[cryptography] ZFS dedup? hashes (Re: [zfs] SHA-3 winner announced)

Adam Back adam at cypherspace.org
Thu Oct 4 08:39:35 EDT 2012


On Thu, Oct 04, 2012 at 11:47:08AM +0200, Jim Klimov wrote:
>> [decrypting or confirming encrypted or ACLed documents via dedup]
>> eg say a form letter where the only blanks to fill in are the name (known
>> suspected) and a figure (<1,000,000 possible values).
>
>What sort of attack do you suggest? That a storage user (attacker)
>pre-creates a million files of this form with filled-in data?

The otherway around - let the victim store their confidential but low
entropy file.  Then the attacker writes all permutations, and does timing or
disk free stats or other side channel to tell which was the correct guess.

Given that one can get a private key out of an RSA private key holding
server by being another unprivileged process, based on cache lines, timing
etc it seems to me likely you would be able to tell dedup.  And maybe you
can dedup lots of times, eg create, delete, wait for space reclaim, write
again (to get better accuracy stats from having lots of timing samples.)

Its not just encryption, but another unprivileged user on the same system,
where the file permissions are supposed to prevent you reading the contents
of the file.  Dedup could break those assumptions allowing an ACLed file to
be read/confirmed (and decrypted if it were encrypted - if the encryption is
at the disk level, not per user keying).

Adam



More information about the cryptography mailing list