mirror of
https://github.com/qemu/qemu.git
synced 2024-11-23 19:03:38 +08:00
qcow: document another weakness of qcow AES encryption
Document that use of guest virtual sector numbers as the basis for the initialization vectors is a potential weakness, when combined with internal snapshots or multiple images using the same passphrase. This fixes the formatting of the itemized list too. Reviewed-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170623162419.26068-4-berrange@redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
This commit is contained in:
parent
4a47f85431
commit
0b4ee9090e
@ -567,16 +567,29 @@ The use of encryption in qcow and qcow2 images is considered to be flawed by
|
||||
modern cryptography standards, suffering from a number of design problems:
|
||||
|
||||
@itemize @minus
|
||||
@item The AES-CBC cipher is used with predictable initialization vectors based
|
||||
@item
|
||||
The AES-CBC cipher is used with predictable initialization vectors based
|
||||
on the sector number. This makes it vulnerable to chosen plaintext attacks
|
||||
which can reveal the existence of encrypted data.
|
||||
@item The user passphrase is directly used as the encryption key. A poorly
|
||||
@item
|
||||
The user passphrase is directly used as the encryption key. A poorly
|
||||
chosen or short passphrase will compromise the security of the encryption.
|
||||
@item In the event of the passphrase being compromised there is no way to
|
||||
@item
|
||||
In the event of the passphrase being compromised there is no way to
|
||||
change the passphrase to protect data in any qcow images. The files must
|
||||
be cloned, using a different encryption passphrase in the new file. The
|
||||
original file must then be securely erased using a program like shred,
|
||||
though even this is ineffective with many modern storage technologies.
|
||||
@item
|
||||
Initialization vectors used to encrypt sectors are based on the
|
||||
guest virtual sector number, instead of the host physical sector. When
|
||||
a disk image has multiple internal snapshots this means that data in
|
||||
multiple physical sectors is encrypted with the same initialization
|
||||
vector. With the CBC mode, this opens the possibility of watermarking
|
||||
attacks if the attack can collect multiple sectors encrypted with the
|
||||
same IV and some predictable data. Having multiple qcow2 images with
|
||||
the same passphrase also exposes this weakness since the passphrase
|
||||
is directly used as the key.
|
||||
@end itemize
|
||||
|
||||
Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
|
||||
|
Loading…
Reference in New Issue
Block a user