
List:       linux-crypto
Subject:    Re: Vulnerability in encrypted loop device for Linux
From:       Gisle Sælensminde <gisle () ii ! uib ! no>
Date:       2001-12-19 11:25:37

On Wed, 19 Dec 2001, Gisle Sælensminde wrote:

>
> Yes, this is a problem with loopback crypto. The problem is that the
> loopback interface assumes that it's length preserving, and that makes
> insertion of a MAC difficult.

The problem can partially be solved in a length preserving way. Before
the data is encrypted a so called 'all or nothing transform' is applied
to the data. That is a length preserving function f(x) -> y such that
modification to any block in y to y' will make f^-1(y') be different
from x in all blocks. Ronald Rivest has written a paper on this.

Ronald Rivest himself proposes one such mode based on a block cipher.
Another possible transform is to use DFFT (discrete fast Fourier transform)
as f, and IDFFT (the inverse) as f^-1. If E(k,v,P) encrypts a block with IV v,
and D(k,v,C) decrypts it, encryption is changed to C = E(k,v,f(P)),
and decryption to P = f^-1(D(k,v,C)). This transform will make it
hard to insert chosen ciphertexts, as Jerome Etienne's paper describes.

It will not solve all problems. That is theoretically impossible
without adding redundancy.

--
Gisle Sælensminde ( gisle@ii.uib.no )

With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going
to land, and it could be dangerous sitting under them as they fly
overhead. (from RFC 1925)
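The block-cipher-based transform Rivest proposes, as an added example that is not code from the post or from any loop-device driver: this is his package transform, with an HMAC-SHA256 PRF standing in for the block cipher E (an assumption made so it runs with the standard library only; only the forward direction of E is ever needed). Note that the package transform emits s+1 blocks, so unlike the ideal f described in the post it is not strictly length preserving; the property it does give is that flipping one bit anywhere in the pseudo-message changes every block recovered by the inverse.

```python
import hmac
import hashlib
import os

BLOCK = 16  # 128-bit blocks, as with AES

def E(key: bytes, x: bytes) -> bytes:
    """Hypothetical keyed block function: HMAC-SHA256 truncated to one block.
    It stands in for the block cipher E(k, x) of Rivest's package transform;
    only the forward direction is used, so any PRF will do here."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def idx(i: int) -> bytes:
    return i.to_bytes(BLOCK, "big")

K0 = b"\x00" * BLOCK  # fixed, public key for the hash-like second pass

def package(msg: bytes, kp: bytes = b"") -> bytes:
    """Forward transform f: s message blocks -> s+1 pseudo-message blocks."""
    assert len(msg) % BLOCK == 0, "message must be a whole number of blocks"
    kp = kp or os.urandom(BLOCK)                       # one-time key K'
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    pm = [xor(m, E(kp, idx(i))) for i, m in enumerate(blocks, 1)]
    tail = kp
    for i, mp in enumerate(pm, 1):                     # h_i = E(K0, m'_i xor i)
        tail = xor(tail, E(K0, xor(mp, idx(i))))
    return b"".join(pm) + tail                         # m'_{s+1} = K' xor h_1 ... xor h_s

def unpackage(pm: bytes) -> bytes:
    """Inverse transform f^-1: every block must be intact to recover K'."""
    blocks = [pm[i:i + BLOCK] for i in range(0, len(pm), BLOCK)]
    body, tail = blocks[:-1], blocks[-1]
    kp = tail
    for i, mp in enumerate(body, 1):
        kp = xor(kp, E(K0, xor(mp, idx(i))))
    return b"".join(xor(mp, E(kp, idx(i))) for i, mp in enumerate(body, 1))

def blocks_changed_by_tamper(msg: bytes, kp: bytes, pos: int) -> list:
    """Flip one bit of the pseudo-message at byte offset pos and report,
    block by block, whether the inverse transform's output differs from msg."""
    pm = bytearray(package(msg, kp))
    pm[pos] ^= 0x01
    recovered = unpackage(bytes(pm))
    return [recovered[i:i + BLOCK] != msg[i:i + BLOCK]
            for i in range(0, len(msg), BLOCK)]
```

A tampered pseudo-message block corrupts the recovered K', so the XOR mask on every block is wrong; this is what makes the chosen-ciphertext insertion described in the thread hard, even though nothing detects the change.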

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
