** Description changed:

+ [Impact]
+ 
+  * Default LUKS encryption settings in the installer are proven to be 
susceptible to a malleability attack (targeted manipulation of encrypted data).
+  * Thus it is proposed to bump defaults to aes-xts-plain64 which is believed 
to not be affected by the above attack.
+ 
+ [Test Case]
+ 
+  * Perform LUKS encrypted installation using d-i (text) based interface
+  * After installation verify that XTS has been used, and not CBC.
+ 
+ Here is the sample of _bad_ (CBC) output:
+ 
+ # cryptsetup luksDump /dev/sda5|grep Cipher
+ Cipher name:    aes
+ Cipher mode:    cbc-essiv:sha256
+ 
+ [Regression Potential]
+ 
+  *
+ 
+ [Other Info]
+ 
  12.04 LUKS encryption in the installer defaulted to CBC. We should
  switch 12.04.4 to aes-xts-plain64 as in 12.10 and above.
  
  See:
  
http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/

** Changed in: partman-crypto (Ubuntu Precise)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/1263740

Title:
  12.04.4 alternate installer encryption should default to aes-xts-
  plain64
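
The test case above can be scripted. The following is an added example, not part of the bug report or of partman-crypto: it parses the LUKS1 `Cipher name:` / `Cipher mode:` fields shown in the sample output and fails on anything other than an XTS mode. The function names and the XTS sample are constructed for illustration.

```shell
#!/bin/sh
# check_luks_cipher: read `cryptsetup luksDump` output on stdin and print
#   PASS <cipher>-<mode>   when the cipher mode is XTS
#   FAIL <cipher>-<mode>   when it is CBC or any other mode
#   UNKNOWN                when the LUKS1 cipher fields are missing
# Return status: 0 = PASS, 1 = FAIL, 2 = UNKNOWN.
# Real use: cryptsetup luksDump /dev/sda5 | check_luks_cipher
check_luks_cipher() {
    awk '
        # LUKS1 header fields, as in the sample output in the bug report
        /^Cipher name:/ { name = $3 }
        /^Cipher mode:/ { mode = $3 }
        END {
            if (name == "" || mode == "") { print "UNKNOWN"; exit 2 }
            spec = name "-" mode
            if (mode ~ /^xts-/) { print "PASS " spec; exit 0 }
            print "FAIL " spec
            exit 1
        }'
}

# Constructed sample: the _bad_ (CBC) header fields quoted in the report.
sample_cbc() {
    cat <<'EOF'
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
EOF
}

# Constructed sample: the same fields with the proposed XTS default.
sample_xts() {
    cat <<'EOF'
Cipher name:    aes
Cipher mode:    xts-plain64
EOF
}

# Demonstration on the constructed samples (status ignored here).
sample_cbc | check_luks_cipher || true
sample_xts | check_luks_cipher || true
```
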
