On Jan 13, 2011, at 10:40 AM, travis+ml-rbcryptogra...@subspacefield.org wrote:

> So does anyone know off the top of their head whether dm-crypt or
> TrueCrypt (or other encrypted storage things) promise data integrity
> in any way, shape or form?

This depends on what you mean by data integrity. In a strict, formal way, where 
you'd want to have encryption and a MAC, the answer is no. I don't know of one 
that does, but if there *is* one that does, it's likely got other issues. 
Disks, for example, pretty much assume that a sector is 512 bytes (or 
whatever). There's no slop in there. It wouldn't surprise me if someone were 
doing one, but it adds a host of other operational issues.

However -- a number of storage things (including TrueCrypt) are using modes 
like XTS-AES. These modes are sometimes called "PMA" modes for "Poor Man's 
Authentication." XTS in particular is a wide-block mode that takes a per-block 
tweak. This means that if you are using an XTS block of 512 bytes, then a 
single-bit change to the ciphertext causes the whole block to decrypt 
incorrectly. If you're using a 4K data block, even better, as the single bit 
error propagates to the whole 4K. On top of that, there's the use of the tweak 
parameter; in disk storage, it's typically a function of the LBA of the data. 

Together, this severely limits what an attacker can do to a storage system. 
Single bit changes make a whole sector go bad, and you can't shuffle sectors. 
While that isn't authentication in a formal sense, operationally the 
constraints it puts on the attacker make it look a lot like authentication.

XTS has the additional advantage that it's a small overhead on top of AES.

So while it's not actual data integrity, once you start lowering your 
requirements by saying, "in any way, shape or form," anyone who is using XTS, 
EME, or other wide-block, tweakable modes is getting close to what you're 
asking for.

        Jon

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
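
The strict "encryption and a MAC" design the reply contrasts with XTS, sketched as an added example (not code from the post, dm-crypt or TrueCrypt). `SectorStore`, `tag_sectors` and `demo` are hypothetical names, the sector contents are constructed random bytes standing in for ciphertext, and the tags are assumed to live in a separate metadata area because a 512-byte sector has no room for them.

```python
import hashlib
import hmac
import os
import struct

SECTOR = 512   # bytes per LBA; the disk has no spare room for a tag
TAG_LEN = 32   # HMAC-SHA256 output


class SectorStore:
    """Hypothetical store: ciphertext sectors plus tags kept out-of-band."""

    def __init__(self, mac_key, n_sectors):
        self.key = mac_key
        self.sectors = [bytes(SECTOR)] * n_sectors
        self.tags = [self._tag(lba, bytes(SECTOR)) for lba in range(n_sectors)]

    def _tag(self, lba, ct):
        # Binding the LBA into the MAC is what stops sector shuffling.
        msg = struct.pack(">Q", lba) + ct
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, lba, ct):
        if len(ct) != SECTOR:
            raise ValueError("sector must be exactly %d bytes" % SECTOR)
        self.sectors[lba], self.tags[lba] = ct, self._tag(lba, ct)

    def verify(self, lba):
        # An old sector restored together with its old tag still verifies.
        return hmac.compare_digest(self.tags[lba], self._tag(lba, self.sectors[lba]))


def tag_sectors(n_data_sectors):
    """Extra sectors needed to hold one tag per data sector."""
    per_sector = SECTOR // TAG_LEN
    return -(-n_data_sectors // per_sector)   # ceiling division


def demo():
    store = SectorStore(os.urandom(32), 8)
    for lba in range(8):
        store.write(lba, os.urandom(SECTOR))   # constructed stand-in ciphertext
    raw = bytearray(store.sectors[3])
    raw[100] ^= 0x01                           # single-bit change on "disk"
    store.sectors[3] = bytes(raw)
    s, t = store.sectors, store.tags
    s[5], s[6], t[5], t[6] = s[6], s[5], t[6], t[5]   # swap sectors and tags
    return {"flip": store.verify(3), "swap": store.verify(5) or store.verify(6),
            "clean": store.verify(0), "extra": tag_sectors(1_000_000)}
```

`demo()` reports the flipped and swapped sectors as failing verification and an untouched one as passing; `extra` is the number of additional 512-byte sectors a million-sector volume needs for its tags, which is the kind of operational cost the reply refers to.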