tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Re: [patch] cgd

   Date: Thu, 2 Dec 2010 03:39:10 +0000
   From: "Roland C. Dowdeswell" <>

   This brings up an interesting point which is that you are effectively
   discussing that the ``protocol'' defined here is susceptible to a
   replay attack.

Yes.  What I was getting at a little more generally is that the
`protocol' is badly broken if an attacker can modify the disk.  In
other words: throw it out and recover from backups.  I ought to have
stated that outright, but instead I just said that cgd doesn't provide
authenticity or integrity.

                                      The best that you could do is
   force the attacker to have to rewind the entire disk to a previous
   state rather than simply rewinding sectors at a time or ciphertext
   blocks at a time given the constraints of the problem.  Using an
   HMAC can't completely solve this problem.

If you can force the attacker to rewind the entire disk, perhaps a
timestamp and on the disk could do the trick, if the user can remember
the last time he wrote to the disk.  However, I don't know how to
force the attacker to rewind the entire disk, at the disk layer.
(With cryptographic integrity checks in the file system, perhaps --
how's ZFS on NetBSD coming?)

Home | Main Index | Thread Index | Old Index