[Cryptography] Security on TRIM for full-disk encrypted SSDs
RB
aoz.syn at gmail.com
Wed Apr 20 15:17:59 EDT 2016
On Wed, Apr 20, 2016 at 11:52 AM, james hughes <hughejp at me.com> wrote:
>
> On Apr 19, 2016, at 5:03 PM, Valmiky Arquissandas
> <crypto-metzdowd at kayvlim.com> wrote:
>
> I understand at least some of the theory - encrypted information is supposed
> to be indistinguishable from random noise, and TRIM reveals patterns; and a
> plausible deniability scenario would probably be unacceptable.
>
>
> Can you please explain?
>
> Assuming reasonable encryption, I do not understand what patters are being
> revealed.
It all depends on your threat model. The most paranoid threat model
possible for most disk-level encryption assumes that an attacker
knowing both your FS type and the amount of data you have encrypted is
unacceptable. Hence, you encrypt your entire block device (fill it up
with encrypted data or noise) and keep opaque the actual volume of
encrypted data and any other indicators of its structure.
For the average user that's probably not true, and for them TRIM
should be perfectly acceptable. This is why, for example, I don't
"pre-encrypt" VeraCrypt volumes: I ship a lot of disk images around,
it's a known quantity. My main interest is confidentiality, and it
matters not one whit whether I'm sending a 500GB or a 1TB image on
that 2TB external. My opponent already knows the gist of what I'm
transmitting, so I avoid writing 2TB of NULs over a slow bus in order
to hide that I'm sending less than 2TB.
Your mileage (and threat model) may vary.
More information about the cryptography
mailing list