ChaCha8/12/20 and GEOM ELI tests
rozhuk.im at gmail.com
rozhuk.im at gmail.com
Wed Jan 14 05:56:57 UTC 2015
> >>> Maybe faster but a stream cipher is unusable for disk encryption -
> >>> iv is derived from sector number and doesn't change. Being able to
> >>> write a known plaintext and read resulting ciphertext allows you to
> >>> recover the cipher stream and decrypt any past or future data
> stored
> >>> on that sector.
> >>
> >> Depends on the capabilities of the attacker.
> >>
> >> To be able to continuously read encrypted sectors for data
> collection
> >> is too much.
> >
> > I disagree. It's the most basic attack scenario. Assuming attacker
> was
> > able to get access to encrypted disk once, odds are high it may
> happen
> > again.
> Agreed:
> In day to day life if anyone had an ability to read content off
> laptop’s hdd when it is hibernated - he would break the encryption.
> In server world if one has access to two HDDs from the same raid1 from
> different points in time - he also will have the ability to decrypt
> data.
While the laptop is sleeping from the dump, you can get any encryption keys the mounted disk, no matter what they are encrypted.
With servers agree, but I specifically focus on the conditions of application of ChaCha.
> > Stream cipher (or similarly functioning block cipher mode) should not
> > be used for disk encryption. IMHO swap encryption hardly justifies
> > adding insecure encryption mode to geli. Fast swap is certainly nice
> > to have, but rather remains a snake oil, system will remain trashed
> > due to swapping no matter how fast swap is.
> Agreed again, if one really wants to add stream cipher he should then
> securely generate random IV and write it to disk along with the data
> (e.g. how g_eli_integrity.c does for HMAC, or even something simpler
> since one does not have a requirement of storing IV on the same sector
> as data)
ChaCha perfectly suitable where speed is needed, but you can go to some risks.
I do not see the possibility of an attacker can decrypt ChaCha if he is unable to read the encrypted data in a different time and compare them with the plain text.
ChaCha is not a silver bullet when encrypting drives, but its area of application it has.
More information about the freebsd-geom
mailing list