[Cryptography] Security on TRIM for full-disk encrypted SSDs

[Peter Fairbrother]

On 20/04/16 20:17, RB wrote:
> On Wed, Apr 20, 2016 at 11:52 AM, james hughes <hughejp at me.com> wrote:
>>
>> On Apr 19, 2016, at 5:03 PM, Valmiky Arquissandas
>> <crypto-metzdowd at kayvlim.com> wrote:
>>
>> I understand at least some of the theory - encrypted information is supposed
>> to be indistinguishable from random noise, and TRIM reveals patterns; and a
>> plausible deniability scenario would probably be unacceptable.
>>
>>
>> Can you please explain?
>>
>> Assuming reasonable encryption, I do not understand what patters are being
>> revealed.
>
> It all depends on your threat model.  The most paranoid threat model
> possible for most disk-level encryption assumes that an attacker
> knowing both your FS type and the amount of data you have encrypted is
> unacceptable.  Hence, you encrypt your entire block device (fill it up
> with encrypted data or noise) and keep opaque the actual volume of
> encrypted data and any other indicators of its structure.
>
> For the average user that's probably not true, and for them TRIM
> should be perfectly acceptable.  This is why, for example, I don't
> "pre-encrypt" VeraCrypt volumes: I ship a lot of disk images around,
> it's a known quantity.  My main interest is confidentiality, and it
> matters not one whit whether I'm sending a 500GB or a 1TB image on
> that 2TB external.


You think that an attacker knowing how much data you send doesn't affect 
confidentiality?

hmmm, how many files on t'internet are 2798954788 bytes long?



-- Peter Fairbrother





My opponent already knows the gist of what I'm
> transmitting, so I avoid writing 2TB of NULs over a slow bus in order
> to hide that I'm sending less than 2TB.
>
> Your mileage (and threat model) may vary.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>