Re: Native Encryption for ZFS on FreeBSD CFT

From: Matthew Macy <mmacy_at_freebsd.org>
Date: Wed, 22 Aug 2018 15:39:18 -0700
Hi Thomas,

Alan believes that, even with dedup disabled, the ZFS native encryption
support is vulnerable to watermarking attacks. I don't have enough exposure
to crypto to pass any judgement and was hoping that you'd share your point
of view. Thanks in advance.

-M



On Wed, Aug 22, 2018 at 12:42 PM Alan Somers <asomers_at_freebsd.org> wrote:

> Only encrypting L0 blocks also leaks a lot of information.  That means
> that, if encryption is set to anything but "off", watermarking attacks will
> still be possible based on the size and sparsity of a file.  Because I
> believe that with any encryption mode, ZFS turns continuous runs of zeros
> into holes.  And I don't see anything in zio_crypt.c that addresses that.
> -Alan
>
> On Wed, Aug 22, 2018 at 1:23 PM Sean Fagan <sef_at_ixsystems.com> wrote:
>
>> On Aug 22, 2018, at 12:20 PM, Alan Somers <asomers_at_freebsd.org> wrote:
>> > ]That doesn't answer the question about what happens when dedup is
>> turned off.  In that case, is the HMAC still used as the IV?  If so, then
>> watermarking attacks are still possible.  If ZFS switches to a random IV
>> when dedup is off, then it would probably be ok.
>>
>> From the same file:
>>
>>  * Initialization Vector (IV):
>>
>>  * An initialization vector for the encryption algorithms. This is used
>> to
>>  * "tweak" the encryption algorithms so that two blocks of the same data
>> are
>>  * encrypted into different ciphertext outputs, thus obfuscating block
>> patterns.
>>  * The supported encryption modes (AES-GCM and AES-CCM) require that an
>> IV is
>>  * never reused with the same encryption key. This value is stored
>> unencrypted
>>  * and must simply be provided to the decryption function. We use a 96
>> bit IV
>>  * (as recommended by NIST) for all block encryption. For non-dedup
>> blocks we
>>  * derive the IV randomly. The first 64 bits of the IV are stored in the
>> second
>>  * word of DVA[2] and the remaining 32 bits are stored in the upper 32
>> bits of
>>  * blk_fill. This is safe because encrypted blocks can't use the upper 32
>> bits
>>  * of blk_fill. We only encrypt level 0 blocks, which normally have a
>> fill count
>>  * of 1. The only exception is for DMU_OT_DNODE objects, where the fill
>> count of
>>  * level 0 blocks is the number of allocated dnodes in that block. The
>> on-disk
>>  * format supports at most 2^15 slots per L0 dnode block, because the
>> maximum
>>  * block size is 16MB (2^24). In either case, for level 0 blocks this
>> number
>>  * will still be smaller than UINT32_MAX so it is safe to store the IV in
>> the
>>  * top 32 bits of blk_fill, while leaving the bottom 32 bits of the fill
>> count
>>  * for the dnode code.
>>
>>
>> Sean
>>
>>
>>
Received on Wed Aug 22 2018 - 20:39:31 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:17 UTC