Watermarking attack

From Wikipedia, the free encyclopedia

In cryptography, a watermarking attack is an attack on disk encryption methods where the presence of a specially crafted piece of data (e.g., a decoy file) can be detected by an attacker without knowing the encryption key.

[edit] Problem description

Disk encryption suites generally operate on data in 512-byte sectors which are individually encrypted and decrypted. These 512-byte sectors alone can use any block cipher mode of operation (typically CBC), but since arbitrary sectors in the middle of the disk need to be accessible individually, they cannot depend on the contents of their preceding/succeeding sectors. Thus, with CBC, each sector alone has to use an initialization vector (IV). If these IVs are predictable by an attacker, then a specially crafted file can be generated to "NOP-out" the IV, causing different blocks on the encrypted disk to have identical sectors, or at least the first block in a number of sectors to be identical. The sector patterns generated in this way can give away the existence of the file, without any need for the disk to be decrypted first. The problem is analogous to that of using block ciphers in the electronic codebook (ECB) mode, but instead of whole blocks, only the first block in different sectors are identical.

This weakness affected many disk encryption programs, including older versions of BestCrypt^[1] as well as the now-deprecated cryptoloop.^[2]

The problem can be relatively easily eliminated by making the IVs unpredictable with, for example, ESSIV.^[3] Alternatively, one can use modes of operation specifically meant for disk encryption (see disk encryption theory).

[edit] See also

• Disk encryption theory
• Initialization vector
• Block cipher modes of operation
• Watermark

[edit] Notes and references

1. ^ Chiriliuc, Adal (2003-10-23). "BestCrypt IV generation flaw". Retrieved on 2006-08-23.
2. ^ Saarinen, Markku-Juhani O. (2004-02-19). Linux for the Information Smuggler (PDF). Helsinki University of Technology. Retrieved on 2006-10-01.
3. ^ Fruhwirth, Clemens. Linux hard disk encryption settings. Retrieved on 2006-01-02.