* security of re-encryption
@ 2022-11-08  2:40 Philippe Cerfon
  2022-11-08  8:53 ` Michael Kjörling
  2022-11-08 20:10 ` Philippe Cerfon
  0 siblings, 2 replies; 3+ messages in thread
From: Philippe Cerfon @ 2022-11-08  2:40 UTC (permalink / raw)
  To: cryptsetup

Hey list.

I've just wondered whether there are any security implications of
re-encrypting a LUKS volume?

I mean if the payload data stays mostly or exactly the same and an
attacker would be able to make an image (of the encrypted volume)
before and after, could that help for statistical attacks in order to
get the key?


Thanks,
Philippe.


* Re: security of re-encryption
  2022-11-08  2:40 security of re-encryption Philippe Cerfon
@ 2022-11-08  8:53 ` Michael Kjörling
  2022-11-08 20:10 ` Philippe Cerfon
  1 sibling, 0 replies; 3+ messages in thread
From: Michael Kjörling @ 2022-11-08  8:53 UTC (permalink / raw)
  To: cryptsetup

On 8 Nov 2022 03:40 +0100, from philcerf@gmail.com (Philippe Cerfon):
> I mean if the payload data stays mostly or exactly the same and an
> attacker would be able to make an image (of the encrypted volume)
> before and after [re-encryption], could that help for statistical attacks in order to
> get the key?

Personally, while I am certainly open to being proved wrong in this, I
doubt it. That would imply that, with two unrelated keys both selected
at random, something in the underlying cipher (most likely AES) causes
the two ciphertexts of an identical plaintext to have correlations
that would provide an adversary with a significant advantage in
deriving either key. (Even just a few bits' work factor worth would
very likely count as significant here.)

Even if it was mode-specific (for example, applies only to AES-XTS, or
does not apply to any currently defined chaining modes), that would be
a _major_ break of any encryption algorithm, let alone of AES, and
something I would expect to be presented at a major cryptography
conference or at the very least in a field-relevant journal; certainly
not in a post on a mailing list.

It would also potentially have implications _far_ beyond full-disk
encryption. Consider just that the first several bytes of the HTTP
request portion of a HTTPS transaction are not just guessable, but can
pretty much be considered to be _known_ since they are essentially
dictated by the HTTP standard.

-- 
🪶 Michael Kjörling                  🏡 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
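
The situation discussed in the reply above, as an added example (not part of the original thread and not cryptsetup code): the same known plaintext is encrypted with AES-XTS under two independent random keys, as before and after a re-encryption, and the fraction of differing ciphertext bits is measured. The function names, the 512-byte sector size, the all-zero plaintext and the keys are assumptions constructed for the example; a value near 0.5 is what two unrelated random strings give, which illustrates the argument and does not prove it.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// xtsSector: AES-XTS over one sector; key = data key || tweak key (equal halves).
func xtsSector(key []byte, sector uint64, pt []byte) []byte {
	c1, _ := aes.NewCipher(key[:len(key)/2])
	c2, _ := aes.NewCipher(key[len(key)/2:])
	t, out := make([]byte, 16), make([]byte, len(pt))
	binary.LittleEndian.PutUint64(t, sector)
	c2.Encrypt(t, t) // initial tweak = E_k2(sector number)
	for off := 0; off < len(pt); off += 16 {
		b := out[off : off+16]
		for i := range b {
			b[i] = pt[off+i] ^ t[i]
		}
		c1.Encrypt(b, b)
		for i := range b {
			b[i] ^= t[i]
		}
		lo, hi := binary.LittleEndian.Uint64(t), binary.LittleEndian.Uint64(t[8:])
		binary.LittleEndian.PutUint64(t, lo<<1^(hi>>63)*0x87) // tweak * x in GF(2^128)
		binary.LittleEndian.PutUint64(t[8:], hi<<1|lo>>63)
	}
	return out
}

// diffFraction: fraction of ciphertext bits that differ when identical sectors
// are encrypted under two independent random 512-bit XTS keys.
func diffFraction(sectors int) (frac float64) {
	keys, pt := make([]byte, 128), make([]byte, 512) // constructed sample input
	rand.Read(keys)                                  // keys[:64] = old key, keys[64:] = new key
	for s := 0; s < sectors; s++ {
		before := xtsSector(keys[:64], uint64(s), pt)
		after := xtsSector(keys[64:], uint64(s), pt)
		for i := range before {
			frac += float64(bits.OnesCount8(before[i] ^ after[i]))
		}
	}
	return frac / float64(sectors*len(pt)*8)
}

func main() {
	fmt.Printf("bits differing between the two images: %.4f\n", diffFraction(2048))
}
```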



* Re: security of re-encryption
  2022-11-08  2:40 security of re-encryption Philippe Cerfon
  2022-11-08  8:53 ` Michael Kjörling
@ 2022-11-08 20:10 ` Philippe Cerfon
  1 sibling, 0 replies; 3+ messages in thread
From: Philippe Cerfon @ 2022-11-08 20:10 UTC (permalink / raw)
  To: cryptsetup

Hey Michael.

Thanks for your reply! :-)

> Consider just that the first several bytes of the HTTP
> request portion of a HTTPS transaction are not just guessable, but can
> pretty much be considered to be _known_ since they are essentially
> dictated by the HTTP standard.

I had thought about that, too, but imagined that the following might
make a difference:
- With HTTP, only the first few bytes are the same (more or less)
unless one transmits large files or so (but then again, wouldn't TLS
renegotiations happen after a while)? With LUKS one might have many TB
of ciphertext (before and after). So I wondered whether that could
make a difference.
- With TLS, doesn't one typically have some ephemeral key, and even if
that was compromised only that particular session (or part thereof)
would be compromised. For cryptsetup the key is "static", so the
effect would be much bigger.

Of course I didn't want to imply that I knew of any such attack.
I'm not an expert, so I merely asked whether something is known and
whether re-encryption is recommended from a security point of view!

So I guess it is. Thanks for your help.

Sincerely,
Philippe
