All of lore.kernel.org
 help / color / mirror / Atom feed
From: David Gstir <david@sigma-star.at>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Eric Biggers <ebiggers3@gmail.com>,
	linux-fscrypt@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
	linux-ext4@vger.kernel.org,
	linux-f2fs-devel@lists.sourceforge.net,
	linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
	Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
	Jaegeuk Kim <jaegeuk@kernel.org>,
	Michael Halcrow <mhalcrow@google.com>,
	Paul Crowley <paulcrowley@google.com>,
	Martin Willi <martin@strongswan.org>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Eric Biggers <ebiggers@google.com>,
	Richard Weinberger <richard@nod.at>
Subject: Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption
Date: Mon, 11 Dec 2017 17:11:41 +0100	[thread overview]
Message-ID: <899E2752-1AD9-4DF4-ABC7-E0D1582AF292@sigma-star.at> (raw)
In-Reply-To: <CAHmME9ob8eG1yS=jkGHFnYDq+FtiJCP38CKpzUs0Z33R8_0Msw@mail.gmail.com>


> On 08.12.2017, at 03:51, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Hi Eric,
> 
> Nice to see more use of ChaCha20. However...
> 
> Can we skip over the "sort of worse than XTS, but not having _real_
> authentication sucks anyway in either case, so whatever" and move
> directly to, "linux finally supports authenticated encryption for disk
> encryption!"? This would be a big deal and would actually be a
> noticeable security improvement, instead of a potentially dubious step
> sidewaysbackish.

Out of curiosity, does anybody know of any specific attacks that authenticated
encryption for disk encryption would solve as opposed to just using encryption
with AES-XTS?

To my knowledge the XTS mode is frowned upon [1], but I don't know of any
serious flaws that would eg. allow an attacker to modify file contents
without a *serious* amount of effort. CBC is another story though [2].

Don't get me wrong, I'd like to have authenticated encryption too.
In fact we are currently working on a concept for adding authentication to
UBIFS (I'll share more details as soon as its in a presentable state).
However, the reason for this is mainly because UBIFS does *not* operate on
the block layer, so dm-integrity/dm-verity is not an option and fscrypt
only protects the confidentiality of file contents and filenames.
This means that the filesystem index is unprotected which makes it rather
easy to move files around - eg. replace /bin/bash with something completely
different without knowing the fscrypt master key or any derived key.

For the general use case though (eg. securing *really important* files on my desktop),
I'd use authenticated encryption at a higher layer to get more flexibility
to eg. easily use explicit IVs over implicit ones derived from block/sector
number. But maybe there are some uses cases I didn't think of just now... :)

David

[1] https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/
[2] http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/

  parent reply	other threads:[~2017-12-11 16:11 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-08  1:38 [PATCH] fscrypt: add support for ChaCha20 contents encryption Eric Biggers
2017-12-08  2:51 ` Jason A. Donenfeld
2017-12-08  7:20   ` Ard Biesheuvel
2017-12-08 21:42     ` Eric Biggers
2017-12-09 15:40       ` Geo Kozey
2017-12-10 19:05         ` Eric Biggers
2017-12-11 16:11   ` David Gstir [this message]
2017-12-08  9:11 ` Ard Biesheuvel
2017-12-08  9:11   ` Ard Biesheuvel
2017-12-08 10:06     ` Ard Biesheuvel
2017-12-08 10:06       ` Ard Biesheuvel
2017-12-08 10:14       ` Stephan Mueller
2017-12-08 10:27         ` Ard Biesheuvel
2017-12-08 10:27           ` Ard Biesheuvel
2017-12-09  0:48 ` Jeffrey Walton
2017-12-10 18:59   ` Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=899E2752-1AD9-4DF4-ABC7-E0D1582AF292@sigma-star.at \
    --to=david@sigma-star.at \
    --cc=Jason@zx2c4.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=ebiggers3@gmail.com \
    --cc=ebiggers@google.com \
    --cc=jaegeuk@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-f2fs-devel@lists.sourceforge.net \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-mtd@lists.infradead.org \
    --cc=martin@strongswan.org \
    --cc=mhalcrow@google.com \
    --cc=paulcrowley@google.com \
    --cc=richard@nod.at \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.