On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:

> Ivan Krstić wrote:
>> TrueCrypt is a fine solution and indeed very helpful if you need cross-platform encrypted volumes; it lets you trivially make an encrypted USB key you can use on Linux, Windows and OS X. If you're *just* talking about OS X, I don't believe TrueCrypt offers any advantages over encrypted disk images unless you're big on conspiracy theories.
>
> Note my information may be out of date. I believe that MacOS native encrypted disk images (and thus FileVault) use AES in CBC mode without any integrity protection; the Wikipedia article seems to confirm that is (or at least was) the case: http://en.wikipedia.org/wiki/FileVault

Unauthenticated CBC is indeed a problem:
        http://tinyurl.com/ycoaruo

> There is also a sleep mode issue identified by the NSA:
> http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

I don't think that Jacob Appelbaum or Ralf-Philipp Weinmann work for the NSA (but having "crypto.nsa.org" is cool :-)

> TrueCrypt on the other hand uses AES in XTS mode so you get confidentiality and integrity.

Technically, you do not get integrity. With XTS (P1619, narrow block tweaked cipher) you are not notified of data integrity failures, but these data integrity failures have much reduced usability compared to CBC. With XTS:

1) You can return 16 byte chunks to previous values (ciphertext replay) as long as it is to the same place (offset) as it was before.

2) If you change a bit, you will randomize a 16 byte chunk of information.
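As an added illustration of the two XTS properties just listed (example code written for this page, not from the thread and not TrueCrypt's code), here is a minimal XTS-AES over whole 512-byte sectors placed beside unauthenticated CBC. The XTS implementation, the key labels, the sector contents and the chosen offsets are all constructed for the demo, and the keys are derived from labels only to keep the run deterministic. BitFlipScope shows that one flipped ciphertext bit randomises only the 16-byte block it sits in under XTS, while under CBC it garbles that block and flips exactly that one bit in the next block; ReplaySameSector shows that an older ciphertext block decrypts correctly only when put back at the same sector and offset, because the tweak depends on both.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

const blockSize, sectorSize = 16, 512

func demoCipher(label string) cipher.Block {
	k := sha256.Sum256([]byte(label)) // fixed, constructed key derived from a label: demo only
	b, _ := aes.NewCipher(k[:])       // 32-byte key, so NewCipher cannot fail here
	return b
}

func sectorPlaintext(version byte) []byte { return bytes.Repeat([]byte{version}, sectorSize) } // constructed sector

// xor writes a ^ b into dst; all three are one 16-byte block.
func xor(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// xtsCrypt is a minimal XTS-AES for whole-block sectors (no ciphertext stealing):
// T_0 = AES_k2(sector), T_j = T_{j-1} * x in GF(2^128), C_j = AES_k1(P_j ^ T_j) ^ T_j.
// Each 16-byte block is bound to its sector and offset, but nothing authenticates it.
func xtsCrypt(k1, k2 cipher.Block, sector uint64, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	var t [blockSize]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	k2.Encrypt(t[:], t[:])
	crypt := k1.Encrypt
	if !encrypt {
		crypt = k1.Decrypt
	}
	for j := 0; j < len(in); j += blockSize {
		blk := out[j : j+blockSize]
		xor(blk, in[j:j+blockSize], t[:])
		crypt(blk, blk)
		xor(blk, blk, t[:])
		var carry byte // T <- T * x, IEEE 1619 little-endian convention
		for i := range t {
			carry, t[i] = t[i]>>7, t[i]<<1|carry
		}
		if carry != 0 {
			t[0] ^= 0x87
		}
	}
	return out
}

// BitFlipScope flips one ciphertext bit in block 3 of an encrypted sector, decrypts,
// and returns how many plaintext bits changed in each 16-byte block.
func BitFlipScope(mode string) []int {
	p, d := sectorPlaintext(0), make([]byte, sectorSize)
	if mode == "xts" {
		k1, k2 := demoCipher("xts-k1"), demoCipher("xts-k2")
		c := xtsCrypt(k1, k2, 7, p, true)
		c[3*blockSize+5] ^= 0x01
		d = xtsCrypt(k1, k2, 7, c, false)
	} else { // unauthenticated CBC, the mode the thread attributes to FileVault
		k, iv := demoCipher("cbc-k"), sha256.Sum256([]byte("cbc-iv"))
		c := make([]byte, sectorSize)
		cipher.NewCBCEncrypter(k, iv[:blockSize]).CryptBlocks(c, p)
		c[3*blockSize+5] ^= 0x01
		cipher.NewCBCDecrypter(k, iv[:blockSize]).CryptBlocks(d, c)
	}
	bitsPerBlock := make([]int, sectorSize/blockSize)
	for i := range p {
		bitsPerBlock[i/blockSize] += bits.OnesCount8(p[i] ^ d[i])
	}
	return bitsPerBlock
}

// ReplaySameSector splices block 2 of an older ciphertext of sector 7 into the current
// ciphertext, at the same offset and at offset 5, and reports whether the old plaintext
// block comes back: the tweak depends on the offset, so only the same-offset copy does.
func ReplaySameSector() (sameOffset, otherOffset bool) {
	k1, k2 := demoCipher("xts-k1"), demoCipher("xts-k2")
	oldP, oldC := sectorPlaintext(0), xtsCrypt(k1, k2, 7, sectorPlaintext(0), true)
	curC := xtsCrypt(k1, k2, 7, sectorPlaintext(1), true)
	restored := func(dst int) bool {
		s := append([]byte(nil), curC...)
		copy(s[dst*blockSize:(dst+1)*blockSize], oldC[2*blockSize:3*blockSize])
		d := xtsCrypt(k1, k2, 7, s, false)
		return bytes.Equal(d[dst*blockSize:(dst+1)*blockSize], oldP[2*blockSize:3*blockSize])
	}
	return restored(2), restored(5)
}

func main() {
	same, other := ReplaySameSector()
	fmt.Println(BitFlipScope("xts"), BitFlipScope("cbc"), same, other)
}
```

Running it prints two 32-entry lists: under XTS only entry 3 is nonzero (roughly half of its 128 bits), under CBC entry 3 is nonzero and entry 4 is exactly 1; the replay result is `true false`. Neither mode reports an error in any of these cases, which is the point the post makes: XTS limits the damage but does not detect it.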

With the P1619.2 mode, which I believe is called TET (IEEE 1619.2, wide block tweaked cipher), there are different characteristics. Usually the wide block is a sector so it can be 512 or some other value. In this case, you do not get complete integrity either. In this case:

1) You can return a sector to a previous value (sector replay) as long as it is to the same place (offset) as it was before.

2) If you change a bit, you will randomize a complete sector of information.

If you change this to ZFS Crypto
        http://opensolaris.org/os/project/zfs-crypto/
you get complete integrity detection, with the only remaining vulnerability that

1) you can return the entire disk to a previous state.
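Added example (not from the thread, and not ZFS crypto's own on-disk format): an AES-GCM sector store that binds the sector number into the associated data, used here as a stand-in for an authenticated design. It shows the integrity detection the post credits to ZFS for an in-place modification and for a valid sector copied to another location, and it shows the residual the post names: writing back a whole older record still verifies, because a MAC proves the record was produced under the key, not that it is the current one. The record layout, the key, the nonces and the sector contents are constructed for the demo; the stand-in works per sector, whereas the page says ZFS narrows the residual to rolling back the entire disk.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512

// record is what the demo store keeps per sector: the nonce used for that write
// plus ciphertext||tag. Constructed layout for this example.
type record struct {
	nonce []byte
	ct    []byte
}

// store encrypts sectors with AES-GCM and binds each to its sector number through
// the associated data. Stand-in for an authenticated design, not ZFS's format.
type store struct {
	aead cipher.AEAD
	recs map[uint64]record
}

func newStore(key []byte) *store {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	return &store{aead: aead, recs: map[uint64]record{}}
}

func sectorAD(sector uint64) []byte {
	ad := make([]byte, 8)
	binary.LittleEndian.PutUint64(ad, sector)
	return ad
}

// Write encrypts the sector under a fresh random nonce (a nonce must never repeat under one key).
func (s *store) Write(sector uint64, pt []byte) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.recs[sector] = record{nonce, s.aead.Seal(nil, nonce, pt, sectorAD(sector))}
}

// Read decrypts and verifies; any change to nonce, ciphertext, tag or sector number fails.
func (s *store) Read(sector uint64) ([]byte, error) {
	r := s.recs[sector]
	return s.aead.Open(nil, r.nonce, r.ct, sectorAD(sector))
}

// Demo builds a constructed two-version history of sector 7 and reports whether
// a bit flip, a cross-sector copy, and a rollback to version 1 are detected.
func Demo() (flipDetected, moveDetected, rollbackDetected bool) {
	s := newStore(bytes.Repeat([]byte{0x42}, 32)) // fixed constructed key: demo only
	v1, v2 := bytes.Repeat([]byte{1}, sectorSize), bytes.Repeat([]byte{2}, sectorSize)
	s.Write(7, v1)
	old := s.recs[7] // the version-1 record, as an old backup of the disk would hold it
	s.Write(7, v2)
	s.Write(8, v1)

	// 1) one ciphertext bit changed in place: tag check fails
	r := s.recs[7]
	ct := append([]byte(nil), r.ct...)
	ct[3*16+5] ^= 0x01
	s.recs[7] = record{r.nonce, ct}
	_, err := s.Read(7)
	flipDetected = err != nil

	// 2) a valid record copied from sector 8 into sector 7: associated data mismatch
	s.recs[7] = s.recs[8]
	_, err = s.Read(7)
	moveDetected = err != nil

	// 3) the whole old record written back: authentic, merely stale, so it verifies
	s.recs[7] = old
	got, err := s.Read(7)
	rollbackDetected = err != nil || !bytes.Equal(got, v1)
	return flipDetected, moveDetected, rollbackDetected
}

func main() {
	f, m, rb := Demo()
	fmt.Printf("bit flip detected=%v, cross-sector copy detected=%v, rollback detected=%v\n", f, m, rb)
}
```

The third outcome is the design lesson: detecting rollback needs state outside the record itself (a version counter, a hash tree, or a parent block pointer that carries the child's MAC), which is why even an authenticated design leaves "restore everything to an older state" as the remaining case.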

While I may have put you all to sleep, the basic premise holds... XTS is better than unauthenticated CBC.
        http://www.cpni.gov.uk/docs/re-20050509-00385.pdf
        http://jvn.jp/niscc/NISCC-004033/index.html
        http://www.kb.cert.org/vuls/id/302220

--
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
