Watermarking attack
In cryptography, a watermarking attack is an attack on disk encryption methods where the presence of a specially crafted piece of data (e.g., a decoy file) can be detected by an attacker without knowing the encryption key.
Problem description
Disk encryption suites generally operate on data in 512-byte sectors which are individually encrypted and decrypted. Within a sector any block cipher mode of operation can be used (typically CBC), but because arbitrary sectors in the middle of the disk must be readable and writable on their own, the encryption of a sector cannot depend on the contents of its preceding or succeeding sectors. Thus, with CBC, each sector has to have its own initialization vector (IV), and in the simplest schemes the IV is derived directly from the sector number (cryptoloop, for example, used the sector number itself as the IV).
If these IVs are predictable by an attacker (and the filesystem reliably starts file content at the same offset from the start of each sector, and files are likely to be largely contiguous), then there is a chosen-plaintext attack which can reveal the existence of encrypted data, as follows. A special plaintext file is created and written to the disk encrypted by the method under attack, such that the first ciphertext block in two or more different (perhaps adjacent) sectors is identical. In CBC the first ciphertext block of a sector is the block cipher applied to (plaintext block XOR IV), so this requires that plaintext block 1 XOR IV 1 is identical to plaintext block 2 XOR IV 2, i.e. that plaintext block 1 XOR plaintext block 2 is identical to IV 1 XOR IV 2. Knowing the IVs is enough to choose such plaintext blocks; the key is never needed. The pattern of repeated ciphertext blocks then gives away the existence of the file to anyone who can inspect the raw disk, without any need for the disk to be decrypted first.
The problem is analogous to that of using block ciphers in electronic codebook (ECB) mode, but instead of every block, only the first blocks of different sectors are identical.
This weakness affected many disk encryption programs, including older versions of BestCrypt as well as the now-deprecated cryptoloop.
The problem can be relatively easily eliminated by making the IVs unpredictable, for example with ESSIV (encrypted salt-sector IV), which derives each sector's IV by encrypting the sector number under a key obtained by hashing the disk key; an attacker who does not know the key then cannot compute IV 1 XOR IV 2 and so cannot choose the matching plaintext blocks. Alternatively, one can use modes of operation specifically designed for disk encryption, such as XTS (see disk encryption theory).
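The following script is a worked demonstration of the attack described under Problem description and of the ESSIV countermeasure above. It is added here as an illustration and is not code from the article, from BestCrypt or from cryptoloop. To keep it runnable on the Python standard library alone, AES is replaced by a toy 16-byte Feistel cipher built from SHA-256; the attack depends only on the XOR structure of CBC, not on the cipher, so the behaviour is the same with AES. The sector layout, the "plain" sector-number IV, the demo key, the crafted and "innocent" sector contents and all function names are constructed for this example.

```python
"""Watermarking attack on per-sector CBC with predictable IVs, and the ESSIV fix.

Added example, not code from the article, BestCrypt or cryptoloop. AES is replaced
by a toy 16-byte Feistel cipher built on SHA-256 so the script runs offline on the
standard library; the attack only uses the XOR algebra of CBC and works the same way
with AES.
"""
import hashlib
from collections import Counter
from typing import List

BLOCK = 16     # cipher block size in bytes (same as AES)
SECTOR = 512   # disk sector size; each sector is an independent CBC chain
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to the 8-byte half width.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (balanced Feistel network); stand-in for AES."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt (shows the toy cipher is a permutation)."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt_sector(key: bytes, iv: bytes, sector: bytes) -> bytes:
    """CBC over one sector. The first ciphertext block is E_K(P_0 XOR IV)."""
    assert len(sector) == SECTOR
    out, prev = [], iv
    for off in range(0, SECTOR, BLOCK):
        prev = block_encrypt(key, _xor(sector[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


# --- IV schemes --------------------------------------------------------------
def plain_iv(key: bytes, sector_no: int) -> bytes:
    """'plain' IV (cryptoloop style): the sector number itself. Predictable."""
    return sector_no.to_bytes(BLOCK, "little")


def essiv(key: bytes, sector_no: int) -> bytes:
    """ESSIV: encrypt the sector number under a key derived by hashing the disk
    key. Without the key the attacker cannot compute IV_i XOR IV_j."""
    salt = hashlib.sha256(key).digest()
    return block_encrypt(salt, sector_no.to_bytes(BLOCK, "little"))


def encrypt_disk(key: bytes, sectors: List[bytes], iv_scheme, first_sector=0):
    return [cbc_encrypt_sector(key, iv_scheme(key, first_sector + n), s)
            for n, s in enumerate(sectors)]


# --- attacker side -----------------------------------------------------------
def craft_watermark(n_sectors: int) -> List[bytes]:
    """Plaintext sectors with P_i XOR P_j = IV_i XOR IV_j under the plain-IV scheme.

    Choosing P_n = n (little-endian block) makes P_n XOR plain_iv(s + n) == s for
    every n whenever s is a multiple of n_sectors (a power of two), so the file
    watermarks itself wherever the filesystem places it on such a boundary."""
    assert n_sectors & (n_sectors - 1) == 0, "use a power of two for alignment"
    filler = bytes(SECTOR - BLOCK)   # rest of each sector is irrelevant to block 0
    return [n.to_bytes(BLOCK, "little") + filler for n in range(n_sectors)]


def watermark_score(ciphertext_sectors: List[bytes]) -> int:
    """Largest number of sectors sharing an identical first ciphertext block.
    With 128-bit blocks a repeat on a disk without the watermark is negligible."""
    counts = Counter(c[:BLOCK] for c in ciphertext_sectors)
    return max(counts.values()) if counts else 0


def run_demo(first_sector: int = 4096) -> dict:
    """Encrypt the crafted file and an innocent one at first_sector; score both."""
    key = hashlib.sha256(b"constructed demo key, not a real disk key").digest()
    marked = craft_watermark(8)
    innocent = [hashlib.sha256(b"innocent %d" % n).digest() * (SECTOR // 32)
                for n in range(8)]
    return {
        "plain_iv_marked": watermark_score(encrypt_disk(key, marked, plain_iv, first_sector)),
        "plain_iv_innocent": watermark_score(encrypt_disk(key, innocent, plain_iv, first_sector)),
        "essiv_marked": watermark_score(encrypt_disk(key, marked, essiv, first_sector)),
    }


if __name__ == "__main__":
    print(run_demo())   # {'plain_iv_marked': 8, 'plain_iv_innocent': 1, 'essiv_marked': 1}
```

With the plain sector-number IV, all eight crafted sectors produce the same first ciphertext block whenever the file lands on an 8-sector boundary (run_demo(0) and run_demo(4096) both score 8), while ordinary data and the same file under ESSIV score 1. Calling run_demo(3) places the file off that boundary and the score drops to 2: this is the article's assumption that the filesystem keeps the file contiguous and at a predictable offset, and a real attacker would pick the sector pairs to match the filesystem's allocation granularity.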
See also
- Disk encryption theory
- Initialization vector
- Block cipher modes of operation
- Watermark