[Cryptography] Security on TRIM for full-disk encrypted SSDs
Valmiky Arquissandas
crypto-metzdowd at kayvlim.com
Thu Apr 21 20:21:10 EDT 2016
> On Thu, Apr 21, 2016 at 3:19 PM, Peter Fairbrother <peter at m-o-o-t.org>
> wrote:
>> You think that an attacker knowing how much data you send doesn't
>> affect
>> confidentiality?
>>
>> hmmm, how many files on t'internet are 2798954788 bytes long?
>
> You're right - that matters, but only for specific threat models,
> particularly those involving transmission of illicit material.
> Returning to the problem at hand - that of allowing one's opponent to
> know one's net drive allocation by enabling TRIM under encryption -
> the answer remains "it may matter". If you're storing a known
> quantity of illicit material in a way that could be separated from the
> rest of the noise on your system, then yes - enabling TRIM is probably
> dangerous.
>
> For the rest of us that simply wish to prevent data loss or
> modification in the event of a lost or stolen system or drive and lack
> illicit material? TRIM can be a great disk-longevity option that does
> not affect our threat model.
>
> You have to know what you're defending and what you're defending it
> against. Because they have customers with varying threat models, FDE
> developers have historically tended toward the conservative extreme
> and are just now offering exceptions to that. For the average user,
> however, the performance and operational load of that extreme may
> outweigh actual concerns.
This sounds about right to me, and Linus' link is precisely the kind of
information I was looking for. It confirms that an attacker may infer
how much space is used, and what the underlying filesystem is. My only
remaining question is whether this is as far as it gets, or if there is
knowledge of something even deeper.
The threat model is responsible for deciding what inferences are
acceptable or not; I'm trying to understand what those inferences are.
"how many files on t'internet are 2798954788 bytes long?" -- when a
device is FDE'd, and it discards unused blocks, is it ever possible to
find out that one of the files is exactly 2,798,954,788 bytes long?
Since files may be fragmented, and their blocks would be fully marked as
used - even if they weren't filled - the best guess I would imagine an
attacker could make - if there was no fragmentation, the data was
completely contiguous, *and* the attacker already knew that - is that
the file would be between 2,798,954,496 and 2,798,955,008 bytes long (if
blocks are of 512 bytes). When fragmentation scatters a file's contents,
I would guess all bets are off.
I use full disk encryption for two purposes - keep the contents of the
information I store from being read if my laptop (or backup drive) is
stolen, and protect the (Linux) partition that contains it from being
readable from the Windows system (dual boot). Should my Windows
installation become a target of the likes of ransomware (or plain old
spyware), it may encrypt my irrelevant files, but it won't ever be able
to read or overwrite those that matter (unless it nukes the LUKS
metadata, or it is so advanced it poisons the boot process to recover
the passphrase). Worst case, I have to reach my backups, but nothing
should have been revealed.
More information about the cryptography
mailing list