Encrypted image backups open to new attack

German techie discovers nasty flaw.

Bitmaps stored inside encrypted backup files could be vulnerable to a sophisticated ‘comparison' attack, a German security researcher has discovered.

In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data 'leaks'.

The problem is that bitmaps often display low levels of entropy, such as would be the case in pictures taken at night with large areas of high contrast. Roellgen's attack is based on comparing two volumes encrypted into scrambled ciphertext using the same symmetric or 'static' key, where the original subsequently has new files added. This yields a pattern of structured similarities and differences that can be used to reveal some of the original information in plaintext form.

The attack doesn't work for other types of data, for instance text files, because the entropy levels are too high. But it is believed to effect almost any encryption program currently on sale as long as the two volumes being compared use the same encryption key whilst being slightly different from one another.

The vulnerability will interest anyone storing image data in backup files, because it raises a small but theoretically significant level of doubt about their security under everyday circumstances. The technique could also have interesting implications for police investigations where officials suspect 'invisible' data to be encrypted inside already encrypted volumes.

At the moment, police expend considerable effort trying to crack encrypted volumes. The problem is that a sophisticated criminal can hide an independently encrypted volume inside this master volume, and simply deny its existence, knowing that it cannot be detected.

But if the police have access to two backup volumes created with a single key, one of which has changed over time, Roellgen's technique can be used to compute that such a volume must exist within the primary volume. Although police cannot decipher the data, they can at least know that it is being hidden.

"Generally all disk encryption programs that are available on the market seem to contain this security hole," comments Roellgen in his paper. "The attack has been proven for a number of popular and commercially available OTFE (on-the-fly encryption) software packages," he says.

The defence against the attack is simply to make sure that each encrypted backup file uses an independent key, something Roellgen had made mandatory in his own company's encryption utility, TurboCrypt.

The attack's success can be seen in a website demonstration where it is used to reveal the outline of a single image file hacked open using the technique.

Last month, PMC Ciphers demonstrated TurboCrypt's defence against another great weakness of encryption software, Trojan keyloggers, which can be used to record the encryption key as it is being entered.


What are your views on this subject? Use the form below to post a comment on this article up to 500 characters.


Characters remaining: 500

Add your commentComments

Mark Stamp | Published: 23:42 GMT, 30 October 2008

If you want to read more about this "new" attack, see Section 3.3.7 (and, in particular, the images in Figure 3.3) of my textbook, Information Security: Principles and Practice (published in 2006). This attack has been widely known since the beginning of time (well, almost).

Publius | Published: 01:52 GMT, 17 October 2008

EXTRA, EXTRA, read all about it! "In a new paper" released to the press on an OLD, already known subject Munich-based encryption outfit PMC Ciphers tries to land some business during tough economic times.

Esurnir | Published: 04:14 GMT, 11 October 2008

L00pHnt: He's absolutely right, when using the same key with the same plaintext you get the same ciphertext... Well save that no one with their right mind would make a block cipher work that way, it's been known since day one and when transmitting any data, including a bitmap over the internet you use either a stream cipher which by design is not suceptible to this attack (the key is never reused) or a block cipher in a mode of operation, typicaly Chain block cipher mode, where the ciphertext of the previous block is xored with the plaintext that must be encrypted, making sure that the plaintext even with the bitmap, even with a document full of a will never ever be the same.

Bletchley Parker | Published: 01:27 GMT, 11 October 2008

I did not see anything about cascading ciphers, ie; AES+Serpent; Twofish+AES,AES+Serpent+Twofish, etc. These supposedly have an independent key for each cipher used,and I always use a cascade when I build a crypto drive.Any comments ???

Adrian | Published: 16:48 GMT, 09 October 2008

Guys, stop wasting your time on this PR nonsense. Author just noticed that ECB mode does not chain blocks, and therefore reveals patterns, which is explained in every introductory book about cryptography.

Lloyd | Published: 13:11 GMT, 09 October 2008

Ummm... hasn't this been well-known for a very, very long time? Using ECB mode block ciphers on two identical plaintexts will always create two identical ciphertexts. In fact, this information is freely available on Wikipedia: http://en.wikipedia.org/wiki/Electronic_codebook#Electronic_codebook_(ECB)

Mr. Write | Published: 20:13 GMT, 07 October 2008

So... the police are supposed to obtain two separate copies of an encrypted volume one of which has changed over a period of time. I fail to see this as any real threat. The common case is that the police will obtain a suspicious volume and therefore the suspect will no longer have access to the volume. We're talking police here not NSA. The fact is: if a government authority obtains my hard drive they will never be able to prove that my secret volumes exist.

skeptikal | Published: 21:11 GMT, 06 October 2008

While this is somewhat correct, it is not new, or news.

Detlev | Published: 17:59 GMT, 06 October 2008

It is not the cipher but the mode of operation that deals with this issue. The original paper (http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepapers/backup_attack.pdf) makes up a problem that does not exist: NO reasonable software uses ECB, esp. not truecrypt which is free opposed to the promoted pruduct. Read Bruce Schneier on the later here: http://www.schneier.com/crypto-gram-0303.html#4

Daisy | Published: 16:30 GMT, 06 October 2008

The logic behind this seems to be correct. Really interesting news.

Related Security news

Antivirus programs fail to stop new malware

One in three systems infected.

Adobe sorry for 16-month-old Flash bug

Unpatched vulnerability 'slipped through the cracks'

HTML 5 leaves client storage open to web attacks

Security researcher says web apps could be vulnerable

Rugged Manifesto calls on developers for secure code

Security professionals call for better programming practices



Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Challenges and opportunities of PCI

The Payment Card Industry Data Security Standard provides an enterprise structure for improving operational, security, and audit performance. The benefits of the PCI DSS go beyond audit costs and results.

Download Whitepaper

Database security: Preventing enterprise data leaks at the source

IDC discusses the growing internal threats to business information, the impact of government regulations on the protection of data, and how enterprises must adopt database security best practices...

Download Whitepaper

Six essential steps to successful IT centralisation

This report, based on the real experience of a recent centralisation project, is aimed at those involved in IT strategy within their organisation. It provides some practical insights for CIOs, CTOs, Heads of IT, IT Directors and those involved more closely with the service management function.

Download Whitepaper

Application Grid: The ideal platform for IT consolidation

Evaluating the opportunity for consolidation of middleware — Java application servers and related technologies.

Download Whitepaper

Techworld UK - Technology - Business

COLT White Paper

Are all VoIP services the same?

Questions to ask your service provider to ensure you get the VoIP service you need
With careful choice of partner, your business can have all the advantages of VoIP access - reduced costs, flexibility and simplicity - without the drawbacks.
This white paper is your guide to ensure you get right the VoIP service and details the pitfalls which businesses would do well to avoid.

Download white paper
COLT White Paper

IT Misuse Survey

Complete this survey and you could win a Nexus One

Techworld are running a short survey to discover how UK businesses are managing Internet and email misuse in the Enterprise.

Complete Survey

Webcast: IT Financial Management: Cost Optimisation for Efficiency and Agility.
On Demand Webcast
Join this webcast to learn about the techniques and technologies that can help you prove the value of IT to the business by understanding the true cost of today's IT services and those that will be necessary to deliver future success.

Register Today

Site Map

IDG Network

* *