[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Re: [patch] cgd
Date: Thu, 2 Dec 2010 03:39:10 +0000
From: "Roland C. Dowdeswell" <elric%imrryr.org@localhost>
This brings up an interesting point which is that you are effectively
discussing that the ``protocol'' defined here is susceptible to a
Yes. What I was getting at a little more generally is that the
`protocol' is badly broken if an attacker can modify the disk. In
other words: throw it out and recover from backups. I ought to have
stated that outright, but instead I just said that cgd doesn't provide
authenticity or integrity.
The best that you could do is
force the attacker to have to rewind the entire disk to a previous
state rather than simply rewinding sectors at a time or ciphertext
blocks at a time given the constraints of the problem. Using an
HMAC can't completely solve this problem.
If you can force the attacker to rewind the entire disk, perhaps a
timestamp and on the disk could do the trick, if the user can remember
the last time he wrote to the disk. However, I don't know how to
force the attacker to rewind the entire disk, at the disk layer.
(With cryptographic integrity checks in the file system, perhaps --
how's ZFS on NetBSD coming?)
Main Index |
Thread Index |