

Question

In a blog post I recently read called "You Don't Want XTS," the author explains some of the pitfalls of using XTS to encrypt filesystems. Specifically, he recommends against ever sharing encrypted file-based filesystems over services like Dropbox when the file-based disk is encrypted in XTS.

Since TrueCrypt offers a fairly easy way to create encrypted file-based filesystems, I've used it in the past for keeping things safe when I need to transport around a filesystem on a thumb drive or over the internet.

Seeing as dm-crypt uses AES-CBC with an ESSIV by default instead of XTS, does it fall victim to the same vulnerabilities as TrueCrypt does in XTS?

Explanation / Answer

The criticisms about XTS make sense in a context where attackers can observe successive versions of the encrypted disk (i.e. the attacker steals your laptop, makes an image of the whole disk, then puts the laptop back in your bag, and you did not notice anything; and he does it again tomorrow, and the day after tomorrow, and so on...). With XTS, every 16-byte block gets encrypted by itself, so the attacker may notice when two successive versions of the same encrypted block (the same 16-byte block within the same sector of the hard disk) contain the same data. This potentially allows for traffic analysis. If the attacker goes active, then he can put back an old version of any block, and can do so for all blocks independently.

With CBC+ESSIV, each sector has its own IV, so our recurring attacker can notice when a new version of a sector begins with the same sequence of blocks as a previous version. CBC is such that if two plaintext blocks differ at some point in a sector, the remaining blocks in that sector will diverge. In that sense, compared to XTS, the attacker's abilities for traffic analysis of CBC+ESSIV are reduced. For instance, if two versions of a given sector use the same plaintext value for the 13th block, this will be apparent with XTS, not so with CBC (unless the versions for the 12 previous sectors are also unchanged).

On the other hand, an active attacker is often happier with CBC, because he can alter bits at will within a block (provided that he does not mind replacing the previous block with uncontrollable random junk).

So no, dm-crypt does not have the exact same vulnerabilities as TrueCrypt. The envisioned scenarios (repeated eavesdropping of the same disk, hostile alterations...) are not the primary goal of full-disk encryption; really, FDE was meant for the "stolen laptop" situation, in which you don't get it back, ever. Neither solution behaves well against a more industrious attacker, but they don't fail in exactly the same ways.
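The following is an added illustration of the two properties the answer describes, not code from the original post or from dm-crypt/TrueCrypt. It encrypts one 512-byte sector with AES-XTS and with AES-CBC under an ESSIV, then (a) rewrites a single plaintext block and reports which ciphertext blocks an observer of two disk images would see unchanged, and (b) flips one ciphertext bit and reports what each mode does on decryption. It uses the `cryptography` package; the ESSIV construction (IV = AES under SHA-256 of the key, applied to the little-endian sector number) and the little-endian 128-bit XTS tweak are assumptions modelled on dm-crypt's `essiv:sha256` and `plain64` conventions, and the key, sector number and plaintext are constructed sample values.

```python
"""Compare AES-XTS and AES-CBC-ESSIV on one sector: which ciphertext blocks
stay equal when one plaintext block changes, and what a flipped ciphertext
bit does on decryption. Added example; requires the `cryptography` package."""
import hashlib

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16                  # AES block size in bytes
SECTOR = 512                # classic dm-crypt sector: 32 AES blocks
KEY = bytes(range(32))      # constructed 256-bit key (AES-256 for CBC; AES-128 key pair for XTS)
SECTOR_NO = 7               # constructed sector number


def _blocks(buf: bytes):
    """Split a buffer into 16-byte AES blocks."""
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]


def _xts_cipher(key: bytes, sector_no: int) -> Cipher:
    # Assumed tweak layout: sector number as a little-endian 128-bit value (plain64-style)
    return Cipher(algorithms.AES(key), modes.XTS(sector_no.to_bytes(BLOCK, "little")))


def xts_encrypt(key: bytes, sector_no: int, data: bytes) -> bytes:
    enc = _xts_cipher(key, sector_no).encryptor()
    return enc.update(data) + enc.finalize()


def xts_decrypt(key: bytes, sector_no: int, data: bytes) -> bytes:
    dec = _xts_cipher(key, sector_no).decryptor()
    return dec.update(data) + dec.finalize()


def essiv(key: bytes, sector_no: int) -> bytes:
    """Assumed essiv:sha256 construction: IV = AES_{SHA-256(key)}(sector_no, little-endian, zero padded)."""
    iv_key = hashlib.sha256(key).digest()
    enc = Cipher(algorithms.AES(iv_key), modes.ECB()).encryptor()
    return enc.update(sector_no.to_bytes(BLOCK, "little")) + enc.finalize()


def cbc_essiv_encrypt(key: bytes, sector_no: int, data: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.CBC(essiv(key, sector_no))).encryptor()
    return enc.update(data) + enc.finalize()


def cbc_essiv_decrypt(key: bytes, sector_no: int, data: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(essiv(key, sector_no))).decryptor()
    return dec.update(data) + dec.finalize()


def unchanged_blocks(old_ct: bytes, new_ct: bytes):
    """Indices of ciphertext blocks that are identical between two images of the sector."""
    return [i for i, (a, b) in enumerate(zip(_blocks(old_ct), _blocks(new_ct))) if a == b]


def leakage_comparison(changed_block: int = 3):
    """Rewrite one plaintext block; return (xts_unchanged, cbc_unchanged) block indices."""
    old_pt = bytes([0x41]) * SECTOR                  # constructed "version 1" of the sector
    new_pt = bytearray(old_pt)
    new_pt[changed_block * BLOCK] ^= 0xFF            # "version 2" differs in exactly one block
    new_pt = bytes(new_pt)
    xts_same = unchanged_blocks(xts_encrypt(KEY, SECTOR_NO, old_pt),
                                xts_encrypt(KEY, SECTOR_NO, new_pt))
    cbc_same = unchanged_blocks(cbc_essiv_encrypt(KEY, SECTOR_NO, old_pt),
                                cbc_essiv_encrypt(KEY, SECTOR_NO, new_pt))
    return xts_same, cbc_same


def flip_comparison(target_block: int = 5, mask: int = 0x01):
    """Flip one bit of the ciphertext block preceding `target_block`, then decrypt.

    Returns (cbc_prev_garbled, cbc_target_bit_flipped, xts_changed_blocks).
    """
    pt = bytes(range(256)) * 2                        # constructed 512-byte plaintext
    orig = _blocks(pt)
    # CBC: the previous ciphertext block is XORed into the target plaintext block on decryption,
    # so the flipped bit reappears there unchanged while the previous block decrypts to junk.
    ct = bytearray(cbc_essiv_encrypt(KEY, SECTOR_NO, pt))
    ct[(target_block - 1) * BLOCK] ^= mask
    dec = _blocks(cbc_essiv_decrypt(KEY, SECTOR_NO, bytes(ct)))
    cbc_prev_garbled = dec[target_block - 1] != orig[target_block - 1]
    expected = bytes([orig[target_block][0] ^ mask]) + orig[target_block][1:]
    cbc_target_bit_flipped = dec[target_block] == expected
    # XTS: the flipped bit scrambles only the block it sits in; neighbours are untouched.
    xct = bytearray(xts_encrypt(KEY, SECTOR_NO, pt))
    xct[(target_block - 1) * BLOCK] ^= mask
    xdec = _blocks(xts_decrypt(KEY, SECTOR_NO, bytes(xct)))
    xts_changed = [i for i in range(len(orig)) if xdec[i] != orig[i]]
    return cbc_prev_garbled, cbc_target_bit_flipped, xts_changed


if __name__ == "__main__":
    print("unchanged blocks after one-block rewrite (XTS, CBC-ESSIV):", leakage_comparison())
    print("one flipped ciphertext bit (CBC prev garbled, CBC target bit flipped, XTS blocks changed):",
          flip_comparison())
```

Running it shows the asymmetry the answer describes: after the one-block rewrite, XTS leaves 31 of 32 ciphertext blocks identical while CBC-ESSIV leaves only the blocks before the change identical, and a flipped ciphertext bit under CBC garbles one block while reproducing the flip in the next, whereas under XTS it scrambles a single block and nothing else. Neither mode detects the modification, which is the reason integrity for block devices has to come from a separate layer (dm-crypt's `integrity` option with an authenticated mode, or filesystem checksums) rather than from the encryption mode itself.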