Subject: Re: cgd and replay
To: Pawel Jakub Dawidek <>
From: Daniel Carosone <>
List: tech-security
Date: 08/22/2005 12:38:09

On Mon, Aug 22, 2005 at 03:41:06AM +0200, Pawel Jakub Dawidek wrote:
> Then, if you have power failure, let's say, before writing sector2, but
> after sector1 you have new MACs in sector0 and old MACs in sectorN+1.

Ah yes, I did miss this; sorry.

> On read, you verify sector1 integrity based on mac(sector1) from sector0,
> then you verify sector2 against mac(sector2) from sector0 and you failed,
> so you verify it against mac(sector2) from sectorN+1. And so on.

Sure, so long as for small writes that update only a subrange of these
sectors, we do the whole (new-MACs, data blocks, old-MACs) cycle each
time to complete the transaction.

> For me it is safe if we assume writing single sector is atomic.

(... and that ordering is preserved and write caches are flushed, both
of which can be achieved at some cost).

So, with that cleared up..

How are you preventing replay of old MAC+data+MAC groups, or of
specific data blocks and MAC entries within a group?  Either seems to
involve some extra metadata (a txn counter and MAC-sector-MAC? in the
MAC sectors or elsewhere?), with corresponding storage and transaction

How many MACs can you fit in a sector (i.e., is N large enough to be
useful), especially with the above taken into account?

While your proposal is elegant for the simple case, either of these
may tip you over the edge to more complex structures.


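Added example (not part of the original message, and not cgd code): a small Python model of the (new-MACs, data blocks, old-MACs) group discussed above, showing the read-time fallback after a crash and how a transaction counter sealed into each MAC sector lets a reader reject a replayed group or a spliced-in old block and MAC entry. The key, sector contents, data layout and every function name are constructed for illustration, data sectors are indexed from 0 here, and the expected counter is assumed to be kept somewhere that cannot be rolled back together with the disk.

```python
import copy, hashlib, hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real volume key

def h(msg):
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def block_mac(i, data):
    # Bind the sector index so a valid block cannot be moved to another slot.
    return h(b"D" + i.to_bytes(4, "big") + data)

def seal(txn, macs):
    # Hypothetical MAC-sector layout: counter, per-block MACs, MAC over both.
    body = b"M" + txn.to_bytes(8, "big") + b"".join(macs)
    return {"txn": txn, "macs": list(macs), "seal": h(body)}

def make_group(blocks, txn=1):
    macs = [block_mac(i, b) for i, b in enumerate(blocks)]
    return {"new": seal(txn, macs), "data": list(blocks), "old": seal(txn, macs)}

def write(g, updates, crash_after=None):
    # updates maps data index -> new contents; crash_after simulates power loss
    # after that many data sectors have reached the disk.
    macs = list(g["new"]["macs"])
    for i, data in updates.items():
        macs[i] = block_mac(i, data)
    g["new"] = seal(g["new"]["txn"] + 1, macs)   # 1. new-MACs sector
    for n, i in enumerate(sorted(updates)):      # 2. data sectors
        if n == crash_after:
            return
        g["data"][i] = updates[i]
    g["old"] = copy.deepcopy(g["new"])           # 3. old-MACs sector

def read(g, i, expected_txn=None):
    # Try the new-MACs sector first, then fall back to the old-MACs sector.
    # expected_txn is assumed to come from storage that cannot be rolled back.
    for ms in (g["new"], g["old"]):
        if not hmac.compare_digest(ms["seal"], seal(ms["txn"], ms["macs"])["seal"]):
            continue                             # MAC sector itself was altered
        if expected_txn is not None and ms["txn"] < expected_txn:
            continue                             # stale MAC sector: replayed group
        if hmac.compare_digest(ms["macs"][i], block_mac(i, g["data"][i])):
            return g["data"][i]
    raise ValueError(f"sector {i}: integrity or freshness check failed")
```

With expected_txn left as None, a saved copy of an entire group still verifies on read, which is the replay case the question above is about.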