RFC: backporting GEOM to the 4.x branch
ALeine
aleine at austrosearch.net
Fri Feb 4 01:16:05 PST 2005
df at xxxxxx wrote:
> Wouldn't be easier porting cgd* from NetBSD ?
>
> * http://www.netbsd.org/guide/en/chap-cgd.html
Perhaps, but I believe GBDE to be superior to CGD for a number
of reasons, one of the most important being that with GBDE you
can change the passphrase without re-encrypting the entire disk,
which is not the case with CGD, AFAIK. From Poul-Henning Kamp's
paper on GBDE:
http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf
Several implementations have been produced which implement
a disk encryption feature by running the user provided
passphrase through a good quality one-way hash function
and using the output as a key to encrypt all the sectors
using a standard block cipher in CBC mode. A per sector IV
for the encryption is typically derived from the passphrase
and sector address using a one-way hash function. Two
typical examples are [CGD] and [LOOPAES].
Unfortunately this approach suffers from a number of
significant drawbacks, both in terms of cryptographic
strength and deployability.
For data to stay protected for decades or even lifetimes,
sufficient margin must exist not only for technological
advances in brute force technology, but also for theoretical
advances in cryptanalytic attacks on the algorithms used.
Protecting a modern disk, typically having a few hundred
millions of sectors, with the same single 128 or 256 bits
of key material offers an incredibly large amount of data
for statistical, differential or probabilistic attacks in
the future.
Worse, because the sectors contain file system or database
data and meta data which are optimised for speed, the
plaintext sector data typically have both a high degree of
structure and a high predictability, offering ample
opportunities for statistical and known plaintext attacks.
This author would certainly not trust data so protected
to be kept secret for more than maybe five or ten years
against a determined attacker.
But far more damning to this method is that there can
only be one single passphrase for the disk. This effectively
rules out the ability for an organisation to implement any
kind of per-user or multilevel key management scheme: the
only possible scheme is "one key per disk".
Add to this that to change the passphrase the entire disk
would have to be decrypted and re-encrypted, and we
have a model which may work in theory, and can be
made to work in practice for a determined individual,
but which would fast become an operational liability
for any organisation.
ALeine
P.S.: Please CC me when you reply, I am not subscribed.
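As an added illustration of the passphrase-change point made above (this is not code from the thread, from GBDE or from CGD), the following Go program models the construction the quoted paper describes: a hashed passphrase used directly as the AES-CBC key, with a per-sector IV derived from the passphrase and the sector address. Beside it sits a generic key-wrapping layout in which the passphrase only protects a random master key kept in a small header. That wrapped layout is an assumption for illustration and is not GBDE's actual on-disk format; the type names NaiveDisk and WrappedDisk, the 512-byte sectors and the SHA-256 check value are all constructed for the example. Changing the passphrase on the naive disk rewrites every sector; on the wrapped disk it rewrites only the header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// passphraseKey is the naive scheme's disk key: a one-way hash of the passphrase.
func passphraseKey(pass string) []byte { k := sha256.Sum256([]byte(pass)); return k[:] }
// sectorIV derives the per-sector IV from a secret and the sector address, CGD/loop-AES style.
func sectorIV(secret []byte, sector uint64) []byte {
	iv := sha256.Sum256(binary.BigEndian.AppendUint64(append([]byte(nil), secret...), sector))
	return iv[:aes.BlockSize]
}
// cbc runs AES-CBC over a block-aligned buffer; whole sectors need no padding.
func cbc(key, iv, in []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		panic("bad key length or buffer not a whole number of blocks")
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand.Read never errors

// NaiveDisk: every sector is encrypted directly under hash(passphrase), the construction the quoted paper criticises.
type NaiveDisk struct{ sectors [][]byte }
func NewNaiveDisk(n int) *NaiveDisk { return &NaiveDisk{sectors: make([][]byte, n)} }
func (d *NaiveDisk) Write(pass string, n uint64, plain []byte) {
	d.sectors[n] = cbc(passphraseKey(pass), sectorIV([]byte(pass), n), plain, true)
}
func (d *NaiveDisk) Read(pass string, n uint64) []byte {
	return cbc(passphraseKey(pass), sectorIV([]byte(pass), n), d.sectors[n], false)
}
// ChangePassphrase must decrypt and re-encrypt every sector; it returns how many it rewrote (all of them).
func (d *NaiveDisk) ChangePassphrase(oldPass, newPass string) int {
	for n := range d.sectors {
		d.Write(newPass, uint64(n), d.Read(oldPass, uint64(n)))
	}
	return len(d.sectors)
}

// WrappedDisk: sectors are encrypted under a random master key that never changes; the passphrase
// only wraps a copy of that key in a header. An assumed generic layout, not GBDE's on-disk format.
type WrappedDisk struct {
	wrapIV  []byte   // random IV for the key wrap, kept in the header
	wrapped []byte   // master key encrypted under hash(passphrase)
	check   [32]byte // hash of the master key, so a wrong passphrase is rejected
	sectors [][]byte
}
func NewWrappedDisk(pass string, n int) *WrappedDisk {
	master := randomBytes(32)
	d := &WrappedDisk{sectors: make([][]byte, n), check: sha256.Sum256(master)}
	d.seal(pass, master)
	return d
}
func (d *WrappedDisk) seal(pass string, master []byte) {
	d.wrapIV = randomBytes(aes.BlockSize)
	d.wrapped = cbc(passphraseKey(pass), d.wrapIV, master, true)
}
// Unlock recovers the master key from the header once; sector I/O then uses that key.
func (d *WrappedDisk) Unlock(pass string) ([]byte, error) {
	master := cbc(passphraseKey(pass), d.wrapIV, d.wrapped, false)
	if sha256.Sum256(master) != d.check {
		return nil, errors.New("wrong passphrase")
	}
	return master, nil
}
func (d *WrappedDisk) Write(master []byte, n uint64, plain []byte) {
	d.sectors[n] = cbc(master, sectorIV(master, n), plain, true)
}
func (d *WrappedDisk) Read(master []byte, n uint64) []byte {
	return cbc(master, sectorIV(master, n), d.sectors[n], false)
}
// ChangePassphrase re-wraps the master key and touches no sector, so it returns 0.
func (d *WrappedDisk) ChangePassphrase(oldPass, newPass string) (int, error) {
	master, err := d.Unlock(oldPass)
	if err != nil {
		return 0, err
	}
	d.seal(newPass, master)
	return 0, nil
}

func main() {
	nd := NewNaiveDisk(1)
	nd.Write("old", 0, make([]byte, 512)) // one constructed all-zero sector
	println("naive sectors rewritten on passphrase change:", nd.ChangePassphrase("old", "new"))
}
```

The wrapped layout also answers the paper's other objection, since several users can each hold their own wrapped copy of the same master key, while the naive scheme has nowhere to put a second key. It does not address the paper's point about a single key covering every sector: the master key still does. A production design would also use an authenticated key wrap rather than the bare hash check used here to reject a wrong passphrase.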