Naive question about encrypted disks

Robert Watson rwatson at FreeBSD.org
Wed Oct 25 17:09:07 UTC 2006


On Wed, 25 Oct 2006, Robert Krten wrote:

> I've read a few articles and papers on both encryption and the encrypted 
> filesystems available under FreeBSD, and have what probably amounts to a 
> naive question :-)
>
> I've read that if you know the plaintext, or parts of it, then obtaining the 
> key is possible (maybe not "trivial", but "possible").
>
> Assuming the above is true, then the question I have is, when you encrypt 
> the entire disk, aren't there bits of plaintext that you can derive?  I'm 
> thinking of meta data like what newfs leaves behind -- wouldn't it be 
> possible to assume/guess the location and content of at least some of that 
> meta data, and thus be able to then obtain the key?  Or are the pieces of 
> meta data that you can reliably guess at too small to be of use?  Or... ?
>
> Like I said, I'm not an expert on crypto or filesystems by any stretch :-)

Deriving the key when you have examples of plaintext and ciphertext for that 
plaintext is known as a "known-plaintext attack".  Resistance to 
known-plaintext attacks is one of the most important properties required of 
modern crypto algorithms.  Other examples of cases where resistance to 
known-plaintext attacks is critical include:

- IPSEC, where it's often the case that a potential attacker can trigger known
   plaintext to appear in the plaintext, and also through a packet sniffer gain
   access to the ciphertext, but is not permitted to know the secret key.

- SSL web servers, where a customer of an ISP may be able to provide content
   delivered using SSL, and can gain access to the ciphertext, but should not
   be able to derive the key.

There are attacks that reduce the computational cost of deriving keying 
materials against known crypto algorithms; however, those attacks typically do 
not significantly weaken the cipher.  Where they do, we have a special term we 
can use to describe the algorithm: "broken".

Many crypto protocols (that is to say, conventions involving the use of 
crypto) include "salt" or "initial vectors" (IVs) to limit the effectiveness 
of dictionary attacks and known-plaintext attacks by causing the same 
plaintext to be encrypted differently each time it is encrypted.  These are 
typically pseudo-random values, or in the case of chained crypto modes, 
earlier data in the ciphertext or cleartext, or in the case of counter mode, an 
incrementing counter.

Robert N M Watson
Computer Laboratory
University of Cambridge
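An added example (not code from the list post or from FreeBSD's disk encryption) of the point about IVs in the last paragraph: a counter-mode style construction, with HMAC-SHA256 standing in for the block cipher so it runs on the standard library, where the IV is derived from the sector number. Two identical sectors, such as the zero-filled blocks newfs leaves behind, then encrypt to different ciphertext, whereas one fixed IV for the whole disk makes them byte-identical and therefore recognisable on the raw disk. The key, sector size, sector contents and all function names are constructed for the demo.

```python
import hashlib
import hmac
import struct

SECTOR = 64  # toy sector size (real disks use 512 or 4096 bytes)
# Constructed demo key; a real disk key comes from a KDF over a passphrase.
KEY = b"constructed-demo-key-not-secret!"

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode style keystream: block i = HMAC-SHA256(key, iv || i).
    HMAC serves as the PRF in place of a block cipher so this runs on stdlib only."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, iv + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])

def crypt_sector(key, sector_no, data, per_sector_iv):
    """XOR the sector with its keystream (encrypt and decrypt are the same op).
    per_sector_iv=True derives the IV from the sector number, as disk encryption
    does; False reuses one fixed IV for every sector (the weak setting)."""
    iv = struct.pack(">Q", sector_no) if per_sector_iv else bytes(8)
    ks = keystream(key, iv, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_disk(key, sectors, per_sector_iv):
    return [crypt_sector(key, n, s, per_sector_iv) for n, s in enumerate(sectors)]

def duplicate_ciphertext_sectors(ciphertexts):
    """Pairs (i, j) of sectors whose ciphertext is byte-identical: anyone holding
    the raw disk learns those sectors contain the same plaintext."""
    seen, dups = {}, []
    for n, ct in enumerate(ciphertexts):
        if ct in seen:
            dups.append((seen[ct], n))
        else:
            seen[ct] = n
    return dups

# Constructed toy disk image: sectors 0 and 2 are zero-filled, as much of a
# freshly newfs'd filesystem is; 1 and 3 hold metadata-like content.
DISK = [bytes(SECTOR), b"superblock".ljust(SECTOR, b"\x00"),
        bytes(SECTOR), b"inode table".ljust(SECTOR, b"\x00")]

if __name__ == "__main__":
    for per_sector_iv in (False, True):
        dups = duplicate_ciphertext_sectors(encrypt_disk(KEY, DISK, per_sector_iv))
        print("per-sector IV:" if per_sector_iv else "fixed IV:", dups)
```

With the fixed IV the report is `[(0, 2)]`; with the per-sector IV it is empty, even though the key and the plaintext are the same in both runs.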

