Date: Tue, 9 May 2000 10:10:01 +0200
   From: Thomas Pornin <[EMAIL PROTECTED]>

   My "attack model" is offline: the disk is analysed, possibly modified,
   while the machine is not powered; a somehow similar situation is the
   following: I send (by snail mail) a Jaz disk to a friend. It could be
   intercepted, so it should not be readable by anyone except my friend,
   and it might be modified and sent again.

   Since the encryption aims at being transparent, it does not provide
   any protection against online attacks, when the attacker gains root
   privilege.

... and what prevents the attacker from simply updating the checksum
when he's modifying the blocks?  

Worse yet, you're talking about using an XOR checksum.  It's utterly
trivial to modify data in such a way that the new data has the same XOR
checksum.  So an XOR checksum buys you very, very, little.  You could
use a cryptographic checksum, such as MD5, but such checksums are much
larger (they require 128 bits, at least), and you can no longer "take
off" data implied by the old data.  Otherwise, it's too easy for an
attacker to do the same thing.  You instead have to recalculate the MD5
checksum from scratch, each time you modify the file in any way.
(With a modified MD5 checksum you can append to the file as long as the
size of the file is an exact multiple of 16 bytes and you are appending
in 16 byte chunks, but that modification also weakens the resulting MD5
checksum, for similar reasons).

Clearly you don't understand cryptographic checksums.  I suggest
that you find a copy of Bruce Schneier's Applied Cryptography, and read
it....

   > By storing the checksum in the filesystem, the only thing this protects
   > you against is attackers who modify the filesystem via the block
   > device.  This is actually a relatively rare attack path.

   A short (but real) story to illustrate the need for on-the-fly,
   transparent encryption: in a cryptography-oriented lab, some data was
   considered "sensitive" (commercial secret, and other stuff). In a Sun
   station, a disk broke. Sun agreed to replace it for free, all they
   asked was that the previous disk was returned. However, it was stamped
   "sensitive", so it could not be sent to Sun. Two years later, the
   station had not yet been powered up again.

   The problem was that it was impossible to wipe the disk before sending
   it, since it was broken. All this could have been solved if any data
   ever written to the disk had been enciphered.

That's a silly story!  If they really needed to return the disk, all
they'd have to do is swipe it a couple of times over a gigantic magnetic
degausser, and that would wipe the disk clean.  At the NSA, where a
friend of mine used to work, they had deals with companies such as HP
where they would return the disk without platters in them, or if the
company really wanted the platters, they'd sandblast the magnetic oxide
off the disks first, and then return the sandblasted platters.

                                                - Ted
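The two points Ted makes above (an XOR checksum can be kept constant while the data changes, and an unkeyed checksum stored next to the data can simply be recomputed by whoever modifies the blocks) are easy to see in code. The following is an added example written for this page; it is not code from the thread, from Linux, or from either poster. It assumes a 16-byte XOR lane, a constructed 64-byte "disk block" (one passwd-style record padded with NULs), and it goes one step beyond the thread by showing what actually closes the gap: a keyed tag (HMAC over SHA-256, a choice made here, not one the thread discusses), which an offline attacker without the key cannot regenerate.

```python
import hashlib
import hmac
import secrets

LANE = 16  # width of the XOR checksum word, in bytes (assumed, as in the thread's scheme)

# Constructed sample block, not data from the thread: one record plus NUL padding.
SAMPLE_BLOCK = b"uid=1000 name=alice shell=/bin/sh\n".ljust(64, b"\0")


def xor_checksum(data: bytes, lane: int = LANE) -> bytes:
    """Fold data into one lane-byte word by XOR (the checksum the thread argues against)."""
    acc = bytearray(lane)
    for i, b in enumerate(data):
        acc[i % lane] ^= b
    return bytes(acc)


def forge_same_xor(data: bytes, offset: int, new_byte: int, absorb_offset: int,
                   lane: int = LANE) -> bytes:
    """Overwrite data[offset] with new_byte and cancel the change at absorb_offset.

    Both positions must fall in the same XOR lane (offsets congruent mod lane), so the
    XOR of that lane, and hence the whole checksum, is unchanged.  Choosing
    absorb_offset inside padding hides the compensating byte from a casual reader.
    """
    if (absorb_offset - offset) % lane != 0:
        raise ValueError("absorb_offset must be in the same XOR lane as offset")
    buf = bytearray(data)
    delta = buf[offset] ^ new_byte
    buf[offset] = new_byte
    buf[absorb_offset] ^= delta
    return bytes(buf)


def md5_tag(data: bytes) -> bytes:
    """Unkeyed cryptographic checksum stored beside the data, as suggested in the thread."""
    return hashlib.md5(data).digest()


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): only a holder of key can compute one that verifies."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag)


def run_demo(block: bytes = SAMPLE_BLOCK) -> dict:
    """Tamper with the block offline and report which scheme notices.

    Returns {"xor_detected", "md5_detected", "mac_detected"} -> bool.
    """
    # 1. The owner writes the block and stores each kind of checksum with it.
    key = secrets.token_bytes(32)          # held by the owner only
    stored_xor = xor_checksum(block)
    stored_md5 = md5_tag(block)
    stored_mac = mac_tag(key, block)

    # 2. Offline attacker rewrites "uid=1000" to "uid=0000" and parks the
    #    compensating byte two lanes later, inside the NUL padding.
    offset = block.index(b"1000")
    forged = forge_same_xor(block, offset, ord("0"), offset + 2 * LANE)

    # XOR: nothing to update at all, the stored checksum still matches.
    xor_detected = xor_checksum(forged) != stored_xor

    # MD5: the attacker cannot keep the old digest, but he can recompute it
    # from scratch and write the new one beside the modified block.
    attacker_md5 = md5_tag(forged)
    md5_detected = md5_tag(forged) != attacker_md5   # verifier sees a consistent pair

    # HMAC: without the key the attacker's best option is to leave the old tag,
    # which no longer verifies.
    mac_detected = not mac_verify(key, forged, stored_mac)

    return {"xor_detected": xor_detected,
            "md5_detected": md5_detected,
            "mac_detected": mac_detected}


if __name__ == "__main__":
    print(run_demo())
```

The point of the keyed variant is the one the thread circles around: a checksum the attacker can recompute (XOR, MD5, or any other unkeyed function) only protects against accidental corruption; authenticity against someone who can rewrite the block device requires a secret the attacker does not hold, and that secret must not live on the same disk.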
