Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

? What's wrong with CTR? CTR is basically an OTP. Being OTP, encryption and decryption are basically the same construction (thank you XOR).

    cipherblockdata = blockcipher(key, nonce . block #) ^ plainblockdata
    plainblockdata = blockcipher(key, nonce . block #) ^ cipherblockdata
If MAC is needed, that can happen after encrypting, before decrypting. (Needed if bytes traverse network, but maybe not for local disk or file encryption unless.)

Edit fixed my maths:



It's explained pretty well in the article. Basically with CTR using the block # as the nonce you break the security assumptions of a nonce (use only once). If the cryptofunc is static, and you are editing a document in place, an attacker can see exactly which bytes changed and do other statistical attacks.

Think about a file that you preallocate with NULLs. If you get an image of the disk before you write to the file and then an image once you write to the file, you can simply XOR the before and after to get the ciphertext.

e.g.

  using block 100
  cipherblock_before = cryptofunc(100) ^ 0x00 = cryptofunc(100)
  cipherblock_after = cryptofunc(100) ^ data
  cipherblock_after ^ cipherblock_before = data


Yes, it's a known weakness. You have to rekey every X blocks.


No, rekeying does not solve that problem, not to mention which you've just handwaved a hard problem (varying the key over different sectors). That's doable (though it again doesn't fix the problem with your proposal), but the resulting mode isn't CTR.


Yes it does, and it's still CTR.

Further, every solution is going to have other machinery solving specific concerns.

You don't call XTS something else because you've used scrypt or PBKDF2 as the PBKDF.

Work is work.


This is a sequence of non-sequiturs, none of which respond to my comment. I'll make it easier for you:

Propose a scheme whereby you use AES-CTR to encrypt a 100 megabyte disk of 512-byte sectors, whereby the scheme "rekeys" every "few sectors". Be specific.


Don't need your "help," don't care.

"It's unreasonable to debate with an unreasonable person."

Bye.


CTR is not a one-time pad. Read the article: it discusses using CTR for disk encryption.


Pretty hilariously wrong, and you know it.

Supposed OTP constructions are defined as

e(i) == E(...) ^ m(i)

m(i) == D(...) ^ e(i)

where E(...) = D(...)

and where ... doesnt contain any of the following

e(j) for any j

m(k) for any k

j and k in same domain as i

Then, take a look at CTR...

CTR is E(i) = blockcipher(key, nonce . i) and D(i) = E(i)

e(i) == blockcipher(key, nonce . i) ^ m(i)

m(i) == blockcipher(key, nonce . i) ^ e(i)

(i == counter, since it's the same in this example where counter and blocks start at the same number)

Therefore CTR is an OTP.


CTR isn't an OTP in the classic sense of OTP, because you rely on the security of blockcipher. For example, if you used blockcipher=single DES, the attacker can break the cipher by breaking single DES by brute force.

Indeed, even if blockcipher=AES256, the attacker can still break CTR by merely guessing key in 2²⁵⁶ operations. (Likely only one such value of key will yield meaningful plaintext throughout the entire multi-block message.) That is contrary to the information-theoretic security property of OTP, where the attacker can't tell whether they've correctly guessed the key.

More to tptacek's point, if you're using the block offset as i, then if you write the same block 30 times, you used the same value blockcipher(key, nonce . i) each time. That isn't a one-time use of that part of the pad, it's a 30-time use of that part of the pad. It's extremely possible that an attacker who has observed all 30 ciphertexts can actually decrypt many of them in combination. In Boneh's Coursera class, we did it successfully with like 4 or 5 ciphertexts, and I've seen a paper that describes doing it automatically for the majority of the text with only two ciphertexts, assuming the plaintext is English written in ASCII.


That's trivial to add on, outside of CTR.

You have a system of keys derived from a master key. Too many bytes encrypted with one key? Use a new key for subsequent writes.

(And for god's sake use a PBKDF to derive a master key from a password, don't memcpy() it directly.)


Can I suggest you reread the article? I felt bad that I spent so much time on the mechanics of tweakable ciphers because people didn't really need to understand them to see why not to use XTS, but here you've vindicated all those paragraphs by stating the exact problem they solve, and did it be presenting an unsafe alternative to them.


Unsafe for what, how? You're making all sorts of claims and now an accusation without backing them up with a shred of evidence.

XTS is only useful for FDE, everything else should look for simpler constructions.

Maybe you need to read:

http://cactus.eas.asu.edu/partha/Teaching/539-CommonFiles/Cr...

Would really appreciated if you would know you're talking about and provide evidence before saying "it's wrong" or "it's bad advice."


Did you just propose a disk encryption scheme whereby PBKDF2 is called on a sector by sector basis?

Later: FWIW, it looks like the parent comment was edited after I wrote this.


Absolutely not, that would NOT SCALE.

Again, you're making accusations, shifting the conversation without providing evidence. Talking with you is pointless.


So when I "derive a new key" for a sector when it gets "rewritten", that key comes from...


Presumably the sector key is derived from the master key using one of the numerous fast KDFs, with PBKDF used only to derive the master key from the password. That's the obvious way to do it and midas007 explicitly mentions PBKDF as a way to generate a master key from a password with sector keys derived from that master key using some unspecified technique. You appear to have come up with your own obviously daft way of implementing the suggestion and then criticized that rather than the original proposal. Please don't do that.


Did you just propose running a KDF for every sector of the disk? Which of these numerous "fast KDFs" that derive related keys from master keys are you referring to?


Dunno, probably a generic HMAC-based one if for some weird reason I felt the urge to implement a crypto system that worked this way. Could probably use KDF1 or another KDF in that family too. (Honestly, there's probably no good reason to do things this way, it's just not obviously broken or infeasable.)


First, running an HMAC for every sector would be extremely slow.

Second, KDF1 would be even slower.

Third, you still haven't explained how KDF1 or HMAC takes you from the master key, derived from the user's password, to several million per-sector keys. What's the relationship between the keys?

Fourth, deriving keys from other keys is potentially dangerous; it's something you avoid doing if you can.

Fifth, as the article mentions, one of the reasons nothing in the universe does this is that running the key schedule millions of times is itself pointlessly time-consuming.

Sixth, you're running CTR mode deterministically. As the article points out, you can't do that: every time you alter a sector, you'll be encrypting data under the same keystream. Higher-level code gets to use CTR because it can arrange to randomize it, but in sector-level crypto you don't get to store a nonce.

What's frustrating to me here is that you basically just made a bunch of stuff up, and then feigned offense that I wouldn't have taken this nonsensical scheme seriously. But that's what it is: nonsensical. Nobody generates individual keys per sector. The article covers this: you'd like to do that, but it's too difficult.

Hence tweakable ciphers.

Lodge objections with Liskov, Rivest, Wagner, and Rogaway, not me.


> every time you alter a sector, you'll be encrypting data under the same keystream

I'm not sure that everybody has developed the intuition that this is horrifically dangerous. Maybe point them to something like

http://www.cs.jhu.edu/~jason/papers/mason+al.ccs06.pdf


That looks like the definition of a symmetric stream cipher, not OTP. You're missing the part where the OTP keystream has to be truly random. The output of a block cipher in CTR mode is not truly random.


Indistinguishable from a PRF A good block cipher satisfied this property, otherwise it's not a PRF and insecure.

Hair-splitting, really. Actual OTP is an imaginary construction that requires an endless supply of truly random bits that have to be securely stored or somehow recreated during decryption. It shifts the hard part to that fn, and just XORs the result with the pt or ct block.


No. What you've done here is redefined "OTP" to mean "any stream cipher". No.


That's the whole point of OTP as an imaginary construction!

It's a way to take any block cipher and turn it into a stream cipher with the power of XOR.

(I'm only going to ask this nicely once: cease and desist stalking and harassment.)


No, you have your terminology thoroughly confused. An OTP is an information-theoretically secure cipher where the key is as long as the plaintext. The only relationship between a one-time pad and CTR is the XOR operation. Furthermore, the article you're responding to explains what's wrong with simple stream ciphers for disk sector encryption.


No.


Uh, yeah, except not a cryptographic hash function, first of all :-)

Secondly, CTR has serious issues too. It is trivial to bit-fiddle. The naive implementation you're suggesting leaks the keystream in one CCA query.

Just because CTR in and of itself is easy to get right doesn't mean that any system composed using CTR is easy to get right.


The trivial malleability of CTR is apparently why NIST rejected it, but it's important to remember that most unauthenticated block cipher modes are malleable, including XTS.


Fixed.

That's beyond the scope of which mode, but it's important. However the less code one has, the fewer places there are for things to hide.


No, malleability is not beyond the scope of which "mode" you encrypt something with. That's like saying that security is beyond the scope of which "mode" you encrypt with. People used to believe you could divorce confidentiality from integrity, back in the 1990s, but that turned out not to me true, due to adaptive chosen ciphertext attacks.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: