[cryptography] Practical malleability attack against CBC-Encrypted LUKS partitions

Jeffrey Walton noloader at gmail.com
Sun Dec 22 16:29:13 EST 2013

[Originally sent to Full Disclosure]


I. Abstract

The most popular full disk encryption solution for Linux is LUKS
(Linux Unified Key Setup), which provides an easy-to-use encryption
layer for block devices. By default, newly generated LUKS devices are
set up with 256-bit AES in CBC mode. Since there is no integrity
protection/checksum, it is obviously possible to destroy parts of
plaintext files by changing the corresponding ciphertext blocks.
Nevertheless, many users expect the encryption to make sure that an
attacker can only change the plaintext to an unpredictable random
value. The CBC mode used by default in LUKS, however, allows some more
targeted manipulation of the plaintext file given that the attacker
knows the original plaintext. This article demonstrates how this can
be used to inject a full remote code execution backdoor into an
encrypted installation of Ubuntu 12.04 created by the alternate
installer (the default installer of Ubuntu 12.04 doesn’t allow setting
up full disk encryption).
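
The malleability the abstract describes, as an added example that is not part of the original post: a toy Feistel cipher stands in for AES (the property belongs to CBC chaining, not to the block cipher), and every key, sample plaintext and function name below is constructed for illustration. It shows that a known plaintext block can be rewritten at the cost of garbling the block before it, and that a MAC over the ciphertext, the integrity protection the abstract notes is missing, detects the change.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy cipher (stand-in for AES, NOT secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(xor(dec_block(key, cur), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = cur
    return b"".join(out)

def rewrite_block(ct, idx, known, wanted):
    # XOR (known ^ wanted) into C_{idx-1}: P_idx becomes `wanted`, P_{idx-1} is garbled.
    s = (idx - 1) * BLOCK
    return ct[:s] + xor(ct[s:s + BLOCK], xor(known, wanted)) + ct[s + BLOCK:]

def demo():
    key, mac_key, iv = b"k" * 16, b"m" * 16, bytes(16)  # constructed values
    pt = b"BLOCK-0-UNKNOWN." + b"mode=read-only.." + b"BLOCK-2-TRAILER."
    ct = cbc_encrypt(key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    forged = rewrite_block(ct, 1, pt[16:32], b"mode=read-write.")
    out = cbc_decrypt(key, iv, forged)
    forged_tag = hmac.new(mac_key, iv + forged, hashlib.sha256).digest()
    return pt, out, not hmac.compare_digest(tag, forged_tag)
```

Without the tag check, decryption of the modified ciphertext succeeds silently; the only side effect is the one garbled block.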
