LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

A weak cryptoloop implementation in Linux?

A weak cryptoloop implementation in Linux?

Posted Jan 23, 2004 20:52 UTC (Fri) by Ross (subscriber, #4065)
In reply to: A weak cryptoloop implementation in Linux? by spudbeach
Parent article: A weak cryptoloop implementation in Linux?

Wouldn't that cause severe problem for a random-access read/write block
device? A change to a block would require reading, decrypting,
reencrypting, and finally re-writing every block that came after it!

(Log in to post comments)

A weak cryptoloop implementation in Linux?

Posted Oct 5, 2005 18:05 UTC (Wed) by kokopelli (guest, #11341) [Link]

You always have to read and write a complete disk page. Each page should be handled independently for various reasons. The only information that should "leak" into the encryption process is the absolute or relative block offset - as others mentioned it's used to set up a different 'initialization vector' for each page. (Global or per-page salt would also end up in the IV.)

Block ciphers will typically encrypt 8 to 32 bytes as a unit. If they're run independently you get a 'codebook' cipher - vulnerable to known-text attack anywhere within the disk page. If they're chained you're only vulnerable for the first cipher block of each page. There's no real cost to chaining as long as it doesn't extend beyond the disk page.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds