2008 A. G. Basile. Creative Commons Attribution-Share Alike 3.0 License.

Random versus Encrypted Data

Introduction
What oes it mean !or in!ormation to be leake" What is in!ormation an#$a#s" %! $e come across
some ata& can $e tell i! it contains in!ormation or not" %s it even meanin'!ul to talk about ata $hich
carries (ero in!ormation" )hese are im*ortant +uestions $hen it comes to encr#*tin' !ile s#stems&
because& as % $ill sho$ belo$& there are small amounts o! in!ormation leake even in our best
encr#*te s#stem.
%! $e start b# e!inin' in!ormation as ata containin' a messa'e then the o**osite o! in!ormation& or
(ero in!ormation& is ranom ata& ie& ata $hich ma# con!orm to some s*ectral *arameters but oes not
e,hibit an# correlation bet$een ata elements. %n orer !or ata to carr# a messa'e& elements in the
se+uence must be correlate in some $a#. -or e,am*le& .c. !ollo$e b# .a. !ollo$e b# .t. conve#s
the messa'e .cat. --- the orer is im*ortant as is the *ro,imit# o! the characters& an $ithin the canon
o! the /n'lish lan'ua'e& this messa'e elicits the ima'e o! a !u((# creature $hich *urrs. )his
correlation& e,tene over the ata se+uence& 'ives the messa'e. Since .ranom. b# e!inition means
that there are no correlation& there can be no messa'e. )he ieal then in encr#*tion $oul be to create a
s#stem that cannot be istin'uishe b# an# means an uner an# circumstances !rom ranom ata. %0m
not sure this is even *ossible& but % can sho$ $a#s in $hich $e !all short o! the ieal.
)o illustrate these *oints& consier the !ollo$in' t$o strin's o! ranom he, i'its1
b228344545b!b20!8be2c05526a!44
02b!24c2c786b3082808662!ee800
Which stin' contains ranom ata an $hich contains encr#*te ata" )his is a trick +uestion because
the truth is& neither oes. )he !irst strin' $as 'enerate usin'
echo .8i 9om. : aes*i*e : ,, -*s
$ith *ass$or .as!;kl+$eruio*(,cvnm. $hile the secon $as 'enerate usin'
i!<=ev=uranom count<25 bs<2 : ,, -*s
$hich is a se+uence calculate b# the kernel0s non-blockin' *seuo-ranom number 'enerator >?@AGB.
?@AG0s are similar to encr#*tion al'orithms in that the# use mathematical !ormulas to 'enerate
subse+uent elements o! the se+uence. )he# con!orm to certain s*ectral re+uirements >e' heas or tails
are e+uall# *robabl#B an eneavor to is'uise correlation& an so the# act as ecent a**ro,imations to
ranom number se+uences. A better $a# to 'enerate ranom numbers is to use ranom *h#sical events&
like rollin' ice or $eather !luctuations. )he kernel *rovies =ev=ranom that 'athers it entro*# >ie
ranomnessB !rom the har$areC ho$ever& since this re+uires s#stem activit# to accumulate be!ore it
can eliver those ranom numbers& it blocks. )r# usin' i!<=ev=ranom instea o! =ev=uranom in
the e,am*les belo$ an #ou0ll see ho$ anno#in' the $ait can beD %0ll use uranom throu'hout& but to
make these true tests& $e shoul use ranom.
A !e$ more *oints to note be!ore movin' one1
2B %t shoul not matter $hether the attacker kno$s $hat c#*her $as use in encr#*tin' the messa'e ---
in the above case % use 228-bit A/S. )he messa'e is sa!e unless he also kno$s the secret *ass$or. A
cracke ci*her is one in $hich the attacker can obtain the clear messa'e $ithout the secret in a
reasonable about o! time. 9athematicall#&
ecr#*tion < -> encr#*te messa'e& ci*her& secret B
runs in a reasonable amount o! c*u time an 'ives 'arba'e unless the ri'ht secret is su**lie. %n our
e,am*le&
echo -n .b228344545b!b20!8be2c05526a!44. : ,, -r -*s : aes*i*e -
returns .8i 9om. onl# $hen $e su**l# the ri'ht secret. %t uses onl# !ractions o! a secon o! c*u time
an *re*enin' .time. to the above comman 'ives1
real 0m3.062s
user 0m0.000s
s#s 0m0.028s
%n contrast& a !unction like this
ecr#*tion < G> encr#*te messa'e& ci*her B
$hich runs in a reasonable amount o! c*u time oes not e,ist !or a 'oo ci*her. %! it i an $ere
!oun& then $e $oul sa# that the ci*her is cracke. Since the ke# si(e is 228-bits& this means there are
2E228 < 3.6,20E38 *ossible ke#s to tr# an one an onl# one $ill ecr#*t the messa'e. Since each
attem*t takes about 0.03s this means a brute !orce attack $oul take about 20E33s < about 20E27
li!etimes o! the kno$n universe. )o cover this ke# s*ace& aes*i*e insists on a *ass$or o! 20 chars lon'
or more. %ncluin' u**er=lo$er=numbers=s*ecial chars& this means 76 *ossibilities !or each char an
76E20 < 2.7,20E37. %ts u* to the user no$ to choose ranoml# $ithin this *ass$or s*aces --- 'oo
luckD Since humans *re!er eas# to remember *ass$ors to har& the actual istribution o! chosen
*ass$ors is not uni!orm an so brute !orce attacks& like Fohn the @i**er.& *rocee b# tr#in' more
*robable *ass$ors be!ore less *robabl# ones& leain' to a ictionar# attack.
2B Since kno$in' the ci*her shoul not 'ive the attacker an# avanta'e& some im*lementations& like
the luks e,tension to m-cr#*t announce it in a heaer. 8ere0s an e,am*le obtaine usin' the !ollo$in'
commans1
i!<=ev=uranom o!<mcr#*t-luks-A.bm* count<2 bs<29
losetu* =ev=loo*0 mcr#*t-luks-A.bm*
cr#*tsetu* luks-ormat =ev=loo*0
he,um* -C =ev=loo*0 : more
00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 63 62 63 2d 65 73 73 69 |........cbc-essi|
00000030 76 3a 73 68 61 32 35 36 00 00 00 00 00 00 00 00 |v:sha256........|
00000040 00 00 00 00 00 00 00 00 73 68 61 31 00 00 00 00 |........sha1....|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 04 08 00 00 00 10 |................|
00000070 ca 4e ae 89 ce d0 83 9e 6b aa 2d 74 8d ae 9d 56 |.N......k.-t...|
00000080 2e !1 63 81 69 18 a9 99 b5 c! 33 47 0e 03 !3 bd |..c.i.....3"....|
00000090 a0 b8 15 65 85 2e 6e !3 22 a1 7a 2e 2d a4 !6 50 |...e..#.$.%.-..&|
000000a0 73 69 07 !! 00 00 00 0a 39 62 37 62 62 33 64 32 |si......9b7bb3d2|
000000b0 2d 37 62 31 63 2d 34 66 63 39 2d 39 32 33 36 2d |-7b1c-4!c9-9236-|
000000c0 39 36 61 61 64 31 36 64 62 36 35 65 00 00 00 00 |96aad16db65e....|
000000d0 00 ac 71 !3 00 04 18 31 ee c0 18 69 ed 2b d9 5d |..'....1...i.(.)|
000000e0 6e 55 b0 53 66 8d a1 13 e9 75 a9 80 !d 0e bb 38 |#U.S!....*.....8|
000000!0 6c c5 4b 40 b9 c7 ee 2d 00 00 00 08 00 00 0! a0 |+.K,...-........|
)he he,um* is *rett# clear& but to make it even easier cr#*tsetu* *rovies a utilit# $hich $ill *resent
this in!ormation in a human reaable !orm. )he !ollo$in'
cr#*tsetu* luksGum* =ev=loo*0
#iels
LHIS heaer in!ormation !or =ev=loo*0
Jersion1 2
Ci*her name1 aes
Ci*her moe1 cbc-essiv1sha245
8ash s*ec1 sha2
?a#loa o!!set1 2032
9I bits1 228
9I i'est1 ca 6e ae 87 ce 0 83 7e 5b aa 2 36 8 ae 7 45 2e !2 53 82
9I salt1 57 28 a7 77 b4 c! 33 63 0e 03 !3 b a0 b8 24 54
84 2e 5e !3 22 a2 3a 2e 2 a6 !5 40 33 57 03 !!
9I iterations1 20
HH%G1 7b3bb32-3b2c-6!c7-7235-75aa25b54e
Ie# Slot 01 /AABL/G
%terations1 258333
Salt1 ee c0 28 57 e 2b 7 4 5e 44 b0 43 55 8 a2 23
e7 34 a7 80 ! 0e bb 38 5c c4 6b 60 b7 c3 ee 2
Ie# material o!!set1 8
A- stri*es1 6000
Ie# Slot 21 G%SABL/G
Ie# Slot 21 G%SABL/G
Ie# Slot 31 G%SABL/G
Ie# Slot 61 G%SABL/G
Ie# Slot 41 G%SABL/G
Ie# Slot 51 G%SABL/G
Ie# Slot 31 G%SABL/G
While none o! this in!ormation hel*s the attacker to ecoe the encr#*te ata $hich !ollo$s the
heaer& it oes 'ive a$a# some in!ormation. %t sa#s .$hat !ollo$s is encr#*te ata& it is encoe usin'
228-bit A/S& the moe in $hich this encr#*tion is use is ci*her block-chainin' $ith initiali(ation
vector calculate usin' sha245 .... )his is harmless enou'h e,ce*t that it iminishes plausible
deniability meanin' that i! the attacker is able to coerce the victim into 'ivin' over the ke#& the victim
has a more i!!icult time en#in' that there is an# ke# to be 'iven over an $hat the attacker is lookin'
at is ;ust ranom ata. Some encr#*tion im*lementations& like truecr#*t& a**roach *lausible eniabilit#
b# creatin' a .hien. volume. %n this a**roach& there are t$o *ass$ors& one $hich unlocks the true
hien volume an another $hich unlocks a !ake volume. When coerce& the victim can 'ive the ke# to
unlock the !ake volume $hile remainin' silent about the true volume.
%! $e take the ieal o! .(ero in!ormation loss. then an# luks-t#*e heaer $hich iscloses the metaata
o! the encr#*te ata com*romises *lausible eniabilit#. %n this case& im*lementations like m-cr#*t
$ithout luks e,tensions or loo*-aes are *re!erre. 8o$ever& in cases $here *lausible eniabilit# is not
an issue& then a luks-t#*e heaer has avanta'es& e'. the hal=bus s#stem in Gnome reco'ni(es the luks
heaer an initiates a ialo' $here the user can enter the *ass$or an obtain the ecr#*te volume as
an icon on the eskto* $hen he *lu's in an encr#*te *en rive. %! all the *otential victim is tr#in' to
*rotect a'ainst is the!t& then eniabilit# is not an issue. But i! it comes to a re*ressive re'ime tr#in' to
commit human ri'ht abuses& then *lausible eniabilit# an (ero in!ormation take on a ne$ imension.
Cryptanalysis with bitmaps
Let0s return to the ori'inal +uestion arme $ith the above kno$le'e. %s it *ossible to reco'ni(e the
i!!erence bet$een >*seuoB ranom ata an encr#*te ata even in the absence o! an# metaata" %0ll
emonstrate belo$ that in some circumstances the ans$er is #es. )o make m# *oints as obvious as
*ossible& %0ll use bitma* ima'es to emonstrate $hat0s 'oin' on. Let0s start $ith our re!erence s#stems
A B A - B
Fig 1
)hese ima'es $ere create usin' )he Gim* as 200,200 26-bit bm* ima'es. >% ha to rener them as
;*' to *ut on the $eb *a'e& but that $as the ver# last ste*. )he ori'inal bitma*s can be obtaine here.B
)he B.bm* !ile re*resents *ure $hite& an its bo# is mae u* o! all he, values --. A.bm* is also
mostl# --0s e,ce*t !or the black A $hich are 000s. )here are also some transitional values at the boarer
bet$een the black A an an $hite back'roun. )he ima'e A-B.bm* $as create b# co*#in' all o!
B.bm* to the cli*boar& an *astin' it into A as a ne$ la#er. )he t$o la#ers $ere then .i!!erence.
usin' the la#er *anel >#ou can brin' it u* usin' Wino$s <K Gockable Gialo's <K La#ersB.
8ere are our re!erence ranom ata ima'es1
@anom 2 @anom 2 @anom 2 - @anom 2
Fig 2
)hese ima'es $ere create usin' the !ollo$in'1
i!<=ev=uranom o!<ranom.bm* count<220046 bs<2
i!<A.bm* o!<ranom.bm* count<46 bs<2 conv<notrunc
)he !irst line creates a ranom !ile the si(e o! A.bm* an the secon line as the 46 b#te bm* heaer.
%t is ientical !or all our bitma*s o! the same si(e so $e can ;ust li!t it !rom A.bm*. % ae this heaer
!or all o! the encr#*te or ranom !iles belo$ as a !inal ste* to rener the !ile as a vie$able bitma*.
%0ll use this *oor man0s cr#*tanal#sis to look at some im*lementations o! encr#*tion. %0ll start $ith *oor
im*lementations an $ork to$ars our best *ractices. Hsin' bitma*s is not ri'orous& but its a nice
techni+ue to illustrate $hat $e0re lookin' !or. At the time o! this $ritin'& %0m coin' u* a suite o! test
base o!! o! Inuth0s $ork on ranom number. Sta# tuneD
Why embed encrypted data within random data and why using cipher block chaining
Almost all so!t$are $hich installs encr#*te s#stems $ill la# o$n ranom ata on the evice !irst an
e!ault to some stron' ci*her >e' 228-bit aesB im*lemente $ith ci*her block chainin'. Let0s use our
bitma* cr#*tanal#sis to see $hat ha**ens i! #ou on0t.
-irst let0s *ut A.bm* $ithin an unencr#*te e,t2 !ile s#stem !or re!erence --- $here o the blocks o!
A.bm* 'et *ut insie a !iles#stem" % *rouce this ima'e as !ollo$s1
i!<=ev=(ero o!<e,t2-A.bm* count<680046 bs<2
losetu* =ev=loo*0 e,t2-A.bm*
mke2!s =ev=loo*0
mount =ev=loo*0 (((=
c* A.bm* (((=
umount (((=
losetu* - =ev=loo*0
i!<A600.bm* o!<e,t2-A.bm* count<46 bs<2 conv<notrunc
Aote that A600.bm* is a 600,600 26-bit bm* $hich is 680046 b#tes in si(e. )he lar'er si(e
accommoates a lar'er !ile !or the e,t2 !iles#stem so that one can co*# A.bm* into it $ithout runnin'
out o! evice s*ace. %t is also commensurate $ith the 200,200 bm* so that the A oesn0t 'et $ra**e
unreco'ni(eabl# $hen the !ile s#stem is renere as a bm* ima'e.
Let0s similarl# *ut A.bm* into a *oorl# encr#*te e,t2 !ile s#stem. 8ere $e make t$o mistakes1 2B $e
o not !irst !ill u* the !ile s#stem $ith >*seuoB ranom ata be!ore encr#*tin' an !ormattin'& an
seconl# $e on0t use an# ci*her block chainin'. )his ima'e $as *rouce as !ollo$s
i!<=ev=(ero o!<e,t2-enc2-A.bm* count<680046 bs<2
losetu* =ev=loo*0 e,t2-enc2-A.bm*
cr#*tsetu* -c aes-ecb create e,t2-enc2-A.bm* =ev=loo*0
mke2!s =ev=ma**er=e,t2-enc2-A.bm*
mount =ev=ma**er=e,t2-enc2-A.bm* (((=
c* A.bm* (((=
umount (((=
msetu* remove e,t2-enc2-A.bm*
losetu* - =ev=loo*0
i!<A600.bm* o!<e,t2-enc2-A.bm* count<46 bs<2 conv<notrunc
Since *ulls its ata out o! =ev=(ero& the !ile s#stem stats $ith a base o! all (eros belo$ the
encr#*tion la#er. Also& cr#*tsetu* -c aes-ecb sets u* a m-cr#*t la#er $ithout an# chainin'& ie& each
block is encr#*te ine*enentl# o! an# other block& so a clear block o! all 00s is al$a#s encr#*te into
the same encr#*te block. )he *attern o! the !ile $ithin the !ile s#stem clearl# emer'es.
-inall#& let0s re*eat the above& but this time $e0ll correct one o! our mistakes. We0ll la# o$n ranom
ata uner the encr#*tion la#er& but $e0ll still use aes-ecb.
Clear e,t2 aes-ecb on Lero back'roun aes-ecb on @anom back'roun
Fig
%ts clear $hat0s ha**enin' here. )he since each block is encr#*te ine*enentl# o! others& the
unerl#in' structure comes throu'h. We are no $here near the ieal o! (ero in!ormation.
Dm!crypt"s de#ault aes!cbc!essiv$sha2%& with random #iller
La#in' o$n a ranom back'roun an chainin' is clearl# im*ortant. )here are several techni+ues o!
chainin'& but the unerl#in' iea is similar. %n CBC moe& the most *o*ular !orm o! chainin'& a block
is MN@e $ith the *revious encr#*te block be!ore it itsel! is encr#*te& thus creatin' a .chain.. An
initiali(ation vector is use !or the ver# !irst block. Since blocks are not encr#*te ine*enentl# o!
other blocks& a block o! sa# all 00s $ill not al$a#s be encr#*te in the same $a#& an the structure o!
the unerl#in' clear !ile s#stem oesn0t emer'e as obviousl# as in ecb. Let0s re*eat the *revious
e,*eriment& but this time& $e0ll use aes-cbc-essiv1sha245. We0ll still use all (eros an ranom ata !or
the unencr#*te back'roun !or com*arison. 8ere0s $hat one 'ets1
Clear e,t2
aes-cbc-essiv1sha245 on Lero
back'roun
aes-cbc-essiv1sha245 on @anom
back'roun
Fig '
)he im*ortance o! a ranom back'roun is a**arent in this e,am*le. )he chainin' certainl# obscure
the structure o! the unerl#in' !ile s#stem& but the outline o! lar'e re'ions o! em*t# s*ace are still
iscernible. When these em*t# re'ions are !ille $ith ranom ata& it becomes nearl# im*ossible to tell
$hat0s encr#*te an $hat is ranom. %n !act& the 228-bit aes-cbc-essiv1sha245 *asses all the stanar
tests !or ranom number on both a local an 'lobal scale --- this is the sub;ect o! another $riteu* that
%0ll *ost another time.
In#ormation leak despite random #iller and chaining
At this *oint the reaer ma# think he0s sa!e an arrive at .(ero in!ormation loss.& but un!ortunatel#&
there is still another kin o! attack that can be launche. )his one e*ens on the attacker bein' able to
$atch the encr#*te !ile s#stem at sna*shots in time. )his mi'ht ha**en& !or instance& i! the victim
backs u* his ata to a har rive $hich he then stores o!! site. %! the attacker sneaks bet$een backu*s
an ima'es the isks& it then become *ossible !or him to launch this kin' o! attacks.
8ere are three emonstrations o! this attack1
aB aes*i*e is able to o*erate in several moes. Nne moe is a 228-bit aes-cbc $ith a sim*le
initiali(ation vector an one *ass$or. Another is multi-ke#-v3 moe& $hich also em*lo#s 228-bit aes-
cbc& but uses 56 i!!erent ke#s to encr#*t the blocks --- the !irst ke# !or the !irst block& the secon !or
the secon an so on in a c#clical !ashion. %t also uses a 54th ke# *lus 9G4 !or the initiali(ation vector.
Still& i! an attacker has access to a !ile s#stem be!ore an a!ter the aition o! ata& evience emer'es o!
the unerl#in' encr#*tion.
)he !ollo$in' bitma*s $ere 'enerate to illustrate the sin'le ke# sim*le initiali(ation vector moe1
aes*i*e O A.bm* K aesA.bm*
aes*i*e O B.bm* K aesB.bm*
i!<A.bm* o!<aesA.bm* count<46 bs<2 conv<notrunc
i!<B.bm* o!<aesB.bm* count<46 bs<2 conv<notrunc
)he Gim* $as then use as escribe above to *rouce aesA-aesB.bm*. 8ere are the results1
A.bm* uner aes-cbc-*lain B.bm* uner aes-cbc-*lain aes A - aes B
Fig %
Nne can com*are these to bitma*s !or multi-ke#-v3. -irst $e 'enerate a !ile containin' the 54 ke#s1
hea -c 2724 =ev=uranom : uuencoe -m - : hea -n 55 : tail -n 54 : '*' --s#mmetric -a K
ke#.'*'
An then $e use the ke# !ile to *rouce the encr#*te bitma*s1
aes*i*e -I ke#.'*' O A.bm* K aesA-v3.bm*
aes*i*e -I ke#.'*' O B.bm* K aesB-v3.bm*
i!<A.bm* o!<aesA-v3.bm* count<46 bs<2 conv<notrunc
i!<A.bm* o!<aesB-v3.bm* count<46 bs<2 conv<notrunc
8ere are the results1
A.bm* uner multike#-v3 aes B.bm* uner multike#-v3 aes
multike#-v3 aes A - multike#-v3 aes
B
Fig &
%ts clear that the chan'e to the !ile s#stem is better blurre but there is still some in!ormation to be
'aine about the unerl#in' unencr#*te ata.
bB Let0s tr# the same test usin' 228-bit aes-cbc-essiv1sha245 on a ranom back'roun. 8ere $e0ll
em*lo# luks e,tensions !or convenience& but this is not necessar#& nor oes it chan'e our conclusions1
i!<=ev=uranom o!<e,t2-enc4-A.bm* count<2080046 bs<2
losetu* =ev=loo*0 e,t2-enc4-A.bm*
cr#*tsetu* luks-ormat =ev=loo*0
cr#*tsetu* luksN*en =ev=loo*0 e,t2-enc4-A.bm*
mke2!s =ev=ma**er=e,t2-enc4-A.bm*
mount =ev=ma**er=e,t2-enc4-A.bm* (((=
c* A.bm* (((=
umount (((=
msetu* remove e,t2-enc4-A.bm*
losetu* - =ev=loo*0
c* e,t2-enc4-A.bm* e,t2-enc4-B.bm*
losetu* =ev=loo*0 e,t2-enc4-B.bm*
cr#*tsetu* luksN*en =ev=loo*0 e,t2-enc4-B.bm*
mount =ev=ma**er=e,t2-enc4-B.bm* (((=
c* B.bm* (((=A.bm*
umount (((=
msetu* remove e,t2-enc4-B.bm*
losetu* - =ev=loo*0
i!<A500.bm* o!<e,t2-enc4-A.bm* count<46 bs<2 conv<notrunc
i!<A500.bm* o!<e,t2-enc4-B.bm* count<46 bs<2 conv<notrunc
8ere are the results1
A.bm* uner aes-cbc-essiv1245 B.bm* uner aes-cbc-essiv1245
aes-cbc1essiv245 A - aes-cbc1essiv245
B
Fig (
cB )o !airl# com*are loo*-aes0s multike#-v3 $ith mcr#*t aes-cbc-essiv1sha245& $e re*eat the *revious
test $ith loo*-aes.
i!<=ev=uranom o!<e,t2-enc5-A.bm* count<2080046 bs<2
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 e,t2-enc5-A.bm*
mke2!s =ev=loo*0
mount =ev=loo*0 (((=
c* A.bm* (((=
umount (((=
losetu* - =ev=loo*0
c* e,t2-enc5-A.bm* e,t2-enc5-B.bm*
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 e,t2-enc5-B.bm*
mount =ev=loo*0 (((=
c* B.bm* (((=A.bm*
umount (((=
losetu* - =ev=loo*0
i!<A500.bm* o!<e,t2-enc5-A.bm* count<46 bs<2 conv<notrunc
i!<A500.bm* o!<e,t2-enc5-B.bm* count<46 bs<2 conv<notrunc
8ere are the results1
A.bm* uner multike#-v3 B.bm* uner multike#-v3 multike#-v3 A - multike#-v3 B
Fig )
%! $e (oom in on the bans& $e can see that multike#-v3 loo*-aes oes a better ;ob than aes-cbc-
essiv1sha245 mcr#*t an hiin' the unerl#in' ata1
Fig *
+est ,ractice
Ao$ that $e kno$ more about ho$ in!ormation can leak !rom an encr#*te !ile s#stem& $e can
conclue $ith some avice !or best *ractices. %n aition to chosin' multike#-v3 loo*-aes& to avoi
e,*osin' the unerl#in' structure o! the clear !ile s#stem& one can tr# !illin' u* the em*t# s*ace $ith
>*seuoB ranom ata. )o illustrate& $e re*eate the *revious e,am*le& but a!ter co*#in' A.bm* into
the !iles#stem& $e !ille u* the remainin' em*t# s*ace as !ollo$s1
c (((
i!<=ev=uranom o!<$aste
When $e remount the s#stem& $e !irst clear the s*ace b# removin' .$aste.& o our $ork an then !ill it
back u* a'ain $ith >*seuoB ranom ata1
c (((
rm $aste
c* ..=B.bm* A.bm*
i!<=ev=uranom o!<$aste
)he results !ollo$1
A.bm* P ranom !iller uner
multike#-v3
B.bm* P ranom !iller uner
multike#-v3
multike#-v3 AP!iller - multike#-
v3 BP!iller
Fig 1-
Some o! the unerl#in' structure is still visible& but it is clear that $e0re 'ettin' closer to the situation in
-i' 2.
-inall#& let0s 'o one more ste*. 8o$ about scatterin' A.bm* throu'h the blocks o! the !ile s#stem& in
other $ors& !ra'mentin' it" Hsuall# one $ants to avoi !ra'mentation because it as latenc# to %N
urin' har rive seeks. )his is not an issue $ith soli state evices& such as *en rives or SSG0s an so
$e shoul consier $hat bene!it is 'aine in terms o! encr#*tion. -irst& let0s see $hat ha**ens to A.bm*
$hen it is !ra'mente on an unencr#*te rive. We o this b# creatin' lots o! little !iles an eletin'
ever# tenth one >an it bit moreB be!ore co*#in' in A.bm*1
i!<=ev=uranom o!<e,t2-!ra'.bm* count<2080046 bs<2
losetu* =ev=loo*0 e,t2-!ra'.bm*
mke2!s -A 2026 =ev=loo*0
mount =ev=loo*0 (((
c (((
!or i in Q>se+ 2 2026B C o i!<=ev=(ero o!<Qi.$aste count<2 bs<2k C one
rm -! R3.$aste
rm -! "3".$aste
c* ..=A.bm* .
c ..
umount (((
i!<A500.bm* o!<e,t2-!ra'.bm* count<46 bs<2 conv<notrunc
8ere is the result1
Fig 11
So let0s moi!# our techni+ue o! !illin' the em*t# s*ace $ith ranom ata b# !urther !orcin' the
!ra'menation o! A.bm* an B.bm*.
i!<=ev=uranom o!<aes-e,t2-!ra'-A.bm* count<2080046 bs<2
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 aes-e,t2-!ra'-A.bm*
mke2!s -A 2026 =ev=loo*0
mount =ev=loo*0 (((=
c (((=
!or i in Q>se+ 2 2026B C o i!<=ev=uranom o!<Qi.$aste count<2 bs<2k C one
rm -! R6.$aste R3.$aste
c* ..=A.bm* .
!or i in Q>se+ 2024 2068B C o i!<=ev=uranom o!<Qi.$aste count<2 bs<2k C one
c ..
umount (((=
losetu* - =ev=loo*0
c* aes-e,t2-!ra'-A.bm* aes-e,t2-!ra'-B.bm*
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 aes-e,t2-!ra'-B.bm*
mount =ev=loo*0 (((=
c (((=
c* ..=B.bm* A.bm*
rm -! R.$aste
c ..
umount (((=
losetu* - =ev=loo*0
Hsin' our subtraction attack& here0s $hat $e !in1
A.bm* P ranom !iller P
!ra'mentation uner multike#-v3
B.bm* P ranom !iller P
!ra'mentation uner multike#-v3
multike#-v3 AP!illerP!ra' -
multike#-v3 BP!illerP!ra'
Fig 12
)he black bans >re'ions o! no chan'eB are still visible as in -i' 20& but are more scattere re!lectin'
the !ra'mentation o! the unerl#in' !ile. %t is unlikel# $e can totall# eliminate these re'ions o!
unchan'e ata because the# *robabl# re*resent the !ile s#stem0s metaata& ie& the i-noes an
su*erblocks.