Date: Wed, 22 Aug 2018 13:20:29 -0600 From: Alan Somers <asomers@freebsd.org> To: Sean Fagan <sef@ixsystems.com> Cc: Matthew Macy <mmacy@freebsd.org>, FreeBSD CURRENT <freebsd-current@freebsd.org>, freebsd-fs <freebsd-fs@freebsd.org> Subject: Re: Native Encryption for ZFS on FreeBSD CFT Message-ID: <CAOtMX2iMuLWEQV68MTcvpURacXB5wZMT8yAYySisOfnmCNn=SA@mail.gmail.com> In-Reply-To: <9FDF249A-E320-4652-834E-7EEC5C4FB7CA@ixsystems.com> References: <CAPrugNomNQQUZZNgngYRjDEVEU=_KbE2pgG4ajO1Jr4%2BGov2gQ@mail.gmail.com> <CAPrugNpKOYe9VS6Q-Q43t4i51qsxrP0SKW76208rtX-ENWxS5g@mail.gmail.com> <CAOtMX2jGQWm9ZFM_0kqvEt41xrm%2BFTpq6JVK4iK-c20NQjisRg@mail.gmail.com> <AD1101E9-9A3E-41CB-B313-1723123C607B@ixsystems.com> <CAOtMX2gvtzKg=DJChZdcYCiuADNVm9JvhgLNJ7bmwCLArgigjw@mail.gmail.com> <9FDF249A-E320-4652-834E-7EEC5C4FB7CA@ixsystems.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Aug 22, 2018 at 12:30 PM Sean Fagan <sef@ixsystems.com> wrote: > On Aug 21, 2018, at 8:16 PM, Alan Somers <asomers@freebsd.org> wrote: > > > > > The last time I looked (which was a long time ago), Oracle's ZFS > encryption looked extremely vulnerable to watermarking attacks. Did > anybody ever fix that? > > This is the comment about dedup in zio_crypt.c: > > * CONSIDERATIONS FOR DEDUP: > * In order for dedup to work, blocks that we want to dedup with one > another > * need to use the same IV and encryption key, so that they will have the > same > * ciphertext. Normally, one should never reuse an IV with the same > encryption > * key or else AES-GCM and AES-CCM can both actually leak the plaintext o= f > both > * blocks. In this case, however, since we are using the same plaintext a= s > * well all that we end up with is a duplicate of the original ciphertext > we > * already had. As a result, an attacker with read access to the raw disk > will > * be able to tell which blocks are the same but this information is give= n > away > * by dedup anyway. In order to get the same IVs and encryption keys for > * equivalent blocks of data we use an HMAC of the plaintext. We use an > HMAC > * here so that a reproducible checksum of the plaintext is never > available to > * the attacker. The HMAC key is kept alongside the master key, encrypted > on > * disk. The first 64 bits of the HMAC are used in place of the random > salt, and > * the next 96 bits are used as the IV. As a result of this mechanism, > dedup > * will only work within a clone family since encrypted dedup requires us= e > of > * the same master and HMAC keys. > > (So, same issue. I don=E2=80=99t think encryption and deduplication shou= ld live > together, > so I would not have made that choice.) > > Sean. > That doesn't answer the question about what happens when dedup is turned off. In that case, is the HMAC still used as the IV? If so, then watermarking attacks are still possible. If ZFS switches to a random IV when dedup is off, then it would probably be ok. -Alan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2iMuLWEQV68MTcvpURacXB5wZMT8yAYySisOfnmCNn=SA>