Watermarking attack
From Wikipedia, the free encyclopedia
In cryptography, a watermarking attack is an attack on disk encryption methods where the presence of a specially crafted piece of data (e.g., a decoy file) can be detected by an attacker without knowing the encryption key. Watermarking attacks are generally a result of flawed initialization vector generation when used with the cipher-block chaining (CBC) mode, for example, where the vector repeats ("wraps around") every known number of sectors, or is otherwise predictable.
[edit] Problem description
Disk encryption suites generally operate on data in 512-byte sectors which are individually encrypted and decrypted. These 512-byte sectors alone can use any block cipher mode of operation (typically CBC), but since arbitrary sectors in the middle of the disk need to be accessible individually, they cannot depend on the contents of their preceding/succeeding sectors. Thus, each sector alone has to use an initialization vector (IV). If these IVs are predictable, then a maliciously created file can be generated to "NOP-out" the IV, causing different blocks on the encrypted disk to have identical sectors, or at least the first block in a number of sectors to be identical. The sector patterns generated in this way can give away the existence of the specially created file, without any need for the disk to be decrypted first. The problem is analogous to that of using block ciphers in the electronic codebook (ECB) mode, but instead of whole blocks, only the first block in different sectors are identical.
This weakness affected many full disk encryption suites, including older versions of BestCrypt[1] as well as the now-deprecated cryptoloop,[2] though can be relativly easily eliminated by making the IVs non-predictable; as seen in FreeOTFE (ESSIV), or using a different mode altogether as in TrueCrypt (LRW).
