Re: On-Disk Encryption and Data Integrity



Hi Kristian,

On Jan 27, 2:42 am, Kristian Gjøsteen <kristiag+n...@xxxxxxxxxxxx>
wrote:
Jeffrey Walton  <noloa...@xxxxxxxxx> wrote:

This question is very similar, but the threat model is slightly
different. Suppose I store encrypted data on disk. I believe I can
persist E( m || h(m) ). I think this is appropriate since on-disk
suffers from fewer threats than over the air. Is this correct? Or
should I punt and use a MAC (I think a Digital Signature would not be
required since it is a stronger primitive providing non-repudiation).
The downside of a MAC is that I must make to passes over the data
(i.e., the message) with the block cipher - one for the MAC, the
second for the Encrpytion. So I would prefer to use a unkeyed hash.

I'd use an authenticating mode of encryption such as CCM or GCM.

Alternatively, you can use dedicated disk encryption modes like EME, that
are non-expanding. Note that they provide different security properties
than CCM or GCM do.
Perverted on Super Bowl Sunday in the United States, but I was reading
NIST's SP 800-38D (GCM mode). It seems GCM is probably not well suited
for file encryption and most likely not suited for whole disk
encryption (where a typical Microsoft installation is gigabytes). From
Authentication Assurance, page 26:

As with any tag-based authentication mechanism, if the
adversary chooses a t-bit tag at random, it is expected
to be correct for given data with probability 1/2**t.
With GCM, however, an adversary can choose tags that
increase this probability, proportional to the total
length of the ciphertext and AAD. Consequently, GCM is
not well-suited for use with short tag lengths or
very long messages.

To prevent cut-and-paste attacks, you should include the sector address
in the authenticated data (you don't need to store it, of course).

Nontheless, these modes will be subject to sector replay attacks.
If you _really_ need integrity for the entire disk image, then you may
need hash trees or other somewhat expensive constructions.

Jeff

.



Relevant Pages

  • Attack Scenarios against PGPs Whole Disk Encryption (WDE)
    ... Attack Scenarios against PGP's Whole Disk Encryption ... PGP's Whole Disk Encryption for Microsoft Windows encrypts all the ... As long as standard PC hardware and BIOS is used, the boot code of the disk ...
    (comp.security.pgp.tech)
  • RE: [Full-Disclosure] harddisk encryption
    ... If the encryptor encrypts your boot disk, it has to be involved early in the ... boot process and may be broken by anything that changes the system boot sequence. ... normally when the encryption keys had been entered. ... registry controls that allow the swap file to be wiped on shutdown. ...
    (Full-Disclosure)
  • RE: [Full-Disclosure] harddisk encryption
    ... > boot process and may be broken by anything that changes the system boot ... In the event of disk crash or emergency, unless a tool is provided to ... > i'm evaluating a software that performs harddisk encryption for deploying ...
    (Full-Disclosure)
  • Cryptic Disk Ultimate Edition 3.0.27.543
    ... Cryptic Disk creates virtual encrypted disks and ... Cryptic Disk ... Only Ultimate Edition allows users to increase the encryption key size ... increases the protection for encrypted data against being cracked. ...
    (comp.software.shareware.announce)
  • Re: On the Recent PGP and Truecrypt Posting
    ... changing the passphrase would lock out prior users. ... Clearly a users with a backup copy of an encrypted disk for which they ... clear that real world users actually understand the need to re-encrypt ... You will also also see the architecture extend to some *very* cool storage encryption very soon. ...
    (Bugtraq)