On Wed, 2013-12-25 at 21:34 +0100, intrigeri wrote:
Hi,
Marco Calamari wrote (24 Dec 2013 11:42:36 GMT) :
After reading the description of this attack (an injection attack type
against LUKS-CBC volumes)
http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
I checked that my persistent partition (built a lot of Tails
versions ago) is of CBC type.
If an attacker gets write access to a Tails USB stick, they can as
well corrupt the initramfs or some other part of the system, and from
there have a persistent file be modified during next boot, without
having to guess what block this file is stored at in the persistent
volume. Seems easier than the attack against CBC, no?
Or did I miss the threat model you had in mind?
Hi
no, absolutely, you're right; but CBC has been under criticism for a long
time,
so at least doing persistence without it should not need
an explicit danger, but only because it is not best of breed
and the alternative block cipher mode is already there and comes
for free.
Time to switch to XTS and/or warn users having a CBC partition to
reformat?
Note that cryptsetup 1.6 defaults to XTS. Once Tails is based on
Wheezy, we might want to install this version, assuming a backport is
not too painful to produce and maintain. Anyone volunteering to
try this?
Additionally, this would provide compatibility with the on-disk
TrueCrypt format (which is not very useful until the rest of the
udisks / GNOME Disks / Nautilus stack has this support, wishlist bug
reported there a while ago, needs someone to write the code).
--
+--- http://www.winstonsmith.org ---+
| il Progetto Winston Smith: scolleghiamo il Grande Fratello |
| the Winston Smith Project: unplug the Big Brother |
| Marco A. Calamari mar...@marcoc.it http://www.marcoc.it |
| DSS/DH: 8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B |
+ PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698 --+
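As an added illustration of the malleability the thread is about (this is example code written for this page, not code from the thread, from Jakob Lell's post or from Tails), the script below shows why the CBC question matters and what XTS changes. It uses a toy 16-byte Feistel block cipher built from SHA-256 as a stand-in for AES, because the property being shown belongs to the mode, not to the block cipher: in CBC, P[i] = D(C[i]) XOR C[i-1], so an attacker with write access and no key can XOR any chosen difference into plaintext block i by XORing it into ciphertext block i-1, at the cost of garbling block i-1. In XTS the same edit only turns the touched block into garbage. Keys, the sector number and the "privileged=no" plaintext are constructed sample data.

```python
"""CBC vs XTS malleability demo (added example; toy cipher, NOT for real use)."""
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed SHA-256 truncated to 8 bytes.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network over two 8-byte halves; stands in for AES here.
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, _round(key, i, r))
    return r + l  # halves swapped so decryption runs the same network backwards


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))  # P[i] = D(C[i]) ^ C[i-1]
        prev = c
    return b"".join(out)


def _gf_mul_alpha(t: bytes) -> bytes:
    # Multiply a 128-bit little-endian value by x in GF(2^128), as in IEEE 1619 XTS.
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")


def _xts(k1: bytes, k2: bytes, sector: int, data: bytes, decrypt: bool) -> bytes:
    # XTS: tweak T = E_k2(sector) * alpha^j, C[j] = E_k1(P[j] ^ T) ^ T per 16-byte block.
    t = toy_encrypt_block(k2, sector.to_bytes(16, "little"))
    f = toy_decrypt_block if decrypt else toy_encrypt_block
    out = []
    for i in range(0, len(data), BLOCK):
        out.append(xor(f(k1, xor(data[i:i + BLOCK], t)), t))
        t = _gf_mul_alpha(t)
    return b"".join(out)


def xts_encrypt(k1: bytes, k2: bytes, sector: int, pt: bytes) -> bytes:
    return _xts(k1, k2, sector, pt, decrypt=False)


def xts_decrypt(k1: bytes, k2: bytes, sector: int, ct: bytes) -> bytes:
    return _xts(k1, k2, sector, ct, decrypt=True)


def malleability_demo() -> dict:
    key, iv = b"k" * 16, b"i" * 16        # constructed CBC key and IV
    k1, k2 = b"1" * 16, b"2" * 16         # constructed XTS key pair
    sector = 7                            # constructed sector number (XTS tweak input)
    # Constructed three-block sector; the attacker knows the layout but not the key.
    pt = b"block-0 padding!" + b"privileged=no   " + b"block-2 trailer!"
    want = b"privileged=yes  "
    delta = xor(pt[16:32], want)          # difference the attacker wants in block 1

    # CBC: XOR delta into ciphertext block 0 -> delta lands in plaintext block 1.
    ct = cbc_encrypt(key, iv, pt)
    dec = cbc_decrypt(key, iv, xor(ct[:16], delta) + ct[16:])

    # XTS: the same edit applied to ciphertext block 1 itself.
    xct = xts_encrypt(k1, k2, sector, pt)
    xdec = xts_decrypt(k1, k2, sector, xct[:16] + xor(xct[16:32], delta) + xct[32:])

    return {
        "cbc_target_rewritten": dec[16:32] == want,
        "cbc_previous_block_garbled": dec[:16] != pt[:16],
        "cbc_following_block_intact": dec[32:] == pt[32:],
        "xts_target_rewritten": xdec[16:32] == want,
        "xts_target_garbled": xdec[16:32] != pt[16:32],
        "xts_other_blocks_intact": xdec[:16] == pt[:16] and xdec[32:] == pt[32:],
    }


if __name__ == "__main__":
    for name, value in malleability_demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would want next to this. First, XTS removes the controlled bit-flip but is not authenticated encryption: an attacker with write access can still garble any single 16-byte block in place or replay an older ciphertext of the same sector, which is the point intrigeri makes above about write access to the stick being the real problem. Second, to check which mode an existing volume uses, `cryptsetup luksDump` on the partition prints the `Cipher mode:` line (for example `cbc-essiv:sha256` versus `xts-plain64`); the mode is fixed at format time, so moving a CBC persistent volume to XTS means reformatting and restoring, as Marco asks.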
___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev