Subject: Re: cgd and replay
To: Roland Dowdeswell <>
From: Pawel Jakub Dawidek <>
List: tech-security
Date: 08/20/2005 20:26:37

On Wed, May 11, 2005 at 09:57:53AM -0400, Roland Dowdeswell wrote:
+> If we did want to provide a block level integrity check, then it
+> probably makes sense to write it as a different pseudo-disk to keep
+> the complexity in a different place.  This also begs the question,
+> though, of key generation for the integrity checking.  And general
+> configuration, which I'd have to put a bit of thought into.  It
+> would be unfortunate to have to enter two separate pass phrases.

Don't worry about that, you can safely use:

	enckey = HMAC("enckey", userkey)
	mackey = HMAC("mackey", userkey)

+> The implementation could be something like:
+> 	1.  define a HMAC entity for each disk block containing:
+> 		i.    two HMACs,
+> 		ii.   the order is important: the first
+> 		      is new, the second is old,
+> 	2.  munge HMAC entities into block sizes and intersperse
+> 	    the blocks within disk blocks.
+> 	3.  each write would have to:
+> 		i.    read the HMAC entity,
+> 		ii.   write a new HMAC entity with the new HMAC
+> 		      first and the old new HMAC second,
+> 		iii.  write the disk block.

This can only work when block size is equal to sector size, as we
assume that writing only one sector is atomic.

I wouldn't be surprised if we can safely write a few sectors in an
atomic fashion. If that's true (and I'm going to find that out soon)
then it will be very easy to code:

	1. Generate random encryption key (enckey).
	2. Generate random integrity key (mackey).
	3. Generate random (or use zero) IV.
	4. Encrypt 'enckey' and 'mackey' with user's key.
	5. Calculate MAC for data.
	6. Encrypt the data.
	7. Write this whole mess down.

"This whole mess" is something like:

	sector0 [encrypted enckey+encrypted mackey+IV+MAC]
	sector1..n [encrypted data]

So you write a few sectors at once. I'll find out soon how
reliable it is.

Pawel Jakub Dawidek                              
FreeBSD committer                         Am I Evil? Yes, I Am!
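The two ideas in the message above, the HMAC split of one user key into an encryption key and a MAC key, and the "whole mess" layout of a header sector carrying wrapped keys, IV and MAC in front of the encrypted data sectors, as an added, self-contained example. This is my illustration, not code from cgd, geli or either author. Assumptions: the user key is the HMAC key and the label "enckey"/"mackey" is the message (my reading of HMAC("enckey", userkey)); HMAC-SHA256 in counter mode stands in for the block cipher a real implementation would use, purely so the example runs on the Python standard library; sector size is 512 bytes; and, as an addition of my own, the MAC also covers the LBA, the wrapped keys and the IV so a valid write cannot be moved to another sector or have its header edited. The demo at the end exercises the failure modes discussed in the thread: a flipped bit, a relocated write, a torn write (header sector landed, data sectors did not, the case the single-sector atomicity remark is about), and a replay of an older complete write, which a per-write MAC with no freshness cannot distinguish from the current one.

```python
import hashlib
import hmac
import os
import struct

SECTOR = 512                          # assumed sector size
KEYLEN = 32                           # HMAC-SHA256 key and output size
IVLEN = 16
HDRLEN = 2 * KEYLEN + IVLEN + KEYLEN  # wrapped enckey, wrapped mackey, IV, MAC


def derive_keys(userkey: bytes) -> tuple[bytes, bytes]:
    """Split one user key into two independent subkeys with HMAC, as proposed
    above. The user key is the HMAC key and the label is the message (my
    reading of HMAC("enckey", userkey)); neither output reveals the other."""
    enckey = hmac.new(userkey, b"enckey", hashlib.sha256).digest()
    mackey = hmac.new(userkey, b"mackey", hashlib.sha256).digest()
    return enckey, mackey


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 run in counter mode (assumption, to stay
    on the stdlib). cgd would use a real block cipher such as AES-CBC."""
    out = bytearray()
    for ctr in range((n + KEYLEN - 1) // KEYLEN):
        out += hmac.new(key, iv + struct.pack(">Q", ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def write_chunk(userkey: bytes, lba: int, data: bytes) -> list[bytes]:
    """Steps 1-7 of the message: per-write random enckey/mackey and IV, keys
    wrapped under (a key derived from) the user key, MAC, encrypt, and emit
    sector0 (header) followed by the encrypted data sectors. My addition: the
    MAC binds lba, the wrapped keys and the IV as well as the ciphertext."""
    if len(data) % SECTOR:
        raise ValueError("data must be a whole number of sectors")
    kek, _ = derive_keys(userkey)          # key-encryption key for the header
    enckey, mackey = os.urandom(KEYLEN), os.urandom(KEYLEN)
    iv = os.urandom(IVLEN)
    wrapped = xor(enckey + mackey, keystream(kek, iv, 2 * KEYLEN))
    ct = xor(data, keystream(enckey, iv, len(data)))
    mac = hmac.new(mackey, struct.pack(">Q", lba) + wrapped + iv + ct,
                   hashlib.sha256).digest()
    sector0 = (wrapped + iv + mac).ljust(SECTOR, b"\0")
    return [sector0] + [ct[i:i + SECTOR] for i in range(0, len(ct), SECTOR)]


def read_chunk(userkey: bytes, lba: int, sectors: list[bytes]) -> bytes:
    """Unwrap the keys, verify the MAC, then decrypt. Raises ValueError when
    the MAC does not match, which covers tampering, relocation and torn writes."""
    kek, _ = derive_keys(userkey)
    hdr = sectors[0]
    wrapped = hdr[:2 * KEYLEN]
    iv = hdr[2 * KEYLEN:2 * KEYLEN + IVLEN]
    mac = hdr[2 * KEYLEN + IVLEN:HDRLEN]
    keys = xor(wrapped, keystream(kek, iv, 2 * KEYLEN))
    enckey, mackey = keys[:KEYLEN], keys[KEYLEN:]
    ct = b"".join(sectors[1:])
    want = hmac.new(mackey, struct.pack(">Q", lba) + wrapped + iv + ct,
                    hashlib.sha256).digest()
    if not hmac.compare_digest(mac, want):
        raise ValueError("MAC mismatch: tampered, relocated or torn write")
    return xor(ct, keystream(enckey, iv, len(ct)))


def verifies(userkey: bytes, lba: int, sectors: list[bytes]) -> bool:
    try:
        read_chunk(userkey, lba, sectors)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed inputs: two successive writes of a two-sector chunk at LBA 7."""
    userkey = hashlib.sha256(b"constructed pass phrase").digest()
    v1 = write_chunk(userkey, 7, b"A" * SECTOR * 2)
    v2 = write_chunk(userkey, 7, b"B" * SECTOR * 2)
    tampered = [v2[0], v2[1], bytes([v2[2][0] ^ 1]) + v2[2][1:]]
    torn = [v2[0], v1[1], v1[2]]       # new header on disk, old data sectors
    return {
        "roundtrip": read_chunk(userkey, 7, v2) == b"B" * SECTOR * 2,
        "tamper_detected": not verifies(userkey, 7, tampered),
        "relocate_detected": not verifies(userkey, 8, v2),
        "torn_write_detected": not verifies(userkey, 7, torn),
        # an old but complete write still carries a valid MAC: no freshness
        "replay_of_old_write_accepted": verifies(userkey, 7, v1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The torn-write case is why the multi-sector write has to be atomic: a header from the new write over data from the old one fails the MAC just like a deliberate modification, and the reader cannot tell the two apart. The last entry shows what a per-write MAC does not buy: rolling the header and data sectors back together to an earlier valid write passes verification, because nothing in sector0 says which write is current; detecting that needs freshness state kept outside the chunk, which the layout above does not carry.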
