Warning! New cryptographic modes!

Jerry Leichter leichter at lrw.com
Mon May 11 18:48:02 EDT 2009 

On May 11, 2009, at 5:13 PM, Victor Duchovni wrote:

> On Mon, May 11, 2009 at 02:16:45PM -0400, Roland Dowdeswell wrote:
>
>>> In any case, there are obvious, well-understood solutions here:  Use
>>> counter mode, which propagates changes by a single block of the
>>> cryptosystem.  Or use any other stream cipher mode.  (An interesting
>>> question is whether there's a mode that will recover from insertions
>>> or deletions.  Perhaps something like:  Use counter mode.  If two
>>> consecutive ciphertext bytes are 0, fill the rest of the ciphertext
>>> block with 0's, jump the counter by 65536, and insert a special  
>>> block
>>> containing the new counter value.)
>>
>> I'm not convinced that a stream cipher is appropriate here because
>> if you change the data then you'll reveal the plaintext.
>
> Indeed. If the remote copy is a "backup", and the local file-system
> supports snaphots, then it is far better to arrange for the remote
> backup to always be a copy of a local snapshot, and to compute the  
> rsync
> "delta" between the local copy of the remote snapshot and a newer  
> snapshot
> locally, and then rsync the delta. Sure, snapshot file-systems are not
> yet universal, but given disk size and file-system trends, I would  
> base
> encrypted remote backups on a foundation that assumed the existence of
> local before/after images.
If you have a snapshot file system, sure, you can use it.  Caching  
checksums and using a write barrier (like fsevents in MacOS) would  
also work.

Any such system will eventually build up either a huge number of small  
deltas, or deltas that are close to the size of the underlying files  
(i.e., eventually most things get changed).  So you also need a way to  
reset to a new base - that is, run an rsync as you do today.  Thus,  
while this is certainly a good optimization, you still need to solve  
the underlying problem.

> A cipher that produces largely identical cipher-text for largely  
> identical
> plaintext in the face of updates, inserts and deletes, is unlikely to
> be particularly strong.
Consider first just updates.  Then you have exactly the same problem  
as for disk encryption:  You want to limit the changes needed in the  
encrypted image to more or less the size of the change to the  
underlying data.  Generally, we assume that the size of the encrypted  
change for a given contiguous range of changed underlying bytes is  
bounded roughly by rounding the size of the changed region up to a  
multiple of the blocksize.  This does reveal a great deal of  
information, but there isn't any good alternative.  (Of course, many  
file types are never actually changed in place - they are copied with  
modifications along the way - and in that case the whole thing will  
get re-encrypted differently anyway.)

> The CBC IV reset should not be too disasterous if the IV is an  
> encrypted
> block counter under a derived key. Drive encryption basically does the
> same thing with 512 byte blocks. This fails to handle inserts/deletes
> that are not multiples of the "chunk" size.
It's curious that the ability to add or remove blocks in the middle of  
a file has never emerged as a file system primitive.  Most file system  
organizations could support it easily.  (Why would you want this?   
Consider all the container file organizations we have, which bundle up  
segments of different kinds of data.  A .o file is a common example.   
Often we reserve space in some of the embedded sections to allow for  
changes later - patch areas, for example.  But when these fill,  
there's no alternative but to re-create the file from scratch.  If we  
could insert another block, things would get easier.)

Given that file systems don't support the operation, disk encryption  
schemes haven't bothered either.

To support insertions or deletions of full blocks, you can't make the  
block encryption depend on the block position in the file, since  
that's subject to change.  For a disk encryptor that can't add data to  
the file, that's a killer; for an rsync pre-processor, it's no big  
deal - just store the necessary key-generation or tweak data with each  
block.  This has no effect on security - the position data was public  
anyway.

To handle smaller inserts or deletes, you need to ensure that the  
underlying blocks "get back into sync".  The gzip technique I  
mentioned earlier works.  Keep a running cryptographically secure  
checksum over the last blocksize bytes.  When some condition on the  
checksum is met - equals 0 mod M - insert filler to the beginning of  
the next block before encrypting; discard to the beginning of the next  
block when decrypting.  Logically, this is dividing the file up into  
segments whose ends occur at runs of blocksize bytes that give a  
checksum obeying the condition.  A change within a segment can at most  
destroy that segment and the following one; any other segments  
eventually match up.  (The comparison algorithm can't have anything  
that assumes either block or segment offset from beginning of file are  
significant - but I think rsync already handles that.)  Yes, this  
leaks *something* about the plaintext which is hard to pin down, but  
it seems much less significant than what you've already given up to  
allow local cleartext changes to produce local ciphertext changes.
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list