tech-crypto archive
Re: Re: [patch] cgd
Date: Thu, 2 Dec 2010 03:39:10 +0000
From: "Roland C. Dowdeswell" <elric%imrryr.org@localhost>
> This brings up an interesting point which is that you are effectively
> discussing that the ``protocol'' defined here is susceptible to a
> replay attack.
Yes. What I was getting at a little more generally is that the
`protocol' is badly broken if an attacker can modify the disk. In
other words: throw it out and recover from backups. I ought to have
stated that outright, but instead I just said that cgd doesn't provide
authenticity or integrity.
> The best that you could do is
> force the attacker to have to rewind the entire disk to a previous
> state rather than simply rewinding sectors at a time or ciphertext
> blocks at a time given the constraints of the problem. Using an
> HMAC can't completely solve this problem.
If you can force the attacker to rewind the entire disk, perhaps a
timestamp on the disk could do the trick, if the user can remember
the last time he wrote to the disk. However, I don't know how to
force the attacker to rewind the entire disk, at the disk layer.
(With cryptographic integrity checks in the file system, perhaps --
how's ZFS on NetBSD coming?)
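The distinction drawn in this exchange (a per-sector HMAC catches modification but not the replay of an earlier authentic sector, and only state the user keeps off the disk catches a whole-disk rewind) can be shown with a small constructed model. This is an added example written for this archive page; it is not code from the thread, from cgd, or from NetBSD. The `AuthenticatedDisk` class, the 16-byte sector size, the demo key and the sample sector contents are all constructed for illustration, and the whole-disk root is a keyed hash over the sector tags standing in for the "timestamp the user remembers".

```python
import hashlib
import hmac

SECTOR_SIZE = 16  # toy sector size chosen for the demo, not cgd's


def pad(payload: bytes) -> bytes:
    """Right-pad a short payload to one toy sector."""
    return payload.ljust(SECTOR_SIZE, b".")


def sector_tag(key: bytes, index: int, data: bytes) -> bytes:
    """Per-sector MAC bound to the sector index, so sectors cannot be swapped."""
    return hmac.new(key, index.to_bytes(8, "big") + data, hashlib.sha256).digest()


def disk_root(key: bytes, tags: list) -> bytes:
    """Keyed hash over all sector tags: a fingerprint of the whole-disk state."""
    return hmac.new(key, b"".join(tags), hashlib.sha256).digest()


class AuthenticatedDisk:
    """Constructed model: per-sector HMACs plus a whole-disk root kept on the disk itself."""

    def __init__(self, key: bytes, nsectors: int):
        self.key = key
        self.data = [bytes(SECTOR_SIZE) for _ in range(nsectors)]
        self.tags = [sector_tag(key, i, d) for i, d in enumerate(self.data)]
        self.root = disk_root(key, self.tags)

    def write(self, index: int, payload: bytes) -> None:
        self.data[index] = pad(payload)
        self.tags[index] = sector_tag(self.key, index, self.data[index])
        self.root = disk_root(self.key, self.tags)

    def read(self, index: int) -> bytes:
        """Return sector contents, or raise if the per-sector MAC does not verify."""
        expected = sector_tag(self.key, index, self.data[index])
        if not hmac.compare_digest(self.tags[index], expected):
            raise ValueError(f"sector {index}: MAC mismatch")
        return self.data[index]

    def root_ok(self, reference: bytes) -> bool:
        """Recompute the whole-disk root from the tags and compare with a reference copy."""
        return hmac.compare_digest(disk_root(self.key, self.tags), reference)


KEY = b"constructed demo key, not a real cgd key"


def run_scenarios() -> dict:
    """Walk through tampering, single-sector rewind and whole-disk rewind."""
    disk = AuthenticatedDisk(KEY, 8)
    disk.write(3, b"balance=100")
    # Someone with raw access to the medium snapshots one sector and the whole disk.
    old_sector = (disk.data[3], disk.tags[3])
    old_disk = ([*disk.data], [*disk.tags], disk.root)
    # Legitimate later activity by the owner.
    disk.write(3, b"balance=10")
    disk.write(5, b"log=withdrew 90")
    remembered_root = disk.root  # off-disk copy: the "timestamp the user remembers"

    results = {}

    # 1. Plain modification of a sector: the per-sector MAC catches it.
    disk.data[5] = pad(b"log=nothing")
    try:
        disk.read(5)
        results["mac_detects_tamper"] = False
    except ValueError:
        results["mac_detects_tamper"] = True
    disk.write(5, b"log=withdrew 90")  # restore the legitimate state

    # 2. Rewind one sector to an earlier *authentic* version: MAC verifies,
    #    only the whole-disk root (which the rewinder cannot recompute) disagrees.
    disk.data[3], disk.tags[3] = old_sector
    try:
        disk.read(3)
        results["mac_detects_sector_rollback"] = False
    except ValueError:
        results["mac_detects_sector_rollback"] = True
    results["root_detects_sector_rollback"] = not disk.root_ok(disk.root)
    disk.write(3, b"balance=10")  # restore the legitimate state

    # 3. Rewind the entire disk, root included: everything on the medium is
    #    self-consistent, so only state kept off the disk can notice.
    disk.data, disk.tags, disk.root = [*old_disk[0]], [*old_disk[1]], old_disk[2]
    results["on_disk_root_detects_full_rollback"] = not disk.root_ok(disk.root)
    results["remembered_root_detects_full_rollback"] = not disk.root_ok(remembered_root)
    return results


if __name__ == "__main__":
    for name, detected in run_scenarios().items():
        print(f"{name}: {'detected' if detected else 'NOT detected'}")
```

Binding every sector tag into one keyed root is what forces a whole-disk rewind rather than a sector-at-a-time one; the last scenario shows that this buys nothing unless the root (or a timestamp or counter standing in for it) lives somewhere the disk layer cannot be rolled back, which is the gap the message points at.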