tech-crypto archive


Re: [patch] cgd



On Sat, Nov 27, 2010 at 02:40:11AM +0000, Taylor R Campbell wrote:
>

From the documentation in your patch:

     if an attacker reverts the ciphertext of a disk block to an
     old version, the plaintext will be reverted to the old version,
     and the cgd will not detect this.

This brings up an interesting point which is that you are effectively
discussing that the ``protocol'' defined here is susceptible to a
replay attack.  The structure of CGD allows the replays to be quite
small, i.e. a single ciphertext block at the cost of randomising
the following ciphertext block, but in the largest sense, I'm not
sure that it is actually possible to stop someone from rewinding
an encrypted disk to some degree.  The best that you could do is
force the attacker to have to rewind the entire disk to a previous
state rather than simply rewinding sectors at a time or ciphertext
blocks at a time given the constraints of the problem.  Using an
HMAC can't completely solve this problem.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
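
An added illustration of the replay granularity discussed above, not code from cgd or from either correspondent: a toy CBC-encrypted sector in which rewinding a single ciphertext block restores that plaintext block and randomises the one after it, plus a hypothetical per-sector HMAC that catches the one-block rewind but accepts a sector restored together with its old tag. It assumes a 16-byte block, a four-block sector, a Feistel-over-HMAC toy cipher standing in for AES, an IV derived from the encrypted block number, and constructed keys and data.

```python
import hmac, hashlib

BLOCK, HALF = 16, 8   # AES-sized block assumed, as for cgd's aes-cbc
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):   # Feistel round function: truncated HMAC-SHA256
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]
def encrypt_block(key, blk):   # toy 4-round Feistel permutation in place of AES
    l, r = blk[:HALF], blk[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r
def decrypt_block(key, blk):   # inverse of encrypt_block (rounds undone in reverse)
    l, r = blk[:HALF], blk[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)
def sector_tag(mac_key, sector_no, ct):   # hypothetical per-sector HMAC, not part of cgd
    return hmac.new(mac_key, sector_no.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def demo(sector_no=7):
    key, mac_key = b"K" * 32, b"M" * 32                          # constructed keys
    iv = encrypt_block(key, sector_no.to_bytes(BLOCK, "big"))     # IV = encrypted block number (assumed)
    old = b"".join(bytes([0x10 + i]) * BLOCK for i in range(4))   # constructed 4-block sector
    new = old[:BLOCK] + b"\x99" * BLOCK + old[2 * BLOCK:]          # rewrite changes block 1 only
    ct_old, ct_new = cbc_encrypt(key, iv, old), cbc_encrypt(key, iv, new)
    tag_old = sector_tag(mac_key, sector_no, ct_old)              # tag stored alongside the old sector
    mixed = ct_new[:BLOCK] + ct_old[BLOCK:2 * BLOCK] + ct_new[2 * BLOCK:]  # only C[1] rewound
    pt = cbc_decrypt(key, iv, mixed)
    blk = lambda buf, n: buf[n * BLOCK:(n + 1) * BLOCK]
    return {
        "block1_reverted": blk(pt, 1) == blk(old, 1),     # the old plaintext is back in P[1]
        "block2_garbled": blk(pt, 2) != blk(old, 2),      # P[2] is randomised as the side effect
        "blocks_0_3_intact": blk(pt, 0) == blk(new, 0) and blk(pt, 3) == blk(new, 3),
        "block_rewind_caught": not hmac.compare_digest(sector_tag(mac_key, sector_no, mixed), sector_tag(mac_key, sector_no, ct_new)),
        "sector_rewind_with_old_tag_accepted": hmac.compare_digest(sector_tag(mac_key, sector_no, ct_old), tag_old),
    }
```

The last entry is the limit the message points at: a tag that lives with the sector it protects cannot tell a rewound sector from a current one, so an HMAC only forces the rewind to be sector-sized (or disk-sized, if tags are chained), not that it never happens.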

