Re: [PATCH] Delete cryptoloop

[Marc Ballarin]

Fruhwirth Clemens <clemens-dated-1091642568.f246 <at> endorphin.org> writes:  
  
>   
> That's no exploit. Where is the exploit?  
> http://www.google.com/search?q=jargon%20exploit   
> When you're there, you can look up the term ``backdoor'' as well.   
  
We can, of course, discuss terminology, yet the problem remains the same. 
  
>   
> Probably I'm missing the point, but at the moment this looks like a  
> chosen plain text attack. As you know for sure, this is trivial. For  
> instance, AES asserts to be secure against this kind of attack. (See the  
> author's definition of K-secure..).  
  
It assures against key revovery through chosen plain text attacks. As written 
before, the purpose of this attack is not to break encryption, but to prove 
the existence of a file *known to* and *prepared by* the attacker.  
  
The exploit generates a rather simple bit pattern with a size of 1024 bytes.  
When this pattern - the watermark - is encrypted, dm-crypt's output has some  
special properties - independent of cipher or key size.  
For example, encoding nr. 1, always produces a cyphertext block, where bytes  
0-15 are equal to bytes 512-523.  
  
If you cannot believe this, please try yourself. I did so a few hours ago.  
  
On dm-crypt's mailing list, I have given a description how this can be refined  
easily to improve reliability of detection and determine a file's layout on 
the encrypted volume.  
  
Regards  
  
  
  

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/