|
| From: | phcoder |
| Subject: | Re: GRUB hardened boot framework |
| Date: | Fri, 27 Feb 2009 23:55:55 +0100 |
| User-agent: | Thunderbird 2.0.0.19 (X11/20090105) |
I'm no crypto expert, but I was under the impression that when the data is encrypted, measurement comes "for free": if someone tampered it, you'd be unable to decrypt. Is this correct?
It's not. Encryption is permutation
E_{key,sector} (P) -> C
Which permutes transforms plaintext P to ciphertext P. Without knowing
the key an attacker still can reuse the values he has already seen (e.g.
if he has an image of FS at previous date).
He can also replace the sector with anything. He can't predict to what
it will be decrypted but not to what it originally was
Additionally most current modes subdivide sectors in 16-byte blocks. And
how a block is encrypted depends on previous but not next blocks in
sector. Then if attacker knows where the authentication is he can
rewrite this place with anything. It will decrypt to garbage and with
some quite high probability it won't crash and will let the attacker in.
With XTS block encryptions depends neither on previous nor on next block
. So attacker doesn't even need the authenthication code to be at the
end of the sector.
In various CBC modes if an attacker replaces sector A with sector B
first block of sector B will decrypt to garbage but the rest will
decrypt just fine. It can be used for e.g. launching printk to output
the encryption keys.
In conclusion encryption doesn't check for modifications. Some
encryption systems do it additionally through separate mechanism but
encryption itself does no such thing
-- Regards Vladimir 'phcoder' Serbinenko
| [Prev in Thread] | Current Thread | [Next in Thread] |