undefined | Better HN

0 pointsPerseids11y ago0 comments

> You can’t authenticate the data. Authenticating every sector is too expensive. Try to (painfully) authenticate the whole disk and any disk error trashes the disk. Maybe your users enjoy exciting games of chance? Authenticate arbitrary groups of sectors and you can play Russian Roulette with your files. (http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/)

Out of interest: Doesn't the use of error detecting filesystems like ZFS and Btrfs solve the authentication problem? I don't have anything resembling a formal argument, but intuitively having each block checked in a Merkle tree like fashion should inhibit attacks where attackers can only change blocks in a random manner or restore old backups of the blocks. Of course time traveling - i.e. replaying - the file system as whole is still possible, but selectively manipulating the data should not.

0 comments

tptacek11y ago

It would probably make the exploit harder (unless the exploit targets the filesystem code itself), but there are almost always subtle gaps between "breaking the exploit" and "fixing the vulnerability". This is a fun question to dig into, though.

This is also very similar to the tactic of using an encrypted message digest in place of a MAC. The whole point of a MAC is that it can't be calculated without the secret that provides its security, and so schemes that use digests instead are (a) harder to attack than systems that do nothing and (b) still broken.

alcari11y ago

The ZFS crypto implementation (which isn't really available outside Oracle's Solaris) uses AES-GCM, which solves the authentication problem.

tptacek11y ago

If you have filesystem encryption, block-level encryption is probably unnecessary. Filesystem encryption is in most ways superior to block-level crypto.

undefined011y ago

Do you know of any software (maybe it's possible with Truecrypt?) to have full disk encryption with a hidden volume for Linux? I remember Truecrypt only worked on Windows with this feature. As Windows can auto-update your computer even when you disable it in the settings, I wouldn't want to use it.

YAYERKA11y ago

The comparisons between filesystem-level vs. block-level encryption that I've encountered usually make a common distinction; namely that file metadata is still present when only applying fs-level encryption. What are some attributes of fs-level encryption that would make it a superior choice over block-level?

1 more reply

j / k navigate · click thread line to collapse

0 pointsPerseids11y ago0 comments

0 comments

tptacek11y ago

alcari11y ago

The ZFS crypto implementation (which isn't really available outside Oracle's Solaris) uses AES-GCM, which solves the authentication problem.

tptacek11y ago

If you have filesystem encryption, block-level encryption is probably unnecessary. Filesystem encryption is in most ways superior to block-level crypto.

undefined011y ago

YAYERKA11y ago

1 more reply

j / k navigate · click thread line to collapse