Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 335938 - <sys-fs/encfs-1.7.1: Watermarking attack
Summary: <sys-fs/encfs-1.7.1: Watermarking attack
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2010-09-04 11:45 UTC by Samuli Suominen (RETIRED)
Modified: 2011-01-03 20:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Samuli Suominen (RETIRED) gentoo-dev 2010-09-04 11:45:52 UTC

Watermarking is an attack which does not give any secrets to the attacker but
allows him to prove that the user of the encrypted file system has a certain
file stored on his drive. The file has previously been specially prepared by the

Following [1], data encrypted with the CBC cipher mode is vulnerable to
watermarking attacks under some circumstances. Consider a file which is divided
into file blocks B1 , ..., Bk of blocksize which are individually encrypted
using CBC and AES (whereas each file block consists of blocksize/16 cipher
blocks) (as in EncFS). The attack succeeds if the attacker is able to
calculate the XOR of the initialization vectors (IV) for some Bi and Bj , i !=
j. If so, the attacker prepares the first plain text blocks of block i and j
  Pi1 XOR Pj1 = IV(i) XOR IV(j)
and therefor
  Pi1 XOR IV(i) = Pj1 XOR IV(j)
This causes that
 Ci1 = Enc(Pi1 XOR IV(i)) = Enc(Pj1 XOR IV(j)) = Cj1
i.e. the first cipher block of file blocks i and j are identical. Therefore, the
attacker can test the cipher blocks Ci1 and Cj1 and conclude with high
probability whether this is his prepared file or not.

We analyzed the distribution of IV(i) XOR IV(j) for a randomly chosen blocks
and a random so-called fileIV which is used to make the IVs different from file
to file. This showed that IV(i) XOR IV(j) is not at all uniformly distributed.
There is a certain value for IV(i) XOR IV(j) which is highly more probable
that expected for a uniform distribution (2*10^-4).

We then watermarked a file such that the even file blocks start with the found
value and the odd file blocks with all zero. So, the encrypted file is
successfully recognized by testing whether there are two consecutive file
blocks that start with the same cipher block. Using a file with 50000 blocks we
achieved a probability of > 99.9% of recognizing the watermarked file. 

Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-09-04 11:46:54 UTC
EncFS 1.7.1 -- August 30, 2010

Change Log

* add new IV initialization mode to foil watermark attack - see this 2010-08 analysis.  The old IV setup is kept for backwards compatibility.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-09-04 13:52:01 UTC

Test & stabilize =sys-fs/encfs-1.7.1
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-05 15:47:14 UTC
x86 stable
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-09-06 22:29:20 UTC
amd64 done
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 22:59:44 UTC
GLSA Vote: no.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-03 20:51:05 UTC
GLSA Vote: no -> Closing. Feel free to reopen if you disagree.