Alex Elsayed wrote:

> Christoph Anton Mitterer wrote:
>
>> On Mon, 2014-12-01 at 16:43 -0800, Alex Elsayed wrote:
>>> including that MAC-then-encrypt is fragile
>>> against a number of attacks, mainly in the padding-oracle category (See:
>>> TLS BEAST attack).
>>
>> Well but here we talk about disk encryption... how would the MtE oracle
>> problems apply to that? Either you're already in the system, i.e. beyond
>> disk encryption (and can measure any timing difference)... or you're
>> not, but then you cannot measure anything.
>
> Arguable. On a system with sufficiently little noise in the signal (say...
> systemd, on SSD, etc) you could possibly get some real information from
> corrupting padding on a relatively long extent used early in the boot
> process, by measuring how it affects time-to-boot.

To make this more concrete: Alice owns the computer, and has root. /etc/shadow
has the correct permissions. Eve has _an_ account, but does not have root - and
she wants it.

For simplicity, let's presume this is a laptop, Alice and Eve are sisters, and
Eve wants to peek at Alice's diary.

Eve can boot into a livecd, selectively corrupt blocks, and get Alice to unlock
the drive for a normal boot. With this, she can execute the padding oracle
attack against /etc/shadow, and deduce its contents.

The first rule of crypto is "Don't roll your own" largely because it is
_brutally_ unforgiving of minor mistakes.
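The structural point behind this thread, shown as an added example that is not part of the original mail: with MAC-then-encrypt the receiver must unpad before it can check the MAC, so a tamperer who can observe the outcome sees two distinguishable failures (bad padding vs. bad tag), which is the oracle; with encrypt-then-MAC and a constant-time tag check, every tampered blob fails the same way before padding is ever inspected. The block cipher here is a constructed XOR stand-in with no security, used only so the CBC chaining and padding logic can run offline; keys, IV and plaintext are constructed sample values.

```python
import hashlib, hmac

BLOCK, TAG = 16, 32
class BadPadding(Exception): pass
class BadTag(Exception): pass
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _pad(d): n = BLOCK - len(d) % BLOCK; return d + bytes([n]) * n   # PKCS#7
def _unpad(d):
    n = d[-1] if d else 0
    if not 1 <= n <= BLOCK or d[-n:] != bytes([n]) * n: raise BadPadding
    return d[:-n]
def _toy_block(key, blk):
    # Stand-in for a real block cipher (constructed for this example only): XOR with a
    # key-derived mask is invertible, so CBC chaining works, but it has no security at all.
    return _xor(blk, hashlib.sha256(key).digest()[:BLOCK])
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _toy_block(key, _xor(pt[i:i + BLOCK], prev)); out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_toy_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def mte_encrypt(ek, mk, iv, pt):   # MAC-then-encrypt: the tag sits under the cipher
    return cbc_encrypt(ek, iv, _pad(pt + hmac.new(mk, pt, "sha256").digest()))
def mte_decrypt(ek, mk, iv, ct):
    body = _unpad(cbc_decrypt(ek, iv, ct))        # can fail here (BadPadding) ...
    pt, tag = body[:-TAG], body[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mk, pt, "sha256").digest()):
        raise BadTag                              # ... or here: two distinguishable outcomes
    return pt

def etm_encrypt(ek, mk, iv, pt):   # encrypt-then-MAC: the tag covers IV and ciphertext
    ct = cbc_encrypt(ek, iv, _pad(pt))
    return ct + hmac.new(mk, iv + ct, "sha256").digest()
def etm_decrypt(ek, mk, iv, blob):
    ct, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mk, iv + ct, "sha256").digest()):
        raise BadTag                              # the only failure a tamperer can provoke
    return _unpad(cbc_decrypt(ek, iv, ct))        # padding is inspected only on authentic data

def observable_errors(decrypt, ek, mk, iv, blob, pos):
    """Failure kinds a tamperer can tell apart when byte `pos` of the blob is altered."""
    seen = set()
    for delta in range(1, 256):
        mod = bytearray(blob); mod[pos] ^= delta
        try: decrypt(ek, mk, iv, bytes(mod)); seen.add("ok")
        except (BadPadding, BadTag) as e: seen.add(type(e).__name__)
    return seen
```

Altering the last byte of the second-to-last ciphertext block yields both BadPadding and BadTag under MtE but only BadTag under EtM; whether a real system leaks that difference through timing or boot behaviour is exactly the question the thread is arguing about.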
