Christoph Anton Mitterer wrote:
> On Mon, 2014-12-01 at 16:43 -0800, Alex Elsayed wrote:
>> including that MAC-then-encrypt is fragile
>> against a number of attacks, mainly in the padding-oracle category (See:
>> TLS BEAST attack).
> Well but here we talk about disk encryption... how would the MtE oracle
> problems apply to that? Either you're already in the system, i.e. beyond
> disk encryption (and can measure any timing difference)... or you're
> not, but then you cannot measure anything.
Arguable. On a system with sufficiently little noise in the signal (say... systemd, on SSD, etc) you could possibly get some real information from corrupting padding on a relatively long extent used early in the boot process, by measuring how it affects time-to-boot.

And padding oracles are just one issue. Overall, the problem is that MtE isn't generically secure. EtM or pure AEAD modes are, which means you can simply mark any attack that doesn't rely on one of the underlying primitives being weak as "Not applicable." It also means you can compose it out of arbitrary secure primitives, rather than needing to do your proof of security over again for every combination.

That's an _enormous_ win in terms of how easy it is to be sure a system is secure. Without it, you can't really be sure there isn't Yet Another Vector You Missed.
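The point about MtE versus EtM, as an added example that is not part of the thread or of btrfs: both constructions are built below from the same two primitives (a MAC and a cipher), and the only difference is the order of operations and what the receiver checks first. The cipher is a constructed stand-in (HMAC-SHA256 run in counter mode) so the script needs only the standard library; the keys and the sample plaintext are constructed values. `error_profile` flips the last ciphertext byte through every mask and records which error classes the receiver reports: the MtE receiver has to unpad before it can verify, so it reports two distinguishable failure kinds (the signal a padding oracle is built on), while the EtM receiver verifies the tag before touching the ciphertext and reports exactly one.

```python
import hashlib
import hmac
import os

BLOCK = 16      # padding granularity, like a CBC block size
TAG_LEN = 32    # HMAC-SHA256 output length


class AuthError(Exception):
    """MAC tag did not verify."""


class PaddingError(Exception):
    """Padding was malformed (only the MtE receiver can ever raise this)."""


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode.

    Constructed placeholder for a real cipher such as AES; the thing being
    compared here is the MtE/EtM composition, not the cipher.
    """
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a multiple of BLOCK."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    if not data:
        raise PaddingError("empty input")
    n = data[-1]
    if n < 1 or n > BLOCK or len(data) < n or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


# --- MAC-then-Encrypt: tag the plaintext, then pad and encrypt (pt || tag) ---
def mte_seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    body = pad(pt + _mac(mac_key, pt))
    return nonce + _xor(body, _keystream(enc_key, nonce, len(body)))


def mte_open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    # Must decrypt and unpad BEFORE the tag can be checked: a malformed pad
    # and a bad tag are reported as different errors.
    body = unpad(_xor(ct, _keystream(enc_key, nonce, len(ct))))
    pt, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, pt)):
        raise AuthError("bad tag")
    return pt


# --- Encrypt-then-MAC: pad and encrypt, then tag (nonce || ct); verify first ---
def etm_seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    body = pad(pt)
    ct = _xor(body, _keystream(enc_key, nonce, len(body)))
    return nonce + ct + _mac(mac_key, nonce + ct)


def etm_open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, nonce + ct)):
        raise AuthError("bad tag")      # rejected before any decryption happens
    return unpad(_xor(ct, _keystream(enc_key, nonce, len(ct))))


def error_profile(mode: str, enc_key: bytes, mac_key: bytes, pt: bytes) -> set:
    """Flip the last ciphertext byte through all 255 masks and return the
    set of distinct outcomes the receiver reports."""
    seal, open_ = (mte_seal, mte_open) if mode == "mte" else (etm_seal, etm_open)
    blob = seal(enc_key, mac_key, pt)
    idx = len(blob) - 1 if mode == "mte" else len(blob) - TAG_LEN - 1
    seen = set()
    for mask in range(1, 256):
        tampered = blob[:idx] + bytes([blob[idx] ^ mask]) + blob[idx + 1:]
        try:
            open_(enc_key, mac_key, tampered)
            seen.add("accepted")
        except (AuthError, PaddingError) as exc:
            seen.add(type(exc).__name__)
    return seen


if __name__ == "__main__":
    k_enc, k_mac = b"\x01" * 32, b"\x02" * 32    # constructed demo keys
    sample = b"btrfs extent"                      # constructed sample plaintext
    for mode in ("mte", "etm"):
        print(mode, sorted(error_profile(mode, k_enc, k_mac, sample)))
```

The MtE profile contains both `PaddingError` and `AuthError` because one of the 255 masks happens to turn the last byte into a valid one-byte pad, so the receiver proceeds to the tag check; every other mask fails at unpadding. The EtM profile is `{'AuthError'}` only: since the tag covers the ciphertext, no modification reaches the decrypt-and-unpad step, which is what lets you mark the whole class of format-dependent attacks "not applicable" without re-examining the cipher and padding scheme.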