Naive question about encrypted disks

Scott Long scottl at samsco.org
Wed Oct 25 19:37:18 UTC 2006 

Robert Watson wrote:
> 
> On Wed, 25 Oct 2006, Robert Krten wrote:
> 
>> I've read a few articles and papers on both encryption and the 
>> encrypted filesystems available under FreeBSD, and have what probably 
>> amounts to a naive question :-)
>>
>> I've read that if you know the plaintext, or parts of it, then 
>> obtaining the key is possible (maybe not "trivial", but "possible").
>>
>> Assuming the above is true, then the question I have is, when you 
>> encrypt the entire disk, aren't there bits of plaintext that you can 
>> derive?  I'm thinking of meta data like what newfs leaves behind -- 
>> wouldn't it be possible to assume/guess the location and content of at 
>> least some of that meta data, and thus be able to then obtain the 
>> key?  Or are the pieces of meta data that you can reliably guess at 
>> too small to be of use?  Or... ?
>>
>> Like I said, I'm not an expert on crypto or filesystems by any stretch 
>> :-)
> 
> 
> Deriving the key when you have examples of plaintext and ciphertext for 
> that plaintext is known as a "known-plaintext attack".  Resistence to 
> known-plaintext attacks is one of the most important properties required 
> of modern crypto algorithms.  Other examples of cases where resistance 
> to known-plaintext attacks is critical include:
> 
> - IPSEC, where it's often the case that a potential attacker can trigger 
> known
>   plaintext to appear in the plaintext, and also through a packet 
> sniffer gain
>   access to the ciphertext, but is not permitted to know the secret key.
> 
> - SSL web servers, where a customer of an ISP may be able to provide 
> content
>   delivered using SSL, and can gain access to the ciphertext, but should 
> not
>   be able to derive the key.
> 
> There are attacks that reduce the computational cost of deriving keying 
> materials against known crypto algorithms; however, those attacks 
> typically do not signifcantly weaken the cipher.  Where they do, we have 
> a special term we can use to describe the algorithm: "broken".
> 
> Many crypto protocols (that is to say, conventions involving the use of 
> crypto) include "salt" or "initial vectors" (IVs) to limit the 
> effectiveness of dictionary attacks and known-plaintext attacks by 
> causing the same plaintext to be encrypted differently each time it is 
> encrypted.  These are typically pseudo-random values, or in the case of 
> chained crypto modes, earlier data in the ciphertext or cleartext, or in 
> the case of counter mode, a incrementing counter.
> 

So, if you know that multiple superblock copies are going to be written
at predictable places on the disk, and you know that the these copies
are identical, unchanging, and have predictable contents, does that give
you a starting point for a known-plaintext attack?   I believe that is
the question here.  Even if the block granularity of GBDE ensures that
the superblocks will be encrypted with other less-predictable data,
could you still predict that the outter cylinder groups of the disk
might be unused, and therefore have lots of predictable data on them?

Scott

More information about the freebsd-fs mailing list