Article:   Userspace Filesystem Encryption with EncFS
Subject:   Comparison to loop-aes?
Date:   2005-04-16 16:58:13
From:   moopst
Response to: Comparison to loop-aes?

I think the fact that the files are there with the same sizes means you could attack this more easily. All of my digital pictures are about 1.5-1.6 MB. Suppose you had two dozen spreadsheets, all around 25k, and they all have the same information in their header (like some sort of xml doctype declaration for example). You could make some assumptions and go after the key using that.


I don't know about loop-aes but I would like to see everything encrypted, even the linked list for the file blocks, so that a fragmented file looks even harder to read because you can't follow its bits sequentially until you break the code.


However I really do like the backup feature. I'm going to look into using this at work on Solaris. We have some files with encrypted passwords in them.



  • not so easy
    2005-04-17 06:57:23  vgough

    Encfs will use either Blowfish or AES from the OpenSSL library, with key lengths from 128 bits to 256 bits.

    The kind of attack you are talking about (files having known headers) is a type of "known-plaintext" attack. However, you drastically overestimate the efficiency of such an attack. Even if your drive was so big that it contained every byte of data in the world, and the attacker had both the plaintext and encrypted versions, there is still no published way to get the AES key given that data. So having some images and spreadsheets around isn't going to be enough by a long shot.

    You might be thinking of a known-plaintext attack against the kernel loopback system not so long ago, which I believe was really a dictionary attack. Because of the way the loopback driver had encrypted the data, it was possible to pre-compute the encrypted data that would result for particular passwords. So an attacker could create a big dictionary of pre-computed encrypted data and simply test against some known bytes on the drive to see if one of those passwords was in use. Encfs does not allow this, as two different encfs filesystems will always have different encrypted data - even if the same data is stored in each, and the same password was used when the filesystem was created.

    By far the most cost-effective attack would be to bug your computer or keyboard. That attack would cost less than trying to break AES, and work equally well with loop-aes or encfs.
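
The precomputation issue described in the reply above, as an added example that is not part of the original thread and is not EncFS or loopback driver code. Assumptions: a random per-volume salt models "different encrypted data per filesystem" (the thread does not state the mechanism), an HMAC-SHA256 keystream stands in for AES/Blowfish, and all names and sample values are constructed.

```python
import hashlib, hmac, os

KNOWN_HEADER = b'<?xml version="1.0" encoding="UTF-8"?>'  # constructed known plaintext
WORDLIST = ["123456", "letmein", "hunter2"]                # constructed guesses
FIXED_SALT = bytes(16)   # "no per-filesystem value": same for every volume

def derive_key(password, salt):
    # Password-based key; 1000 iterations only to keep the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def toy_encrypt(key, data):
    # Stand-in keystream cipher (HMAC-SHA256 in counter mode), NOT AES/Blowfish.
    stream = b"".join(
        hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_volume(password, per_volume_salt):
    """Return (salt, first ciphertext bytes) of a hypothetical volume."""
    salt = os.urandom(16) if per_volume_salt else FIXED_SALT
    return salt, toy_encrypt(derive_key(password, salt), KNOWN_HEADER)

def build_table(salt):
    """Map expected ciphertext of the known header -> password guess."""
    return {toy_encrypt(derive_key(pw, salt), KNOWN_HEADER): pw for pw in WORDLIST}

def password_from_table(table, ciphertext):
    return table.get(ciphertext)   # None when the table does not apply

if __name__ == "__main__":
    table = build_table(FIXED_SALT)            # computed once, reused everywhere
    _, weak = make_volume("letmein", per_volume_salt=False)
    salt, strong = make_volume("letmein", per_volume_salt=True)
    print("fixed derivation :", password_from_table(table, weak))
    print("per-volume salt  :", password_from_table(table, strong))
    # A weak password is still guessable, but only with work redone per volume.
    print("table for salt   :", password_from_table(build_table(salt), strong))
```

The last line shows the limit of the defence: a per-volume value removes the reusable table, it does not make a guessable password strong.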
    • not so easy
      2005-06-12 06:54:24  hyperborean

      I'm a bit confused about AES.

      If a byte like an "a" or "4" occurs in the same location in the state, would it not be encrypted in the same form?

      For example, if an "a" occurs in the top left hand corner of the 4 X 4 byte state, it seems to me that it would be enciphered the same every time it happened to repeat in the same location.

      Therefore, if you have plenty of known headers or other plaintext you might be able to compile an inventory of at least all alphanumeric characters in each location of the state.

      Then it would be simply a matter of counting the bytes.

      I am not saying it would reveal the key, but could you crack the rest of the message this way?

      Am I missing something here?