[dm-devel] [PATCH] dm-crypt: disable block encryption with arc4
Mikulas Patocka
mpatocka at redhat.com
Tue Jan 26 17:11:52 UTC 2010
On Tue, 26 Jan 2010, Sebastian Andrzej Siewior wrote:
> * Mikulas Patocka | 2010-01-26 07:27:18 [-0500]:
>
> >> yes, I think it is better.
> >> (...and I just forgot to add that test to dm-crypt after that suggestion.)
> >>
> >> Milan
> >
> >Hmm, there is salsa20 that has block size 1, larger initialization
> >vectors, and can be used to encrypt disks (although salsa20 doesn't
> >currently work with dm-crypt, because it doesn't accept "ecb(), cbc(),
> >etc." chaining modes --- but if you remove the chaining mode manually, it
> >works).
> >
> >You should rather add a flag CRYPTO_ALG_CHANGES_STATE to determine that a
> >cipher can't be used to encrypt disks.
>
> Just because it will work does not make it a good idea.
>
> SALSA20 is a stream cipher not a block cipher.
> Block ciphers are used to encrypt data.
> Stream ciphers are used to create one time pads, a set of encryption
> keys, ...
> There are block modes like CTR which can turn a block cipher into a
> stream cipher. Those should not be used for disk encryption as well.
Salsa20 is unsuitable for disk encryption in most cases. It would be
suitable if we knew that the attacker can obtain the image of encrypted
device at most once --- it is OK to protect against laptop theft (it
happens just once), but it is not OK to protect against support technician
spying on your data (he can read them multiple times, if you have multiple
support requests).
Anyway, what I wanted to say, is that block_size <= 1 test is no less
hacky than !strcmp(cipher, "arc4") test.
Mikulas
More information about the dm-devel
mailing list