[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-block] [PATCH v3 03/18] qcow: document another weakness of qcow AE
From: |
Daniel P. Berrange |
Subject: |
[Qemu-block] [PATCH v3 03/18] qcow: document another weakness of qcow AES encryption |
Date: |
Thu, 26 Jan 2017 10:18:12 +0000 |
Document that use of guest virtual sector numbers as the basis for
the initialization vectors is a potential weakness, when combined
with internal snapshots or multiple images using the same passphrase.
This fixes the formatting of the itemized list too.
Signed-off-by: Daniel P. Berrange <address@hidden>
---
qemu-img.texi | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/qemu-img.texi b/qemu-img.texi
index 174aae3..db4534b 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -544,16 +544,29 @@ The use of encryption in qcow and qcow2 images is
considered to be flawed by
modern cryptography standards, suffering from a number of design problems:
@itemize @minus
address@hidden The AES-CBC cipher is used with predictable initialization
vectors based
address@hidden
+The AES-CBC cipher is used with predictable initialization vectors based
on the sector number. This makes it vulnerable to chosen plaintext attacks
which can reveal the existence of encrypted data.
address@hidden The user passphrase is directly used as the encryption key. A
poorly
address@hidden
+The user passphrase is directly used as the encryption key. A poorly
chosen or short passphrase will compromise the security of the encryption.
address@hidden In the event of the passphrase being compromised there is no way
to
address@hidden
+In the event of the passphrase being compromised there is no way to
change the passphrase to protect data in any qcow images. The files must
be cloned, using a different encryption passphrase in the new file. The
original file must then be securely erased using a program like shred,
though even this is ineffective with many modern storage technologies.
address@hidden
+Initialization vectors used to encrypt sectors are based on the
+guest virtual sector number, instead of the host physical sector. When
+a disk image has multiple internal snapshots this means that data in
+multiple physical sectors is encrypted with the same initialization
+vector. With the CBC mode, this opens the possibility of watermarking
+attacks if the attack can collect multiple sectors encrypted with the
+same IV and some predictable data. Having multiple qcow2 images with
+the same passphrase also exposes this weakness since the passphrase
+is directly used as the key.
@end itemize
Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
--
2.9.3
- [Qemu-block] [PATCH v3 00/18] Convert QCow[2] to QCryptoBlock & add LUKS support, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 01/18] block: expose crypto option names / defs to other drivers, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 02/18] block: add ability to set a prefix for opt names, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 03/18] qcow: document another weakness of qcow AES encryption,
Daniel P. Berrange <=
- [Qemu-block] [PATCH v3 05/18] iotests: skip 042 with qcow which dosn't support zero sized images, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 04/18] qcow: require image size to be > 1 for new images, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 06/18] iotests: skip 048 with qcow which doesn't support resize, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 07/18] iotests: fix 097 when run with qcow, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 08/18] qcow: make encrypt_sectors encrypt in place, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 09/18] qcow: convert QCow to use QCryptoBlock for encryption, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 10/18] qcow2: make qcow2_encrypt_sectors encrypt in place, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 11/18] qcow2: convert QCow2 to use QCryptoBlock for encryption, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 12/18] qcow2: extend specification to cover LUKS encryption, Daniel P. Berrange, 2017/01/26
- [Qemu-block] [PATCH v3 15/18] iotests: enable tests 134 and 158 to work with qcow (v1), Daniel P. Berrange, 2017/01/26