[ I agree it is not a backdoor since it requires a dictionary attack. ]
> Secondly, this does nothing at all for the attacker who wants to crack a
> single encrypted filesystem.
That's not true. This weakness allows the table to be precomputed without
more knowledge of the targeted system. At this point, the part of
the exploit that requires access to the crypto-loop device can be carried
out very quickly.
The second problem: if someone is able to have quick access to the
device, he just needs to read a known plain-text sector. With that
knowledge he can try a dictionary attack to recover the password without
Suppose you keep password-less SSH keys on a crypto-loop on a USB stick:
with the attack above, the crypto-loop will be broken into before you notice
the USB stick was stolen, so you may not have time to disable them before
they get used.