Re: [PATCH 1/4] dm-crypt: clarify cipher vs. cipher mode

Max Vozeler <max@xxxxxxxxxxxxx> · Wed, 13 Jan 2010 18:27:15 +0100

Hi Richard,

On Mon, Jan 11, 2010 at 10:28:39PM +0100, Richard Zidlicky wrote:
> On Mon, Jan 04, 2010 at 04:25:42PM +0100, Max Vozeler wrote:
> > +
> > +These modes have two main characteristics compared to regular CBC
> > +with sector IV. The first is implemented in dm-crypt, the second
> > +is implemented in the lmk2 and lmk3 blkciphers.
> 
> the formulation is not very clear. Possibly better wording -
> 
> + There are two main differences distinguishing the lmk2 and lmk3 modes 
> + from the blok cipher implemented in dm-crypt:

I reworked this part in the new version below.

> > +1) Use of 64 independent keys which are alternatingly applied to
> > +different sectors.
> > +
> > +  key = keys[sectornum % 64]
> 
> not really "alternating" when there is more than 2, my try
> "different sectors are encrypted with 64 independent keys selected by the
> following rule"
> +  key = keys[sectornum % 64]

Good point, thanks.

> > +2) IV derivation from an MD5 digest of the sector number, parts
> > +of the plaintext data and a mode specific format constant. The
> > +multi-key-v3 mode additionally uses a 128-bit IV seed.
> 
> slightly rephrased:
> 
> +2) IVs are derived from an MD5 digest of the sector number, parts
> +of the plaintext data and a mode specific format constant. The
> +multi-key-v3 mode additionally uses a 128-bit IV seed.

Agreed. I included your rephrasing.

> > +  v2IV = MD5(plaintext[16..511] ||
> > +  	     truncated-sector-number ||
> > +	     format-magic)
> > +
> > +  v3IV = MD5(ivseed ||
> > +	     plaintext[16..511] ||
> > +  	     truncated-sector-number ||
> > +	     format-magic)
> 
> that seems different than what is described here -
>  http://mail.nl.linux.org/linux-crypto/2006-01/msg00006.html
> 
> so is it compatible after all? Or where is format-magic' equivalent
> hidden in Jari's description?

The format-magic is not mentioned in Jari's description, but
is indeed used by Loop-AES.

Compare loop-AES-v3.2h/glue.c:402:

  /* 4024 bits == 31 * 128 bit plaintext blocks + 56 bits of sector number */
  /* For version 3 on-disk format this really should be 4536 bits, but can't be */
  /* changed without breaking compatibility. V3 uses MD5-with-wrong-length IV */
  buf[14] = 4024;
  buf[15] = 0;

> > +The format-magic for both modes is fixed at the value 4024
> > +encoded as 32-bit little endian.
> 
> I am not familiar with this detail and the description does not make it
> completely clear, it appears to refer to some magic value of the on disk 
> representation?

The magic is only used as an additional input to the MD5 digest 
as part of the IV derivation.

Changed the description to hopefully clarify this.

> > +Encryption:
> > +
> > +  IV = IVFUNC(optional-ivseed,
> > +  	   plaintext[16..511],
> > +  	   truncated-sector-number,
> > +	   format-magic)
> 
> optional first argument in formalism makes it hard to relate to above decriptions.
> So maybe introduce IVFUNC where you describe them above, including ivseed which is
> simply unused in one variant.
>
> > +  ciphertext[0..511] = CBC-ENCRYPT(key, IV, plaintext[0..511])
> 
> I know that key=key_table[sector_number & 63] is mentioned further above but
> might be "too far back" for many readers as it is one of the things that are 
> special about this encryption modes.

Agreed on both points. Could you have a look and see if you
find it clearer now in the new version?

Thanks a lot for your comments,

	Max