[dm-crypt] Two questions

[dm-crypt] Two questions

[mgreger]

[-- Attachment #1: Type: text/plain, Size: 304 bytes --]



	1) Should it be possible to use a detached header and --integrity
options to cryptsetup at the same time? When I try, I get a message
'No integrity superblock detected on header.'

	2) Are there security implications of using a single detached header
with multiple encrypted volumes? 
Thanks

[-- Attachment #2: Type: text/html, Size: 351 bytes --]

Re: [dm-crypt] Two questions

[Michael Kjörling]

On 13 Nov 2019 15:15 +0000, from mgreger@cinci.rr.com:
> 	2) Are there security implications of using a single detached header
> with multiple encrypted volumes? 

Yes; it implies that the two volumes are encrypted using the same
master key (as well as being accessible using the same set of
passphrases), _and_ it makes it obvious that this is the case.

Whether that's a problem _in practice_ is another matter. It's
possible that in your scenario that's unproblematic, but it would be
nearly impossible to tell from just a single-sentence question.

For the general case, I would definitely very strongly suggest to have
different headers, with different master keys, even if the passphrases
are the same.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”

Re: [dm-crypt] Two questions

[Ondrej Kozina]

On 11/13/19 4:15 PM, mgreger@cinci.rr.com wrote:
> 1)   Should it be possible to use a detached header and --integrity 
> options to cryptsetup at the same time? When I try, I get a message 'No 
> integrity superblock detected on header.'

Detached LUKS2 header with auth. encryption does not work. We should add 
straightforward error message right in 'luksFormat' and 'open' actions. 
(interestingly it fails in different code up to 2.0.6 and post 2.1.0, 
but it doesn't work in either release). From my perspective it's a bug 
that it fails so late in crypt_format() code.

Right now, I'm not sure if it's only unfinished feature from userspace 
perspective or we miss something also in kernel to make it work correctly.

O.

Re: [dm-crypt] Two questions

[Milan Broz]

On 13/11/2019 16:15, mgreger@cinci.rr.com wrote:
> 1)   Should it be possible to use a detached header and --integrity options to cryptsetup at the same time? When I try, I get a message 'No integrity superblock detected on header.'

The current design is that integrity metadata will stay on the data device (even with detached LUKS header), and these are not encrypted (encryption is not implemented, but has some support in the kernel).

So with the current code, we are not going to support the detached header for authenticated encryption (integrity protection), we should fix the code to explicitly print a warning about it. (The message above is misleading.)

There is still note about --integrity option being experimental, and it stays this way some time...
(Maybe forever, if we find that the model that allows reply attacks on the sector level is just inadequate.)

Milan

Re: [dm-crypt] Two questions

[mgreger]

[-- Attachment #1: Type: text/plain, Size: 772 bytes --]



	From Michael Kjörling:

	> Yes; it implies that the two volumes are encrypted using the same
master key (as well as being accessible using the same set of
passphrases), _and_ it makes it obvious that this is the case.

	(Assume any detached header is absent)

	 Obvious by inspecting the raw encrypted drives? My concern is
salt/iv reuse for same sector #'s on multiple drives leading to
information leakage.

	For example let's say two encrypted drives were mirrored. Using the
same master key would make it obvious they are mirrored, but no
additional information is leaked (other than that they are in fact
copies of each other). But more complex scenarios exist: RAID, LVM2
headers, etc. Those other scenarios are the ones I am curious about.


[-- Attachment #2: Type: text/html, Size: 955 bytes --]

Re: [dm-crypt] Two questions

[Arno Wagner]

On Wed, Nov 13, 2019 at 19:42:55 CET, mgreger@cinci.rr.com wrote:
>    From Michael Kjörling:
> 
>    > Yes; it implies that the two volumes are encrypted using the same
>    master key (as well as being accessible using the same set of
>    passphrases), _and_ it makes it obvious that this is the case.
> 
>    (Assume any detached header is absent)
> 
>    Obvious by inspecting the raw encrypted drives? My concern is salt/iv
>    reuse for same sector #'s on multiple drives leading to information
>    leakage.
> 
>    For example let's say two encrypted drives were mirrored. Using the
>    same master key would make it obvious they are mirrored, but no
>    additional information is leaked (other than that they are in fact
>    copies of each other). But more complex scenarios exist: RAID, LVM2
>    headers, etc. Those other scenarios are the ones I am curious about.

You may also have sectors in filesystems that are generally the same 
and that would be obvious. 

The simple answer is: If you care, then do not do this. Otherwise
you do not care and it is not a problem. No amount of analysis will
make this go away.

Regards,
Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

Re: [dm-crypt] Two questions

[mgreger]

[-- Attachment #1: Type: text/plain, Size: 269 bytes --]

From Arno Wagner, Dr.:

	 > You may also have sectors in filesystems that are generally the
same  and that would be obvious. 

	Thanks, that's what I was curious about.

	> The simple answer is: If you care, then do not do this.

That seems like good advice.

[-- Attachment #2: Type: text/html, Size: 478 bytes --]

Re: [dm-crypt] Two questions

[mgreger]

[-- Attachment #1: Type: text/plain, Size: 227 bytes --]

Any idea regarding my other question?

	1) Should it be possible to use a detached header and --integrity
options to cryptsetup at the same time? When I try, I get a message
'No integrity superblock detected on header.'


[-- Attachment #2: Type: text/html, Size: 275 bytes --]