mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

qcow: document another weakness of qcow AES encryption

Browse Source 
Document that use of guest virtual sector numbers as the basis for
the initialization vectors is a potential weakness, when combined
with internal snapshots or multiple images using the same passphrase.
This fixes the formatting of the itemized list too.

Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170623162419.26068-4-berrange@redhat.com
Signed-off-by: Max Reitz <mreitz@redhat.com>
This commit is contained in:
Daniel P. Berrange 2017-06-23 17:24:02 +01:00 committed by Max Reitz
parent 4a47f85431
commit 0b4ee9090e
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
qemu-img.texi
View File

@ -567,16 +567,29 @@ The use of encryption in qcow and qcow2 images is considered to be flawed by
modern cryptography standards, suffering from a number of design problems: modern cryptography standards, suffering from a number of design problems:
@itemize @minus @itemize @minus
@item The AES-CBC cipher is used with predictable initialization vectors based @item
The AES-CBC cipher is used with predictable initialization vectors based
on the sector number. This makes it vulnerable to chosen plaintext attacks on the sector number. This makes it vulnerable to chosen plaintext attacks
which can reveal the existence of encrypted data. which can reveal the existence of encrypted data.
@item The user passphrase is directly used as the encryption key. A poorly @item
The user passphrase is directly used as the encryption key. A poorly
chosen or short passphrase will compromise the security of the encryption. chosen or short passphrase will compromise the security of the encryption.
@item In the event of the passphrase being compromised there is no way to @item
In the event of the passphrase being compromised there is no way to
change the passphrase to protect data in any qcow images. The files must change the passphrase to protect data in any qcow images. The files must
be cloned, using a different encryption passphrase in the new file. The be cloned, using a different encryption passphrase in the new file. The
original file must then be securely erased using a program like shred, original file must then be securely erased using a program like shred,
though even this is ineffective with many modern storage technologies. though even this is ineffective with many modern storage technologies.
@item
Initialization vectors used to encrypt sectors are based on the
guest virtual sector number, instead of the host physical sector. When
a disk image has multiple internal snapshots this means that data in
multiple physical sectors is encrypted with the same initialization
vector. With the CBC mode, this opens the possibility of watermarking
attacks if the attack can collect multiple sectors encrypted with the
same IV and some predictable data. Having multiple qcow2 images with
the same passphrase also exposes this weakness since the passphrase
is directly used as the key.
@end itemize @end itemize
Use of qcow / qcow2 encryption is thus strongly discouraged. Users are Use of qcow / qcow2 encryption is thus strongly discouraged. Users are