2

A recent discussion on another website prompted a proclamation that storing (TrueCrypt, LUKS, DMG, etc.) on cloud sync services like Dropbox is unsafe, since a version history is kept of each file, and that the change in the encrypted volume as files are added/removed/changed can be used to leak private information.

Some cursory googling didn't turn anything up regarding this supposed threat.

My question is, does storing these files on versioning cloud services represent any kind of real security risk, and if so, are there any safer alternatives to pass encrypted files around?

Mikey T.K.

2 Answers

6

Take a look at Ferguson's criticism and the official response at the bottom of page 2 and top of page 3 here: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf

XTS sector/block mode (used on TrueCrypt, DriveCrypt, etc.) has a temporal quality that can certainly leak information. Ferguson says an adversary who observes 4000 writes to an encrypted 4K sector will have obtained access to well over a million (2^20) ciphertext blocks encrypted with the same tweak and key.

I'll add that since most crypto volumes of Windows users these days will be formatted NTFS or FAT32, the attacker has a pretty good idea where to look for frequently changing file system structure data that (a) has a defined range of possible known plaintexts; and (b) a predictable location given the size of the volume file.

Putting encrypted volumes in the cloud does all the "work" that the IEEE response said would make the attack on a volume infeasible. The security model was never meant to be solid when you make the entire internet into a potential evil maid who can monitor the changes on the encrypted volume. Even less so if the cloud service is doing the versioning that does even one more step for the attacker (i.e., collect and aggregate just the changed sectors).

boggart
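Added example (not part of the answer above, and not TrueCrypt code): a minimal sketch of why a version history matters for XTS-style encryption, where each 16-byte position keeps the same key and tweak across every revision. The Feistel `toy_prp` is an insecure stand-in for AES, the HMAC-based `tweak` replaces the real XTS tweak computation, and the keys and two-sector volume are constructed sample values.

```python
import hashlib
import hmac

BLOCK, SECTOR = 16, 4096  # cipher block size; 4K sector as in the answer

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_prp(key, block):
    """4-round Feistel over 16 bytes: a stand-in for AES, NOT secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def tweak(key2, sector, idx):
    """Fixed per (sector, block index). Real XTS uses E_K2(sector) * alpha^idx."""
    pos = sector.to_bytes(8, "little") + idx.to_bytes(4, "little")
    return hmac.new(key2, pos, hashlib.sha256).digest()[:BLOCK]

def encrypt_volume(k1, k2, plaintext):
    """XEX-style: C = E_K1(P xor T) xor T for every 16-byte block."""
    out = bytearray()
    for off in range(0, len(plaintext), BLOCK):
        t = tweak(k2, off // SECTOR, (off % SECTOR) // BLOCK)
        out += xor(toy_prp(k1, xor(plaintext[off:off + BLOCK], t)), t)
    return bytes(out)

def changed_blocks(old, new):
    """Keyless diff of two stored revisions -> [(sector, block index), ...]."""
    return [(off // SECTOR, (off % SECTOR) // BLOCK)
            for off in range(0, len(old), BLOCK)
            if old[off:off + BLOCK] != new[off:off + BLOCK]]

def demo():
    k1, k2 = b"constructed-key-1", b"constructed-key-2"
    rev1 = bytes(2 * SECTOR)                      # constructed 2-sector volume
    rev2 = bytearray(rev1)
    rev2[SECTOR + 32:SECTOR + 36] = b"edit"       # one 4-byte write
    rev3 = rev1                                   # the write is undone
    c1, c2, c3 = (encrypt_volume(k1, k2, bytes(r)) for r in (rev1, rev2, rev3))
    return changed_blocks(c1, c2), c3 == c1, c1[:BLOCK] != c1[BLOCK:2 * BLOCK]

if __name__ == "__main__":
    print(demo())
```

The diff pinpoints the single modified 16-byte block, and the reverted revision is byte-identical to the first, so stored revisions expose both where data changed and when a block returned to an earlier value. Identical plaintext at different positions still encrypts differently, which is the protection the tweak does provide.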
-1

As far as crypto is concerned, Kerckhoffs's rule said that the key should be a secret, not the algorithm. So if crypto implementation is fine, you need to worry about. About versioning. Attacking TrueCrypt volumes based on some changes that an attacker does not know means a ciphertext attack. If I'm not mistaken, all ciphers should pass this test successfully.

  • You are mistaken. A block cipher like AES is safe from such an attack, but in order to encrypt more than one block, AES must be run in a mode of operation. The mode used by TrueCrypt, VeraCrypt, and other related disk-encryption utilities is typically XTS, which is vulnerable if an attacker sees multiple revisions of a given volume. – forest Jul 11 '18 at 03:10