IT Jobs
Encrypted image backups open to new attack
German techie discovers nasty flaw.
By John Dunn | Techworld
Published: 15:51 GMT, 03 October 08
Bitmaps stored inside encrypted backup files could be vulnerable to a sophisticated ‘comparison' attack, a German security researcher has discovered.
In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data 'leaks'.
The problem is that bitmaps often display low levels of entropy, such as would be the case in pictures taken at night with large areas of high contrast. Roellgen's attack is based on comparing two volumes encrypted into scrambled ciphertext using the same symmetric or 'static' key, where the original subsequently has new files added. This yields a pattern of structured similarities and differences that can be used to reveal some of the original information in plaintext form.
The attack doesn't work for other types of data, for instance text files, because the entropy levels are too high. But it is believed to effect almost any encryption program currently on sale as long as the two volumes being compared use the same encryption key whilst being slightly different from one another.
The vulnerability will interest anyone storing image data in backup files, because it raises a small but theoretically significant level of doubt about their security under everyday circumstances. The technique could also have interesting implications for police investigations where officials suspect 'invisible' data to be encrypted inside already encrypted volumes.
At the moment, police expend considerable effort trying to crack encrypted volumes. The problem is that a sophisticated criminal can hide an independently encrypted volume inside this master volume, and simply deny its existence, knowing that it cannot be detected.
But if the police have access to two backup volumes created with a single key, one of which has changed over time, Roellgen's technique can be used to compute that such a volume must exist within the primary volume. Although police cannot decipher the data, they can at least know that it is being hidden.
"Generally all disk encryption programs that are available on the market seem to contain this security hole," comments Roellgen in his paper. "The attack has been proven for a number of popular and commercially available OTFE (on-the-fly encryption) software packages," he says.
The defence against the attack is simply to make sure that each encrypted backup file uses an independent key, something Roellgen had made mandatory in his own company's encryption utility, TurboCrypt.
The attack's success can be seen in a website demonstration where it is used to reveal the outline of a single image file hacked open using the technique.
Last month, PMC Ciphers demonstrated TurboCrypt's defence against another great weakness of encryption software, Trojan keyloggers, which can be used to record the encryption key as it is being entered.
Add your commentComments
Mark Stamp | Published: 23:42 GMT, 30 October 2008
If you want to read more about this "new" attack, see Section 3.3.7 (and, in particular, the images in Figure 3.3) of my textbook, Information Security: Principles and Practice (published in 2006). This attack has been widely known since the beginning of time (well, almost).
Publius | Published: 01:52 GMT, 17 October 2008
EXTRA, EXTRA, read all about it! "In a new paper" released to the press on an OLD, already known subject Munich-based encryption outfit PMC Ciphers tries to land some business during tough economic times.
Esurnir | Published: 04:14 GMT, 11 October 2008
L00pHnt: He's absolutely right, when using the same key with the same plaintext you get the same ciphertext... Well save that no one with their right mind would make a block cipher work that way, it's been known since day one and when transmitting any data, including a bitmap over the internet you use either a stream cipher which by design is not suceptible to this attack (the key is never reused) or a block cipher in a mode of operation, typicaly Chain block cipher mode, where the ciphertext of the previous block is xored with the plaintext that must be encrypted, making sure that the plaintext even with the bitmap, even with a document full of a will never ever be the same.
Bletchley Parker | Published: 01:27 GMT, 11 October 2008
I did not see anything about cascading ciphers, ie; AES+Serpent; Twofish+AES,AES+Serpent+Twofish, etc. These supposedly have an independent key for each cipher used,and I always use a cascade when I build a crypto drive.Any comments ???
Adrian | Published: 16:48 GMT, 09 October 2008
Guys, stop wasting your time on this PR nonsense. Author just noticed that ECB mode does not chain blocks, and therefore reveals patterns, which is explained in every introductory book about cryptography.
Lloyd | Published: 13:11 GMT, 09 October 2008
Ummm... hasn't this been well-known for a very, very long time? Using ECB mode block ciphers on two identical plaintexts will always create two identical ciphertexts. In fact, this information is freely available on Wikipedia: http://en.wikipedia.org/wiki/Electronic_codebook#Electronic_codebook_(ECB)
Mr. Write | Published: 20:13 GMT, 07 October 2008
So... the police are supposed to obtain two separate copies of an encrypted volume one of which has changed over a period of time. I fail to see this as any real threat. The common case is that the police will obtain a suspicious volume and therefore the suspect will no longer have access to the volume. We're talking police here not NSA. The fact is: if a government authority obtains my hard drive they will never be able to prove that my secret volumes exist.
skeptikal | Published: 21:11 GMT, 06 October 2008
While this is somewhat correct, it is not new, or news.
Detlev | Published: 17:59 GMT, 06 October 2008
It is not the cipher but the mode of operation that deals with this issue. The original paper (http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepapers/backup_attack.pdf) makes up a problem that does not exist: NO reasonable software uses ECB, esp. not truecrypt which is free opposed to the promoted pruduct. Read Bruce Schneier on the later here: http://www.schneier.com/crypto-gram-0303.html#4
Daisy | Published: 16:30 GMT, 06 October 2008
The logic behind this seems to be correct. Really interesting news.