Date: Wed, 10 May 2000 09:22:40 +0200
   From: Thomas Pornin <[EMAIL PROTECTED]>

   On Tue, May 09, 2000 at 03:13:40PM -0400, Theodore Y. Ts'o wrote:
   > ... and what prevents the attacker from simply updating the checksum
   > when he's modifying the blocks?  

   As you may not have noticed, I am talking about a block device where
   all data are enciphered. To be more specific, each 64 bit (or 128 bit)
   block is enciphered with a different key. The attacker has no access to
   the data, nor to the checksum. However, he knows where these items
   are, and may perform modifications (although they would be essentially
   random). Hence the checksum.

Consider that block-swapping attacks can preserve the checksum even
though the attacker doesn't know the underlying data.  Also, I'm
suspicious about your "each 64 bit (or 128 bit) block is enciphered
with a different key."  You haven't said enough about your key management
to judge, but this sounds like home-grown crypto to me, which has been
historically dangerous.

I suggest you take your design and run it by the coderpunks mailing list
for review.  That would probably be very helpful.  (It's not the charter
of this mailing list, and I don't have time to do the analysis right
now.  But what you've told me makes me suspicious that there may be
several problems hiding in your scheme.)

                                                - Ted
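To illustrate Ted's block-swapping point, here is an added toy model that is not part of the thread: a block store where each block carries an integrity tag. The stand-in ciphertext blocks, the tag sizes and the MAC key are constructed for the demo, and the fix shown (a keyed HMAC over block index || ciphertext) is a standard remedy, not anything Pornin described.

```python
import hmac
import hashlib

# Constructed model: blocks are treated as already-enciphered opaque bytes,
# so the only question is what the integrity tag is computed over.
BLOCK_SIZE = 16
MAC_KEY = b"constructed-mac-key-for-demo-only"  # constructed, not a real key


def weak_tag(index: int, ciphertext: bytes) -> bytes:
    """Checksum over the block alone; the block's position plays no role,
    so the tag stays valid wherever the block is moved to."""
    return hashlib.sha256(ciphertext).digest()[:8]


def bound_tag(index: int, ciphertext: bytes) -> bytes:
    """Keyed MAC over block index || ciphertext: ties each block to its slot."""
    msg = index.to_bytes(8, "big") + ciphertext
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:8]


def make_device(blocks, tag_fn):
    """Store every block together with its tag, as a list of (ct, tag)."""
    return [(ct, tag_fn(i, ct)) for i, ct in enumerate(blocks)]


def verify(device, tag_fn) -> bool:
    """Recompute each tag in place and compare in constant time."""
    return all(hmac.compare_digest(tag, tag_fn(i, ct))
               for i, (ct, tag) in enumerate(device))


def swap(device, i, j):
    """An attacker who cannot read the data exchanges two whole entries
    (ciphertext plus the tag that travels with it)."""
    out = list(device)
    out[i], out[j] = out[j], out[i]
    return out


def demo() -> dict:
    # Constructed stand-in ciphertext: four distinct 16-byte blocks.
    blocks = [bytes([i]) * BLOCK_SIZE for i in range(4)]
    weak, bound = make_device(blocks, weak_tag), make_device(blocks, bound_tag)
    return {
        "weak_intact": verify(weak, weak_tag),
        "weak_swapped": verify(swap(weak, 1, 2), weak_tag),     # swap goes unnoticed
        "bound_intact": verify(bound, bound_tag),
        "bound_swapped": verify(swap(bound, 1, 2), bound_tag),  # swap detected
    }
```

Binding the position also stops a block from being rolled back only if a version counter is folded into the MAC input as well; the snippet covers the swap case Ted raises, not replay.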
