Let's see if I understand this attack:

> When a specially crafted PS document is saved to disk, an attacker can find it by
> inspecting the changed blocks (since an earlier inspection). If, say, the second block
> contained 0, and the PS document has a comparison of the value it finds there to 0, it
> takes a branch, and provides a specific content. However, when an attacker changed the
> second block, it will not be 0, so another variant of the document is shown. This way, if
> an attacker can send you an important document, and later he can access your LRW-AES
> encrypted disk, he can change your saved document to another one. This vulnerability has
> been shown to affect PS, PDF, DOC, EXE and many other file types.

So, the attacker has to 1.) send you a specially crafted file, 2.) convince you to save it to an encrypted disk to which he has ciphertext access, 3.) find the document and "randomize" a piece of it. And all this allows him to present you with a variant of the document he originally sent?

This seems to mean that all the attacker can attack is data sent originally by the attacker?

I don't understand the finding the 0 and changing it. This either means he will see a partially randomized document, or, at best, a document that was delivered to him, but made invisible by characteristics of the viewer? How does this enable the attacker to do anything meaningful with data that he did not provide?

At best, it seems this provides a way of bypassing any authentication/non-repudiation. No system without authentication will be able to prevent that, and the size-preserving aspect of LRW precludes authentication.

--------
..Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 24, 2006 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: Glossary term for 1619: shared media (wordsmithed)

Rob,

> Changing the ciphertext always creates a "not equal" situation for the
> plaintext

You got it. This is why I kept arguing that (to our customers) acceptable security cannot be provided if an attacker can access ciphertext.

> what information leakage there is from the changed ciphertext

It is not leakage, but malleability or opening backdoors for other attacks. As I wrote:

When a specially crafted PS document is saved to disk, an attacker can find it by inspecting the changed blocks (since an earlier inspection). If, say, the second block contained 0, and the PS document has a comparison of the value it finds there to 0, it takes a branch, and provides a specific content. However, when an attacker changed the second block, it will not be 0, so another variant of the document is shown.

This way, if an attacker can send you an important document, and later he can access your LRW-AES encrypted disk, he can change your saved document to another one. This vulnerability has been shown to affect PS, PDF, DOC, EXE and many other file types.

Another attack scenario is when the attacker randomizes all 16-byte ciphertext blocks of the (by location) easily identified OS files, one by one. He then tests the behavior of the modified files. He could find exploitable changes in behavior.

> how this is predictable or easily exploitable

The "not equality" is predictable, after changing the ciphertext. See above for two easy exploits. I am sure there are many more.

Laszlo

> -------- Original Message --------
> Subject: RE: Glossary term for 1619: shared media (wordsmithed)
> From: "Rob Ewan" <[EMAIL PROTECTED]>
> Date: Wed, May 24, 2006 1:52 pm
> To: <[EMAIL PROTECTED]>
> Cc: "Rob Ewan" <[EMAIL PROTECTED]>
>
> Laszlo,
>
> I don't understand your statement:
>
> > Changing the ciphertext gives one bit information in the corresponding
> > plaintext (equal / not equal). It is fully predictable and easily
> > exploitable.
>
> Changing the ciphertext always creates a "not equal" situation for the
> plaintext, does it not? I'm really not seeing what information leakage
> there is from the changed ciphertext. The assumption for AES is that
> changing 1 bit in the ciphertext will change the entire block (16
> bytes) of plaintext.
>
> Since changing the ciphertext will always change the plaintext, and
> since the attacker can't read the plaintext, I don't see either how
> this is predictable or easily exploitable.
>
> Could you elaborate on what you're thinking?
>
> --------
> ..Rob
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, May 24, 2006 1:26 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Glossary term for 1619: shared media (wordsmithed)
>
>
> Rob/Garry,
>
> > The cryptographic transform must therefore provide protection against
> > meaningful ciphertext manipulation by an attacker.
>
> The problem I already mentioned still remains: the sentence could
> imply that LRW-AES does provide protection against meaningful
> ciphertext manipulations. Changing the ciphertext gives one bit
> information in the corresponding plaintext (equal / not equal). It is
> fully predictable and easily exploitable. Therefore, I should like to
> change the sentence to something like:
>
> The cryptographic transform must therefore provide *some* protection
> against ciphertext manipulation by an attacker. Or
>
> The cryptographic transform must not allow more than one bit
> information carried over to the deciphered plaintext from ciphertext
> manipulation by an attacker.
>
> Laszlo
>
> > -------- Original Message --------
> > Subject: Glossary term for 1619: shared media (wordsmithed)
> > From: "Rob Ewan" <[EMAIL PROTECTED]>
> > Date: Wed, May 24, 2006 12:36 pm
> > To: <[EMAIL PROTECTED]>
> > Cc: "Rob Ewan" <[EMAIL PROTECTED]>
> >
> > Here are some wordsmithing changes to the definition, based on my
> > earlier message.
> >
> > "Shared storage media: storage media that could potentially be accessed
> > in plaintext by multiple mutually-untrusted agents with authorized
> > access to different zones of the media, and may be accessed in
> > ciphertext by an attacker."
> >
> > This covers the idea that the attacker may be a legitimate co-user of
> > (different portions of) the media, but may have malicious intentions
> > towards other users. The word-smithing on the other section proposed
> > by Shai (to expand the definition of attacker, and to think beyond the
> > idea of simply Denial-Of-Service attacks) would be something like:
> >
> > "A shared media can potentially be accessed in plaintext by multiple
> > agents, one of whom may also have unrestricted ciphertext access,
> > thereby raising the possibility that an attacker can usefully
> > manipulate the encrypted storage. The cryptographic transform must
> > therefore provide protection against meaningful ciphertext
> > manipulation by an attacker."
> >
> >
> > --------
> > ..Rob/Garry
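An added illustration, not part of this thread, of the narrow-block malleability Laszlo and Rob are arguing about: under LRW each 16-byte block is enciphered independently, so altering one ciphertext block replaces exactly that plaintext block with an unpredictable value and leaves every other block intact, which is all a document that branches on "block equals 0" needs; a keyed tag stored outside the size-preserving sectors detects the change, which is the kind of authentication Rob notes LRW itself cannot carry. The block cipher here is a constructed SHA-256 Feistel permutation standing in for AES (the mode structure is the point), and the keys, the sample document and the `render` "viewer" are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gf128_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, the LRW tweak field."""
    r = 0
    for _ in range(128):
        r ^= a if b & 1 else 0
        b >>= 1
        a = ((a << 1) & ((1 << 128) - 1)) ^ (0x87 if a >> 127 else 0)
    return r

def _f(k: bytes, rnd: int, half: bytes) -> bytes:  # keyed round function of the stand-in cipher
    return hashlib.sha256(k + bytes([rnd]) + half).digest()[:8]

def _feistel(k: bytes, blk: bytes, decrypt: bool = False) -> bytes:  # 4-round Feistel, stand-in for AES
    l, r = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, _f(k, rnd, l)), l) if decrypt else (r, _xor(l, _f(k, rnd, r)))
    return l + r

def lrw(k1: bytes, k2: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """LRW: C_i = E_K1(P_i ^ T_i) ^ T_i with T_i = K2 * i in GF(2^128); every block stands alone."""
    out = bytearray()
    for i in range(len(data) // BLOCK):
        t = gf128_mul(int.from_bytes(k2, "big"), i + 1).to_bytes(BLOCK, "big")
        out += _xor(_feistel(k1, _xor(data[i * BLOCK:(i + 1) * BLOCK], t), decrypt), t)
    return bytes(out)

def render(doc: bytes) -> str:  # constructed viewer: the document branches on whether block 1 is all zero
    return "variant A" if doc[BLOCK:2 * BLOCK] == bytes(BLOCK) else "variant B"

def demo() -> dict:
    k1, k2, kmac = b"k1" * 8, b"k2" * 8, b"km" * 8  # constructed demo keys
    doc = b"%!PS header".ljust(BLOCK) + bytes(BLOCK) + b"body text block".ljust(BLOCK)
    ct = bytearray(lrw(k1, k2, doc))
    tag = hmac.new(kmac, ct, "sha256").digest()  # integrity tag kept outside the encrypted sectors
    ct[BLOCK] ^= 0x01  # a single ciphertext bit of block 1 is altered
    pt = lrw(k1, k2, bytes(ct), decrypt=True)
    return {"others_intact": pt[:BLOCK] == doc[:BLOCK] and pt[2 * BLOCK:] == doc[2 * BLOCK:],
            "block1_changed": pt[BLOCK:2 * BLOCK] != doc[BLOCK:2 * BLOCK],
            "before": render(doc), "after": render(pt),
            "mac_detects": not hmac.compare_digest(tag, hmac.new(kmac, bytes(ct), "sha256").digest())}
```

`demo()` reports that blocks 0 and 2 decrypt unchanged, block 1 no longer equals zero so the viewer switches from "variant A" to "variant B", and the stored HMAC rejects the modified ciphertext.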