Re: On-Disk Encryption and Data Integrity

Hi Kristian,

On Jan 27, 2:42 am, Kristian Gjøsteen <kristiag+n...@xxxxxxxxxxxx>
wrote:
Jeffrey Walton  <noloa...@xxxxxxxxx> wrote:

This question is very similar, but the threat model is slightly
different. Suppose I store encrypted data on disk. I believe I can
persist E( m || h(m) ). I think this is appropriate since on-disk
suffers from fewer threats than over the air. Is this correct? Or
should I punt and use a MAC (I think a Digital Signature would not be
required since it is a stronger primitive providing non-repudiation).
The downside of a MAC is that I must make to passes over the data
(i.e., the message) with the block cipher - one for the MAC, the
second for the Encrpytion. So I would prefer to use a unkeyed hash.

I'd use an authenticating mode of encryption such as CCM or GCM.
I'd like to use CCM, but neither Crypto++ or the Windows Crypto API
(CAPI) offer it.


Alternatively, you can use dedicated disk encryption modes like EME, that
are non-expanding. Note that they provide different security properties
than CCM or GCM do.

To prevent cut-and-paste attacks, you should include the sector address
in the authenticated data (you don't need to store it, of course).
Unfortunately, I cannot expect to have raw access to the disk. But I
do have protected storage for the keys.


Nontheless, these modes will be subject to sector replay attacks.
If you _really_ need integrity for the entire disk image, then you may
need hash trees or other somewhat expensive constructions.
No need for full disk encryption - for this example, one text file
(consuming less than one sector) is my premise.

Jeff
.

Relevant Pages

  • Re: Data authentication for geli(8) committed to HEAD.
    ... When configuring geli encryption on the drive, ... +> disk, which will be accomplished by writes of 512 bytes. ... +> crashes in between (I'm not talking about power failures), ... +> several blocks of inodes on a 4096 byte sector geli mount. ...
    (freebsd-current)
  • Attack Scenarios against PGPs Whole Disk Encryption (WDE)
    ... Attack Scenarios against PGP's Whole Disk Encryption ... PGP's Whole Disk Encryption for Microsoft Windows encrypts all the ... As long as standard PC hardware and BIOS is used, the boot code of the disk ...
    (comp.security.pgp.tech)
  • Re: Securing ARC4
    ... ultra-fast compression and encryption at the ... Since it's using very fast LZO encryption ... better speed, less disk space, some data protection. ... so that you can randomly access each sector. ...
    (sci.crypt)
  • Re: On-Disk Encryption and Data Integrity
    ... Suppose I store encrypted data on disk. ... The downside of a MAC is that I must make to passes over the data ... I'd use an authenticating mode of encryption such as CCM or GCM. ...
    (sci.crypt)
  • RE: [Full-Disclosure] harddisk encryption
    ... If the encryptor encrypts your boot disk, it has to be involved early in the ... boot process and may be broken by anything that changes the system boot sequence. ... normally when the encryption keys had been entered. ... registry controls that allow the swap file to be wiped on shutdown. ...
    (Full-Disclosure)
Loading