From: mgreger@cinci.rr.com
Date: Wed, 13 Nov 2019 15:15:15 +0000
Subject: [dm-crypt] Two questions

1) Should it be possible to use a detached header and --integrity
options to cryptsetup at the same time? When I try, I get a message
'No integrity superblock detected on header.'

2) Are there security implications of using a single detached header
with multiple encrypted volumes?

Thanks

From: Michael Kjörling
Date: Wed, 13 Nov 2019 18:07:31 +0000
Subject: Re: [dm-crypt] Two questions

On 13 Nov 2019 15:15 +0000, from mgreger@cinci.rr.com:
> 2) Are there security implications of using a single detached header
> with multiple encrypted volumes?

Yes; it implies that the two volumes are encrypted using the same
master key (as well as being accessible using the same set of
passphrases), _and_ it makes it obvious that this is the case.

Whether that's a problem _in practice_ is another matter. It's
possible that in your scenario that's unproblematic, but it would be
nearly impossible to tell from just a single-sentence question.

For the general case, I would definitely very strongly suggest to have
different headers, with different master keys, even if the passphrases
are the same.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”

From: mgreger@cinci.rr.com
Date: Wed, 13 Nov 2019 18:42:55 +0000
Subject: Re: [dm-crypt] Two questions

From Michael Kjörling:

> Yes; it implies that the two volumes are encrypted using the same
> master key (as well as being accessible using the same set of
> passphrases), _and_ it makes it obvious that this is the case.

(Assume any detached header is absent)

Obvious by inspecting the raw encrypted drives? My concern is salt/iv
reuse for same sector #'s on multiple drives leading to information
leakage.

For example let's say two encrypted drives were mirrored. Using the
same master key would make it obvious they are mirrored, but no
additional information is leaked (other than that they are in fact
copies of each other). But more complex scenarios exist: RAID, LVM2
headers, etc. Those other scenarios are the ones I am curious about.

From: Arno Wagner
Date: Thu, 14 Nov 2019 00:16:26 +0100
Subject: Re: [dm-crypt] Two questions

On Wed, Nov 13, 2019 at 19:42:55 CET, mgreger@cinci.rr.com wrote:
> From Michael Kjörling:
>
> > Yes; it implies that the two volumes are encrypted using the same
> > master key (as well as being accessible using the same set of
> > passphrases), _and_ it makes it obvious that this is the case.
>
> (Assume any detached header is absent)
>
> Obvious by inspecting the raw encrypted drives? My concern is salt/iv
> reuse for same sector #'s on multiple drives leading to information
> leakage.
>
> For example let's say two encrypted drives were mirrored. Using the
> same master key would make it obvious they are mirrored, but no
> additional information is leaked (other than that they are in fact
> copies of each other). But more complex scenarios exist: RAID, LVM2
> headers, etc. Those other scenarios are the ones I am curious about.

You may also have sectors in filesystems that are generally the same
and that would be obvious.

The simple answer is: If you care, then do not do this.
Otherwise you do not care and it is not a problem.
No amount of analysis will make this go away.

Regards,
Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

From: mgreger@cinci.rr.com
Date: Thu, 14 Nov 2019 02:43:40 +0000
Subject: Re: [dm-crypt] Two questions

From Arno Wagner, Dr.:

> You may also have sectors in filesystems that are generally the
> same and that would be obvious.

Thanks, that's what I was curious about.

> The simple answer is: If you care, then do not do this.

That seems like good advice.

From: mgreger@cinci.rr.com
Date: Thu, 14 Nov 2019 02:45:53 +0000
Subject: Re: [dm-crypt] Two questions

Any idea regarding my other question?

1) Should it be possible to use a detached header and --integrity
options to cryptsetup at the same time? When I try, I get a message
'No integrity superblock detected on header.'

From: Ondrej Kozina
Date: Thu, 14 Nov 2019 10:15:41 +0100
Subject: Re: [dm-crypt] Two questions

On 11/13/19 4:15 PM, mgreger@cinci.rr.com wrote:
> 1) Should it be possible to use a detached header and --integrity
> options to cryptsetup at the same time? When I try, I get a message 'No
> integrity superblock detected on header.'

Detached LUKS2 header with auth. encryption does not work. We should add
a straightforward error message right in 'luksFormat' and 'open' actions.
(Interestingly it fails in different code up to 2.0.6 and post 2.1.0,
but it doesn't work in either release.) From my perspective it's a bug
that it fails so late in crypt_format() code.

Right now, I'm not sure if it's only an unfinished feature from userspace
perspective or we miss something also in kernel to make it work correctly.

O.

From: Milan Broz
Date: Fri, 15 Nov 2019 11:00:36 +0100
Subject: Re: [dm-crypt] Two questions

On 13/11/2019 16:15, mgreger@cinci.rr.com wrote:
> 1) Should it be possible to use a detached header and --integrity
> options to cryptsetup at the same time? When I try, I get a message
> 'No integrity superblock detected on header.'

The current design is that integrity metadata will stay on the data
device (even with detached LUKS header), and these are not encrypted
(encryption is not implemented, but has some support in the kernel).

So with the current code, we are not going to support the detached
header for authenticated encryption (integrity protection); we should
fix the code to explicitly print a warning about it. (The message above
is misleading.)

There is still a note about the --integrity option being experimental,
and it stays this way some time... (Maybe forever, if we find that the
model that allows replay attacks on the sector level is just inadequate.)

Milan
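
The shared-master-key concern from question 2 of this thread, as an added example that is not part of any poster's message and is not cryptsetup code: two volumes encrypted with one key show byte-identical ciphertext wherever the same plaintext sits at the same sector number, while separate keys show nothing. The cipher is a stdlib-only Feistel stand-in for a sector-tweaked mode (it is not aes-xts-plain64), and every name and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import os

SECTOR = 512  # bytes per sector

def _prf(key, tweak, rnd, half):
    """Round function: HMAC-SHA256 stretched to len(half) bytes."""
    out, ctr = b"", 0
    while len(out) < len(half):
        msg = tweak + bytes([rnd]) + ctr.to_bytes(4, "big") + half
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:len(half)]

def encrypt_sector(key, sector_no, plaintext):
    """Stand-in sector cipher: 4-round Feistel tweaked by the sector number.
    As with a plain64-style IV, the tweak depends only on the sector index."""
    tweak = sector_no.to_bytes(8, "little")
    left, right = plaintext[:SECTOR // 2], plaintext[SECTOR // 2:]
    for rnd in range(4):
        mask = _prf(key, tweak, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, mask))
    return left + right

def encrypt_volume(key, sectors):
    return [encrypt_sector(key, i, s) for i, s in enumerate(sectors)]

def matching_sectors(raw_a, raw_b):
    """Sector indexes whose ciphertext is byte-identical on both raw devices."""
    return [i for i, (a, b) in enumerate(zip(raw_a, raw_b)) if a == b]

def demo():
    # Constructed plaintext: sectors 0 and 3 hold the same data on both volumes
    # (think common filesystem structures); sectors 1 and 2 differ.
    common = b"\x00" * SECTOR
    vol_a = [common, os.urandom(SECTOR), os.urandom(SECTOR), common]
    vol_b = [common, os.urandom(SECTOR), os.urandom(SECTOR), common]
    shared = os.urandom(64)  # one master key, as with one shared header
    key_a, key_b = os.urandom(64), os.urandom(64)  # separate headers
    shared_hits = matching_sectors(encrypt_volume(shared, vol_a),
                                   encrypt_volume(shared, vol_b))
    separate_hits = matching_sectors(encrypt_volume(key_a, vol_a),
                                     encrypt_volume(key_b, vol_b))
    return shared_hits, separate_hits

if __name__ == "__main__":
    print(demo())
```

Within a single volume the same plaintext at two different sector numbers still encrypts differently, so the comparison only pays off across volumes that share a key.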