0% found this document useful (0 votes)
50 views14 pages

Random Versus Encrypted Data

[2008]
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
50 views14 pages

Random Versus Encrypted Data

[2008]
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

2008 A. G. Basile. Creative Commons Attribution-Share Alike 3.0 License.

Random versus Encrypted Data


Introduction
What oes it mean !or in!ormation to be leake" What is in!ormation an#$a#s" %! $e come across
some ata& can $e tell i! it contains in!ormation or not" %s it even meanin'!ul to talk about ata $hich
carries (ero in!ormation" )hese are im*ortant +uestions $hen it comes to encr#*tin' !ile s#stems&
because& as % $ill sho$ belo$& there are small amounts o! in!ormation leake even in our best
encr#*te s#stem.
%! $e start b# e!inin' in!ormation as ata containin' a messa'e then the o**osite o! in!ormation& or
(ero in!ormation& is ranom ata& ie& ata $hich ma# con!orm to some s*ectral *arameters but oes not
e,hibit an# correlation bet$een ata elements. %n orer !or ata to carr# a messa'e& elements in the
se+uence must be correlate in some $a#. -or e,am*le& .c. !ollo$e b# .a. !ollo$e b# .t. conve#s
the messa'e .cat. --- the orer is im*ortant as is the *ro,imit# o! the characters& an $ithin the canon
o! the /n'lish lan'ua'e& this messa'e elicits the ima'e o! a !u((# creature $hich *urrs. )his
correlation& e,tene over the ata se+uence& 'ives the messa'e. Since .ranom. b# e!inition means
that there are no correlation& there can be no messa'e. )he ieal then in encr#*tion $oul be to create a
s#stem that cannot be istin'uishe b# an# means an uner an# circumstances !rom ranom ata. %0m
not sure this is even *ossible& but % can sho$ $a#s in $hich $e !all short o! the ieal.
)o illustrate these *oints& consier the !ollo$in' t$o strin's o! ranom he, i'its1
b228344545b!b20!8be2c05526a!44
02b!24c2c786b3082808662!ee800
Which stin' contains ranom ata an $hich contains encr#*te ata" )his is a trick +uestion because
the truth is& neither oes. )he !irst strin' $as 'enerate usin'
echo .8i 9om. : aes*i*e : ,, -*s
$ith *ass$or .as!;kl+$eruio*(,cvnm. $hile the secon $as 'enerate usin'
i!<=ev=uranom count<25 bs<2 : ,, -*s
$hich is a se+uence calculate b# the kernel0s non-blockin' *seuo-ranom number 'enerator >?@AGB.
?@AG0s are similar to encr#*tion al'orithms in that the# use mathematical !ormulas to 'enerate
subse+uent elements o! the se+uence. )he# con!orm to certain s*ectral re+uirements >e' heas or tails
are e+uall# *robabl#B an eneavor to is'uise correlation& an so the# act as ecent a**ro,imations to
ranom number se+uences. A better $a# to 'enerate ranom numbers is to use ranom *h#sical events&
like rollin' ice or $eather !luctuations. )he kernel *rovies =ev=ranom that 'athers it entro*# >ie
ranomnessB !rom the har$areC ho$ever& since this re+uires s#stem activit# to accumulate be!ore it
can eliver those ranom numbers& it blocks. )r# usin' i!<=ev=ranom instea o! =ev=uranom in
the e,am*les belo$ an #ou0ll see ho$ anno#in' the $ait can beD %0ll use uranom throu'hout& but to
make these true tests& $e shoul use ranom.
A !e$ more *oints to note be!ore movin' one1
2B %t shoul not matter $hether the attacker kno$s $hat c#*her $as use in encr#*tin' the messa'e ---
in the above case % use 228-bit A/S. )he messa'e is sa!e unless he also kno$s the secret *ass$or. A
cracke ci*her is one in $hich the attacker can obtain the clear messa'e $ithout the secret in a
reasonable about o! time. 9athematicall#&
ecr#*tion < -> encr#*te messa'e& ci*her& secret B
runs in a reasonable amount o! c*u time an 'ives 'arba'e unless the ri'ht secret is su**lie. %n our
e,am*le&
echo -n .b228344545b!b20!8be2c05526a!44. : ,, -r -*s : aes*i*e -
returns .8i 9om. onl# $hen $e su**l# the ri'ht secret. %t uses onl# !ractions o! a secon o! c*u time
an *re*enin' .time. to the above comman 'ives1
real 0m3.062s
user 0m0.000s
s#s 0m0.028s
%n contrast& a !unction like this
ecr#*tion < G> encr#*te messa'e& ci*her B
$hich runs in a reasonable amount o! c*u time oes not e,ist !or a 'oo ci*her. %! it i an $ere
!oun& then $e $oul sa# that the ci*her is cracke. Since the ke# si(e is 228-bits& this means there are
2E228 < 3.6,20E38 *ossible ke#s to tr# an one an onl# one $ill ecr#*t the messa'e. Since each
attem*t takes about 0.03s this means a brute !orce attack $oul take about 20E33s < about 20E27
li!etimes o! the kno$n universe. )o cover this ke# s*ace& aes*i*e insists on a *ass$or o! 20 chars lon'
or more. %ncluin' u**er=lo$er=numbers=s*ecial chars& this means 76 *ossibilities !or each char an
76E20 < 2.7,20E37. %ts u* to the user no$ to choose ranoml# $ithin this *ass$or s*aces --- 'oo
luckD Since humans *re!er eas# to remember *ass$ors to har& the actual istribution o! chosen
*ass$ors is not uni!orm an so brute !orce attacks& like Fohn the @i**er.& *rocee b# tr#in' more
*robable *ass$ors be!ore less *robabl# ones& leain' to a ictionar# attack.
2B Since kno$in' the ci*her shoul not 'ive the attacker an# avanta'e& some im*lementations& like
the luks e,tension to m-cr#*t announce it in a heaer. 8ere0s an e,am*le obtaine usin' the !ollo$in'
commans1
i!<=ev=uranom o!<mcr#*t-luks-A.bm* count<2 bs<29
losetu* =ev=loo*0 mcr#*t-luks-A.bm*
cr#*tsetu* luks-ormat =ev=loo*0
he,um* -C =ev=loo*0 : more
00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 63 62 63 2d 65 73 73 69 |........cbc-essi|
00000030 76 3a 73 68 61 32 35 36 00 00 00 00 00 00 00 00 |v:sha256........|
00000040 00 00 00 00 00 00 00 00 73 68 61 31 00 00 00 00 |........sha1....|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 04 08 00 00 00 10 |................|
00000070 ca 4e ae 89 ce d0 83 9e 6b aa 2d 74 8d ae 9d 56 |.N......k.-t...|
00000080 2e !1 63 81 69 18 a9 99 b5 c! 33 47 0e 03 !3 bd |..c.i.....3"....|
00000090 a0 b8 15 65 85 2e 6e !3 22 a1 7a 2e 2d a4 !6 50 |...e..#.$.%.-..&|
000000a0 73 69 07 !! 00 00 00 0a 39 62 37 62 62 33 64 32 |si......9b7bb3d2|
000000b0 2d 37 62 31 63 2d 34 66 63 39 2d 39 32 33 36 2d |-7b1c-4!c9-9236-|
000000c0 39 36 61 61 64 31 36 64 62 36 35 65 00 00 00 00 |96aad16db65e....|
000000d0 00 ac 71 !3 00 04 18 31 ee c0 18 69 ed 2b d9 5d |..'....1...i.(.)|
000000e0 6e 55 b0 53 66 8d a1 13 e9 75 a9 80 !d 0e bb 38 |#U.S!....*.....8|
000000!0 6c c5 4b 40 b9 c7 ee 2d 00 00 00 08 00 00 0! a0 |+.K,...-........|
)he he,um* is *rett# clear& but to make it even easier cr#*tsetu* *rovies a utilit# $hich $ill *resent
this in!ormation in a human reaable !orm. )he !ollo$in'
cr#*tsetu* luksGum* =ev=loo*0
#iels
LHIS heaer in!ormation !or =ev=loo*0
Jersion1 2
Ci*her name1 aes
Ci*her moe1 cbc-essiv1sha245
8ash s*ec1 sha2
?a#loa o!!set1 2032
9I bits1 228
9I i'est1 ca 6e ae 87 ce 0 83 7e 5b aa 2 36 8 ae 7 45 2e !2 53 82
9I salt1 57 28 a7 77 b4 c! 33 63 0e 03 !3 b a0 b8 24 54
84 2e 5e !3 22 a2 3a 2e 2 a6 !5 40 33 57 03 !!
9I iterations1 20
HH%G1 7b3bb32-3b2c-6!c7-7235-75aa25b54e
Ie# Slot 01 /AABL/G
%terations1 258333
Salt1 ee c0 28 57 e 2b 7 4 5e 44 b0 43 55 8 a2 23
e7 34 a7 80 ! 0e bb 38 5c c4 6b 60 b7 c3 ee 2
Ie# material o!!set1 8
A- stri*es1 6000
Ie# Slot 21 G%SABL/G
Ie# Slot 21 G%SABL/G
Ie# Slot 31 G%SABL/G
Ie# Slot 61 G%SABL/G
Ie# Slot 41 G%SABL/G
Ie# Slot 51 G%SABL/G
Ie# Slot 31 G%SABL/G
While none o! this in!ormation hel*s the attacker to ecoe the encr#*te ata $hich !ollo$s the
heaer& it oes 'ive a$a# some in!ormation. %t sa#s .$hat !ollo$s is encr#*te ata& it is encoe usin'
228-bit A/S& the moe in $hich this encr#*tion is use is ci*her block-chainin' $ith initiali(ation
vector calculate usin' sha245 .... )his is harmless enou'h e,ce*t that it iminishes plausible
deniability meanin' that i! the attacker is able to coerce the victim into 'ivin' over the ke#& the victim
has a more i!!icult time en#in' that there is an# ke# to be 'iven over an $hat the attacker is lookin'
at is ;ust ranom ata. Some encr#*tion im*lementations& like truecr#*t& a**roach *lausible eniabilit#
b# creatin' a .hien. volume. %n this a**roach& there are t$o *ass$ors& one $hich unlocks the true
hien volume an another $hich unlocks a !ake volume. When coerce& the victim can 'ive the ke# to
unlock the !ake volume $hile remainin' silent about the true volume.
%! $e take the ieal o! .(ero in!ormation loss. then an# luks-t#*e heaer $hich iscloses the metaata
o! the encr#*te ata com*romises *lausible eniabilit#. %n this case& im*lementations like m-cr#*t
$ithout luks e,tensions or loo*-aes are *re!erre. 8o$ever& in cases $here *lausible eniabilit# is not
an issue& then a luks-t#*e heaer has avanta'es& e'. the hal=bus s#stem in Gnome reco'ni(es the luks
heaer an initiates a ialo' $here the user can enter the *ass$or an obtain the ecr#*te volume as
an icon on the eskto* $hen he *lu's in an encr#*te *en rive. %! all the *otential victim is tr#in' to
*rotect a'ainst is the!t& then eniabilit# is not an issue. But i! it comes to a re*ressive re'ime tr#in' to
commit human ri'ht abuses& then *lausible eniabilit# an (ero in!ormation take on a ne$ imension.
Cryptanalysis with bitmaps
Let0s return to the ori'inal +uestion arme $ith the above kno$le'e. %s it *ossible to reco'ni(e the
i!!erence bet$een >*seuoB ranom ata an encr#*te ata even in the absence o! an# metaata" %0ll
emonstrate belo$ that in some circumstances the ans$er is #es. )o make m# *oints as obvious as
*ossible& %0ll use bitma* ima'es to emonstrate $hat0s 'oin' on. Let0s start $ith our re!erence s#stems
A B A - B
Fig 1
)hese ima'es $ere create usin' )he Gim* as 200,200 26-bit bm* ima'es. >% ha to rener them as
;*' to *ut on the $eb *a'e& but that $as the ver# last ste*. )he ori'inal bitma*s can be obtaine here.B
)he B.bm* !ile re*resents *ure $hite& an its bo# is mae u* o! all he, values --. A.bm* is also
mostl# --0s e,ce*t !or the black A $hich are 000s. )here are also some transitional values at the boarer
bet$een the black A an an $hite back'roun. )he ima'e A-B.bm* $as create b# co*#in' all o!
B.bm* to the cli*boar& an *astin' it into A as a ne$ la#er. )he t$o la#ers $ere then .i!!erence.
usin' the la#er *anel >#ou can brin' it u* usin' Wino$s <K Gockable Gialo's <K La#ersB.
8ere are our re!erence ranom ata ima'es1
@anom 2 @anom 2 @anom 2 - @anom 2
Fig 2
)hese ima'es $ere create usin' the !ollo$in'1
i!<=ev=uranom o!<ranom.bm* count<220046 bs<2
i!<A.bm* o!<ranom.bm* count<46 bs<2 conv<notrunc
)he !irst line creates a ranom !ile the si(e o! A.bm* an the secon line as the 46 b#te bm* heaer.
%t is ientical !or all our bitma*s o! the same si(e so $e can ;ust li!t it !rom A.bm*. % ae this heaer
!or all o! the encr#*te or ranom !iles belo$ as a !inal ste* to rener the !ile as a vie$able bitma*.
%0ll use this *oor man0s cr#*tanal#sis to look at some im*lementations o! encr#*tion. %0ll start $ith *oor
im*lementations an $ork to$ars our best *ractices. Hsin' bitma*s is not ri'orous& but its a nice
techni+ue to illustrate $hat $e0re lookin' !or. At the time o! this $ritin'& %0m coin' u* a suite o! test
base o!! o! Inuth0s $ork on ranom number. Sta# tuneD
Why embed encrypted data within random data and why using cipher block chaining
Almost all so!t$are $hich installs encr#*te s#stems $ill la# o$n ranom ata on the evice !irst an
e!ault to some stron' ci*her >e' 228-bit aesB im*lemente $ith ci*her block chainin'. Let0s use our
bitma* cr#*tanal#sis to see $hat ha**ens i! #ou on0t.
-irst let0s *ut A.bm* $ithin an unencr#*te e,t2 !ile s#stem !or re!erence --- $here o the blocks o!
A.bm* 'et *ut insie a !iles#stem" % *rouce this ima'e as !ollo$s1
i!<=ev=(ero o!<e,t2-A.bm* count<680046 bs<2
losetu* =ev=loo*0 e,t2-A.bm*
mke2!s =ev=loo*0
mount =ev=loo*0 (((=
c* A.bm* (((=
umount (((=
losetu* - =ev=loo*0
i!<A600.bm* o!<e,t2-A.bm* count<46 bs<2 conv<notrunc
Aote that A600.bm* is a 600,600 26-bit bm* $hich is 680046 b#tes in si(e. )he lar'er si(e
accommoates a lar'er !ile !or the e,t2 !iles#stem so that one can co*# A.bm* into it $ithout runnin'
out o! evice s*ace. %t is also commensurate $ith the 200,200 bm* so that the A oesn0t 'et $ra**e
unreco'ni(eabl# $hen the !ile s#stem is renere as a bm* ima'e.
Let0s similarl# *ut A.bm* into a *oorl# encr#*te e,t2 !ile s#stem. 8ere $e make t$o mistakes1 2B $e
o not !irst !ill u* the !ile s#stem $ith >*seuoB ranom ata be!ore encr#*tin' an !ormattin'& an
seconl# $e on0t use an# ci*her block chainin'. )his ima'e $as *rouce as !ollo$s
i!<=ev=(ero o!<e,t2-enc2-A.bm* count<680046 bs<2
losetu* =ev=loo*0 e,t2-enc2-A.bm*
cr#*tsetu* -c aes-ecb create e,t2-enc2-A.bm* =ev=loo*0
mke2!s =ev=ma**er=e,t2-enc2-A.bm*
mount =ev=ma**er=e,t2-enc2-A.bm* (((=
c* A.bm* (((=
umount (((=
msetu* remove e,t2-enc2-A.bm*
losetu* - =ev=loo*0
i!<A600.bm* o!<e,t2-enc2-A.bm* count<46 bs<2 conv<notrunc
Since *ulls its ata out o! =ev=(ero& the !ile s#stem stats $ith a base o! all (eros belo$ the
encr#*tion la#er. Also& cr#*tsetu* -c aes-ecb sets u* a m-cr#*t la#er $ithout an# chainin'& ie& each
block is encr#*te ine*enentl# o! an# other block& so a clear block o! all 00s is al$a#s encr#*te into
the same encr#*te block. )he *attern o! the !ile $ithin the !ile s#stem clearl# emer'es.
-inall#& let0s re*eat the above& but this time $e0ll correct one o! our mistakes. We0ll la# o$n ranom
ata uner the encr#*tion la#er& but $e0ll still use aes-ecb.
Clear e,t2 aes-ecb on Lero back'roun aes-ecb on @anom back'roun
Fig
%ts clear $hat0s ha**enin' here. )he since each block is encr#*te ine*enentl# o! others& the
unerl#in' structure comes throu'h. We are no $here near the ieal o! (ero in!ormation.
Dm!crypt"s de#ault aes!cbc!essiv$sha2%& with random #iller
La#in' o$n a ranom back'roun an chainin' is clearl# im*ortant. )here are several techni+ues o!
chainin'& but the unerl#in' iea is similar. %n CBC moe& the most *o*ular !orm o! chainin'& a block
is MN@e $ith the *revious encr#*te block be!ore it itsel! is encr#*te& thus creatin' a .chain.. An
initiali(ation vector is use !or the ver# !irst block. Since blocks are not encr#*te ine*enentl# o!
other blocks& a block o! sa# all 00s $ill not al$a#s be encr#*te in the same $a#& an the structure o!
the unerl#in' clear !ile s#stem oesn0t emer'e as obviousl# as in ecb. Let0s re*eat the *revious
e,*eriment& but this time& $e0ll use aes-cbc-essiv1sha245. We0ll still use all (eros an ranom ata !or
the unencr#*te back'roun !or com*arison. 8ere0s $hat one 'ets1
Clear e,t2
aes-cbc-essiv1sha245 on Lero
back'roun
aes-cbc-essiv1sha245 on @anom
back'roun
Fig '
)he im*ortance o! a ranom back'roun is a**arent in this e,am*le. )he chainin' certainl# obscure
the structure o! the unerl#in' !ile s#stem& but the outline o! lar'e re'ions o! em*t# s*ace are still
iscernible. When these em*t# re'ions are !ille $ith ranom ata& it becomes nearl# im*ossible to tell
$hat0s encr#*te an $hat is ranom. %n !act& the 228-bit aes-cbc-essiv1sha245 *asses all the stanar
tests !or ranom number on both a local an 'lobal scale --- this is the sub;ect o! another $riteu* that
%0ll *ost another time.
In#ormation leak despite random #iller and chaining
At this *oint the reaer ma# think he0s sa!e an arrive at .(ero in!ormation loss.& but un!ortunatel#&
there is still another kin o! attack that can be launche. )his one e*ens on the attacker bein' able to
$atch the encr#*te !ile s#stem at sna*shots in time. )his mi'ht ha**en& !or instance& i! the victim
backs u* his ata to a har rive $hich he then stores o!! site. %! the attacker sneaks bet$een backu*s
an ima'es the isks& it then become *ossible !or him to launch this kin' o! attacks.
8ere are three emonstrations o! this attack1
aB aes*i*e is able to o*erate in several moes. Nne moe is a 228-bit aes-cbc $ith a sim*le
initiali(ation vector an one *ass$or. Another is multi-ke#-v3 moe& $hich also em*lo#s 228-bit aes-
cbc& but uses 56 i!!erent ke#s to encr#*t the blocks --- the !irst ke# !or the !irst block& the secon !or
the secon an so on in a c#clical !ashion. %t also uses a 54th ke# *lus 9G4 !or the initiali(ation vector.
Still& i! an attacker has access to a !ile s#stem be!ore an a!ter the aition o! ata& evience emer'es o!
the unerl#in' encr#*tion.
)he !ollo$in' bitma*s $ere 'enerate to illustrate the sin'le ke# sim*le initiali(ation vector moe1
aes*i*e O A.bm* K aesA.bm*
aes*i*e O B.bm* K aesB.bm*
i!<A.bm* o!<aesA.bm* count<46 bs<2 conv<notrunc
i!<B.bm* o!<aesB.bm* count<46 bs<2 conv<notrunc
)he Gim* $as then use as escribe above to *rouce aesA-aesB.bm*. 8ere are the results1
A.bm* uner aes-cbc-*lain B.bm* uner aes-cbc-*lain aes A - aes B
Fig %
Nne can com*are these to bitma*s !or multi-ke#-v3. -irst $e 'enerate a !ile containin' the 54 ke#s1
hea -c 2724 =ev=uranom : uuencoe -m - : hea -n 55 : tail -n 54 : '*' --s#mmetric -a K
ke#.'*'
An then $e use the ke# !ile to *rouce the encr#*te bitma*s1
aes*i*e -I ke#.'*' O A.bm* K aesA-v3.bm*
aes*i*e -I ke#.'*' O B.bm* K aesB-v3.bm*
i!<A.bm* o!<aesA-v3.bm* count<46 bs<2 conv<notrunc
i!<A.bm* o!<aesB-v3.bm* count<46 bs<2 conv<notrunc
8ere are the results1
A.bm* uner multike#-v3 aes B.bm* uner multike#-v3 aes
multike#-v3 aes A - multike#-v3 aes
B
Fig &
%ts clear that the chan'e to the !ile s#stem is better blurre but there is still some in!ormation to be
'aine about the unerl#in' unencr#*te ata.
bB Let0s tr# the same test usin' 228-bit aes-cbc-essiv1sha245 on a ranom back'roun. 8ere $e0ll
em*lo# luks e,tensions !or convenience& but this is not necessar#& nor oes it chan'e our conclusions1
i!<=ev=uranom o!<e,t2-enc4-A.bm* count<2080046 bs<2
losetu* =ev=loo*0 e,t2-enc4-A.bm*
cr#*tsetu* luks-ormat =ev=loo*0
cr#*tsetu* luksN*en =ev=loo*0 e,t2-enc4-A.bm*
mke2!s =ev=ma**er=e,t2-enc4-A.bm*
mount =ev=ma**er=e,t2-enc4-A.bm* (((=
c* A.bm* (((=
umount (((=
msetu* remove e,t2-enc4-A.bm*
losetu* - =ev=loo*0
c* e,t2-enc4-A.bm* e,t2-enc4-B.bm*
losetu* =ev=loo*0 e,t2-enc4-B.bm*
cr#*tsetu* luksN*en =ev=loo*0 e,t2-enc4-B.bm*
mount =ev=ma**er=e,t2-enc4-B.bm* (((=
c* B.bm* (((=A.bm*
umount (((=
msetu* remove e,t2-enc4-B.bm*
losetu* - =ev=loo*0
i!<A500.bm* o!<e,t2-enc4-A.bm* count<46 bs<2 conv<notrunc
i!<A500.bm* o!<e,t2-enc4-B.bm* count<46 bs<2 conv<notrunc
8ere are the results1
A.bm* uner aes-cbc-essiv1245 B.bm* uner aes-cbc-essiv1245
aes-cbc1essiv245 A - aes-cbc1essiv245
B
Fig (
cB )o !airl# com*are loo*-aes0s multike#-v3 $ith mcr#*t aes-cbc-essiv1sha245& $e re*eat the *revious
test $ith loo*-aes.
i!<=ev=uranom o!<e,t2-enc5-A.bm* count<2080046 bs<2
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 e,t2-enc5-A.bm*
mke2!s =ev=loo*0
mount =ev=loo*0 (((=
c* A.bm* (((=
umount (((=
losetu* - =ev=loo*0
c* e,t2-enc5-A.bm* e,t2-enc5-B.bm*
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 e,t2-enc5-B.bm*
mount =ev=loo*0 (((=
c* B.bm* (((=A.bm*
umount (((=
losetu* - =ev=loo*0
i!<A500.bm* o!<e,t2-enc5-A.bm* count<46 bs<2 conv<notrunc
i!<A500.bm* o!<e,t2-enc5-B.bm* count<46 bs<2 conv<notrunc
8ere are the results1
A.bm* uner multike#-v3 B.bm* uner multike#-v3 multike#-v3 A - multike#-v3 B
Fig )
%! $e (oom in on the bans& $e can see that multike#-v3 loo*-aes oes a better ;ob than aes-cbc-
essiv1sha245 mcr#*t an hiin' the unerl#in' ata1
Fig *
+est ,ractice
Ao$ that $e kno$ more about ho$ in!ormation can leak !rom an encr#*te !ile s#stem& $e can
conclue $ith some avice !or best *ractices. %n aition to chosin' multike#-v3 loo*-aes& to avoi
e,*osin' the unerl#in' structure o! the clear !ile s#stem& one can tr# !illin' u* the em*t# s*ace $ith
>*seuoB ranom ata. )o illustrate& $e re*eate the *revious e,am*le& but a!ter co*#in' A.bm* into
the !iles#stem& $e !ille u* the remainin' em*t# s*ace as !ollo$s1
c (((
i!<=ev=uranom o!<$aste
When $e remount the s#stem& $e !irst clear the s*ace b# removin' .$aste.& o our $ork an then !ill it
back u* a'ain $ith >*seuoB ranom ata1
c (((
rm $aste
c* ..=B.bm* A.bm*
i!<=ev=uranom o!<$aste
)he results !ollo$1
A.bm* P ranom !iller uner
multike#-v3
B.bm* P ranom !iller uner
multike#-v3
multike#-v3 AP!iller - multike#-
v3 BP!iller
Fig 1-
Some o! the unerl#in' structure is still visible& but it is clear that $e0re 'ettin' closer to the situation in
-i' 2.
-inall#& let0s 'o one more ste*. 8o$ about scatterin' A.bm* throu'h the blocks o! the !ile s#stem& in
other $ors& !ra'mentin' it" Hsuall# one $ants to avoi !ra'mentation because it as latenc# to %N
urin' har rive seeks. )his is not an issue $ith soli state evices& such as *en rives or SSG0s an so
$e shoul consier $hat bene!it is 'aine in terms o! encr#*tion. -irst& let0s see $hat ha**ens to A.bm*
$hen it is !ra'mente on an unencr#*te rive. We o this b# creatin' lots o! little !iles an eletin'
ever# tenth one >an it bit moreB be!ore co*#in' in A.bm*1
i!<=ev=uranom o!<e,t2-!ra'.bm* count<2080046 bs<2
losetu* =ev=loo*0 e,t2-!ra'.bm*
mke2!s -A 2026 =ev=loo*0
mount =ev=loo*0 (((
c (((
!or i in Q>se+ 2 2026B C o i!<=ev=(ero o!<Qi.$aste count<2 bs<2k C one
rm -! R3.$aste
rm -! "3".$aste
c* ..=A.bm* .
c ..
umount (((
i!<A500.bm* o!<e,t2-!ra'.bm* count<46 bs<2 conv<notrunc
8ere is the result1
Fig 11
So let0s moi!# our techni+ue o! !illin' the em*t# s*ace $ith ranom ata b# !urther !orcin' the
!ra'menation o! A.bm* an B.bm*.
i!<=ev=uranom o!<aes-e,t2-!ra'-A.bm* count<2080046 bs<2
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 aes-e,t2-!ra'-A.bm*
mke2!s -A 2026 =ev=loo*0
mount =ev=loo*0 (((=
c (((=
!or i in Q>se+ 2 2026B C o i!<=ev=uranom o!<Qi.$aste count<2 bs<2k C one
rm -! R6.$aste R3.$aste
c* ..=A.bm* .
!or i in Q>se+ 2024 2068B C o i!<=ev=uranom o!<Qi.$aste count<2 bs<2k C one
c ..
umount (((=
losetu* - =ev=loo*0
c* aes-e,t2-!ra'-A.bm* aes-e,t2-!ra'-B.bm*
losetu* -e A/S228 -I ke#.'*' =ev=loo*0 aes-e,t2-!ra'-B.bm*
mount =ev=loo*0 (((=
c (((=
c* ..=B.bm* A.bm*
rm -! R.$aste
c ..
umount (((=
losetu* - =ev=loo*0
Hsin' our subtraction attack& here0s $hat $e !in1
A.bm* P ranom !iller P
!ra'mentation uner multike#-v3
B.bm* P ranom !iller P
!ra'mentation uner multike#-v3
multike#-v3 AP!illerP!ra' -
multike#-v3 BP!illerP!ra'
Fig 12
)he black bans >re'ions o! no chan'eB are still visible as in -i' 20& but are more scattere re!lectin'
the !ra'mentation o! the unerl#in' !ile. %t is unlikel# $e can totall# eliminate these re'ions o!
unchan'e ata because the# *robabl# re*resent the !ile s#stem0s metaata& ie& the i-noes an
su*erblocks.

You might also like