[pkg-cryptsetup-devel] Bug#612452: Bug#612452: cryptsetup: filesystem check with blkid script is not reliable
Milan Broz
mbroz at redhat.com
Sun Feb 13 14:04:32 UTC 2011
On 02/13/2011 02:10 PM, Jonas Meurer wrote:
> I'm able to reproduce this bug. Not sure what to do about it though. It
> seems like aes-cbc-plain and aes-cbc-essiv:sha256 give similar results
> for the bytes where ext filesystems store the filesystem header/stamp.
Well, I think it is expected...
- you get the same volume key in both cases, you have the same key length
and algorithm (aes256) because key is simple hashed passhprase of
the same input with the same hash (rmd160 here).
(Check with dmsetup table --showkeys.)
- the only difference is IV plain (32 sector number) vs essiv:sha256
IV is initial vector for block mode, block is here 16 bytes.
We are operating on 512B sectors, IOW every sector has different IV.
If you check how CBC mode *decryption* works
(http://en.wikipedia.org/wiki/Cipher_block_chaining#Cipher-block_chaining_.28CBC.29)
the second block does not depend directly on IV - it depends on ciphertext.
So logically if we have the same key and mode, only first block (16 bytes)
of every sector will differ, remaining 496 bytes of sector will be decrypted
the same ("correctly").
So the ext3 signature is visible but device is unusable.
(Well, maybe I had to change default hash for plain mode to sha256
from ripemd160 to avoid this but it is to late now.)
Just another reason to not use plain mode with hashed passphrase as key but
use LUKS (where key is always generated from RNG).
Milan
More information about the pkg-cryptsetup-devel
mailing list