Wikipedia

Watermarking attack

In cryptography, a watermarking attack is an attack on disk encryption methods where the presence of a specially crafted piece of data can be detected by an attacker without knowing the encryption key.

Problem description

Disk encryption suites generally operate on data in 512-byte sectors which are individually encrypted and decrypted. These 512-byte sectors alone can use any block cipher mode of operation (typically CBC), but since arbitrary sectors in the middle of the disk need to be accessible individually, they cannot depend on the contents of their preceding/succeeding sectors. Thus, with CBC, each sector has to have its own initialization vector (IV). If these IVs are predictable by an attacker (and the filesystem reliably starts file content at the same offset to the start of each sector, and files are likely to be largely contiguous), then there is a chosen plaintext attack which can reveal the existence of encrypted data.

The problem is analogous to that of using block ciphers in the electronic codebook (ECB) mode, but instead of whole blocks, only the first block in different sectors is identical. The problem can be relatively easily eliminated by making the IVs unpredictable with, for example, ESSIV.[1]

Alternatively, one can use modes of operation specifically designed for disk encryption (see disk encryption theory). This weakness affected many disk encryption programs, including older versions of BestCrypt[2] as well as the now-deprecated cryptoloop.[3]

To carry out the attack, a specially crafted plaintext file is created for encryption in the system under attack, to "NOP-out" the IV[4] such that the first ciphertext block in two or more sectors is identical. This requires that the input to the cipher (plaintext, $P$, XOR initialisation vector, $IV$) for each block must be the same; i.e., $P_1 \oplus IV_1 = P_2 \oplus IV_2$. Thus, we must choose plaintexts, $P_1, P_2$ such that $P_1 \oplus P_2 = IV_1 \oplus IV_2$.

The ciphertext block patterns generated in this way give away the existence of the file, without any need for the disk to be decrypted first.
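The condition above can be checked end to end. The following is an added example, not code from the article or from any disk encryption product: it encrypts crafted sectors under CBC with a predictable sector-number IV and with ESSIV, and compares the first ciphertext blocks. Assumptions: a 4-round Feistel over HMAC-SHA256 stands in for the real block cipher, the predictable IV is the little-endian sector number, and all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 16    # block size in bytes of the stand-in cipher
SECTOR = 512  # sector size used in the article

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Stand-in block cipher (NOT AES): 4-round Feistel over HMAC-SHA256."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt_sector(key, iv, plaintext):
    """CBC over one sector; chaining never crosses the sector boundary."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def plain_iv(key, sector_no):
    """Predictable IV (assumed layout): the sector number itself."""
    return sector_no.to_bytes(BLOCK, "little")

def essiv(key, sector_no):
    """ESSIV: IV = E_{H(key)}(sector number), unknown without the key."""
    salt = hashlib.sha256(key).digest()
    return encrypt_block(salt, sector_no.to_bytes(BLOCK, "little"))

def crafted_sector(sector_no, marker):
    """First block = marker XOR predicted plain IV, so P_n XOR IV_n = marker."""
    first = xor(marker, sector_no.to_bytes(BLOCK, "little"))
    return first + bytes(SECTOR - BLOCK)  # constructed zero filler

def first_blocks_collide(iv_func, key, sectors, marker):
    """True if every listed sector encrypts to the same first block."""
    firsts = {
        cbc_encrypt_sector(key, iv_func(key, n), crafted_sector(n, marker))[:BLOCK]
        for n in sectors
    }
    return len(firsts) == 1
```

With `plain_iv` the first ciphertext block repeats across the chosen sectors; with `essiv` the same crafted plaintext no longer lines up, because the IVs cannot be predicted without the key.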

See also

  * Disk encryption theory
  * Initialization vector
  * Block cipher modes of operation
  * Watermark

References

  1. Fruhwirth, Clemens. "Linux hard disk encryption settings". Retrieved 2006-01-02.
  2. Chiriliuc, Adal (2003-10-23). "BestCrypt IV generation flaw". Retrieved 2023-05-21.
  3. Saarinen, Markku-Juhani O. (2004-02-19). "Linux for the Information Smuggler". Helsinki University of Technology. CiteSeerX 10.1.1.117.4062. Retrieved 2006-10-01.
  4. Gattol, Markus. "Redundancy, the Watermarking Attack and its Countermeasures".

Retrieved from https://en.wikipedia.org/w/index.php?title=Watermarking_attack&oldid=1211228532