** Description changed: [Impact] - * Default LUKS encryption settings in the installer are proven to be susceptible to a malleability attack (targeted manipulation of encrypted data). - * Thus it is proposed to bump defaults to aes-xts-plain64 which is believe to not be affected by above attack. + * Default LUKS encryption settings in the installer are proven to be susceptible to a malleability attack (targeted manipulation of encrypted data). + * Thus it is proposed to bump defaults to aes-xts-plain64 which is believe to not be affected by above attack. [Test Case] - * Perform LUKS encrypted installation using d-i (text) based interface - * After installation verity that XTS has been used, and not CBC. + * Perform LUKS encrypted installation using d-i (text) based interface + * After installation verity that XTS has been used, and not CBC. + + # cryptsetup luksDump /dev/sda5|grep Cipher Here is the sample of _bad_ (CBC) output: - # cryptsetup luksDump /dev/sda5|grep Cipher Cipher name: aes Cipher mode: cbc-essiv:sha256 - [Regression Potential] + Here is the sample of _good_ (XTS) output: - * + Cipher name: aes + Cipher mode: xts-plain64 [Other Info] 12.04 LUKS encryption in the installer defaulted to CBC. We should switch 12.04.4 to aes-xts-plain64 as in 12.10 and above. See: http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1263740 Title: 12.04.4 alternate installer encryption should default to aes-xts- plain64 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/partman-crypto/+bug/1263740/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
