deriving the key when you have examples of plaintext and ciphertext for that
plaintext is known as a "known-plaintext attack". Resistance to
known-plaintext attacks is one of the most important properties required of
modern crypto algorithms. Other examples of cases where resistance to
known-plaintext attacks is critical include:
- IPSEC, where it's often the case that a potential attacker can trigger known
plaintext to appear in the plaintext, and also through a packet sniffer gain
access to the ciphertext, but is not permitted to know the secret key.
- SSL web servers, where a customer of an ISP may be able to provide content
delivered using SSL, and can gain access to the ciphertext, but should not
be able to derive the key.
There are attacks that reduce the computational cost of deriving keying
materials against known crypto algorithms; however, those attacks typically do
not significantly weaken the cipher. Where they do, we have a special term we
can use to describe the algorithm: "broken".
Many crypto protocols (that is to say, conventions involving the use of
crypto) include "salt" or "initial vectors" (IVs) to limit the effectiveness
of dictionary attacks and known-plaintext attacks by causing the same
plaintext to be encrypted differently each time it is encrypted. These are
typically pseudo-random values, or in the case of chained crypto modes,
earlier data in the ciphertext or cleartext, or in the case of counter mode, an
incrementing counter.
Robert N M Watson
Computer Laboratory
University of Cambridge
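The point Robert makes about chained and counter modes, as an added example that is not part of the original thread or of any FreeBSD code: the script below encrypts four identical "metadata" blocks (a constructed stand-in for the repeated structures newfs leaves on a fresh disk) in ECB, CBC and CTR mode and shows that only ECB lets the repetition show through, and that changing the IV or counter nonce changes the whole ciphertext. It also shows the caveat that follows: if the counter nonce is reused, one known plaintext reveals the other. The block cipher used is an assumption, a toy 4-round Feistel network built from HMAC-SHA256 so that the example runs on the Python standard library alone; it is not AES, and the mode code would be the same with a real cipher underneath.

```python
"""Added example, not from the original post: IV/counter modes versus ECB.

The block cipher is a toy 4-round Feistel permutation built from HMAC-SHA256
(an assumption standing in for a real cipher such as AES); the mode code
on top of it is the standard construction.
"""
import hashlib
import hmac
import os

BLOCK = 16          # block size in bytes, as for AES
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF of (round index, half block).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher: 4-round Feistel permutation of one 16-byte block."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left          # undo the final swap, as a standard Feistel does


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the rounds backwards."""
    right, left = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example expects whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: no IV, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext (the IV for the first)."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E(nonce || i); decryption is the same operation."""
    assert len(nonce) == HALF
    out = []
    for i, b in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + i.to_bytes(HALF, "big"))
        out.append(_xor(b, keystream))
    return b"".join(out)


def distinct_blocks(data: bytes) -> int:
    """How many different ciphertext blocks appear: 1 means the repetition leaked."""
    return len(set(_blocks(data)))


def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an attacker gets from two CTR messages under one (key, nonce):
    C1 xor C2 == P1 xor P2, so a known plaintext exposes the other one."""
    return _xor(ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2))


if __name__ == "__main__":
    key = os.urandom(16)
    # Constructed sample: four identical "metadata" blocks, like the
    # repeated structures newfs writes to a fresh disk.
    pt = b"SUPERBLOCK-MAGIC" * 4
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, pt)))
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(key, os.urandom(BLOCK), pt)))
    print("CTR distinct blocks:", distinct_blocks(ctr_encrypt(key, os.urandom(HALF), pt)))
```

Knowing the plaintext of a block in CBC or CTR mode tells the attacker nothing about the key; what it must not be allowed to do is line up with a reused IV or nonce, which is why per-sector IVs derived from the sector number are the usual arrangement for disk encryption.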