[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] Describe flaws in qcow/qcow2 encryption in the
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH] Describe flaws in qcow/qcow2 encryption in the docs |
Date: |
Wed, 22 Jan 2014 06:21:24 -0700 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 |
On 01/22/2014 04:36 AM, Daniel P. Berrange wrote:
> The qemu-img.texi / qemu-doc.texi files currently describe the
> qcow2/qcow2 encryption thus
>
> "Encryption uses the AES format which is very secure (128 bit
> keys). Use a long password (16 characters) to get maximum
> protection."
>
> While AES is indeed a strong encryption system, the way that
> QCow/QCow2 use it results in a poor/weak encryption system.
> Due to the use of predictable IVs it is vulnerable to chosen
> plaintext attacks which can reveal the existance of encrypted
s/existance/existence/
> data.
>
> The direct use of the user passphrase as the encryption key
> also leads to an inability to change the passphrase of an
> image. If passphrase is ever compromised the image data will
> all be vulnerable, since it cannot be re-encrypted. The admin
> has to clone the image files with a new passphrase and then
> use a program like shred to secure erase all the old files.
>
> Recommend against any use of QCow/QCow2 encryption, directing
> users to dm-crypt / LUKS which can meet modern cryptography
> best practices.
>
> Signed-off-by: Daniel P. Berrange <address@hidden>
> ---
> qemu-doc.texi | 23 ++++++++++++++++++++---
> qemu-img.texi | 23 ++++++++++++++++++++---
> 2 files changed, 40 insertions(+), 6 deletions(-)
>
> +
> +The use of encryption in QCow and QCow2 images is considered to flawed by
> modern
> +cryptography standards, suffering from a number of design problems
s/$/:/
> +
> address@hidden @minus
> address@hidden The AES-CBC cipher is used with predictable initialization
> vectors based
> +on the sector number. This makes it vulnerable to chosen plaintext attacks
> +which can reveal the existence of encrypted data.
> address@hidden The user passphrase is directly used as the encryption key. A
> poorly
> +choosen / short passphrase will compromise the security of the encryption.
s/choosen/chosen/
> +In the event of the passphrase being compromised there is no way to change
Maybe s/^/@item / ? After all, the need to clone/shred after compromise
is there whether the passphrase was poorly chosen or maximally chosen,
it's just that poorly chosen is more likely to be easily compromised.
> +++ b/qemu-img.texi
> address@hidden The user passphrase is directly used as the encryption key. A
> poorly
> +choosen / short passphrase will compromise the security of the encryption.
Copy and paste the fixes above here, too.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature