qcow: document another weakness of qcow AES encryption

Document that use of guest virtual sector numbers as the basis for the initialization vectors is a potential weakness, when combined with internal snapshots or multiple images using the same passphrase. This fixes the formatting of the itemized list too. Reviewed-by: N Max Reitz <mreitz@redhat.com> Reviewed-by: N Alberto Garcia <berto@igalia.com> Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> Message-id: 20170623162419.26068-4-berrange@redhat.com Signed-off-by: N Max Reitz <mreitz@redhat.com>

qcow: document another weakness of qcow AES encryption
Document that use of guest virtual sector numbers as the basis for the initialization vectors is a potential weakness, when combined with internal snapshots or multiple images using the same passphrase. This fixes the formatting of the itemized list too. Reviewed-by: N Max Reitz <mreitz@redhat.com> Reviewed-by: N Alberto Garcia <berto@igalia.com> Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> Message-id: 20170623162419.26068-4-berrange@redhat.com Signed-off-by: N Max Reitz <mreitz@redhat.com>
0b4ee909 · Daniel P. Berrange · Max Reitz · 4a47f854 · 0b4ee909
隐藏空白更改
内联并排

Showing with 16 addition and 3 deletion

qemu-img.texi qemu-img.texi +16 -3

未找到文件。
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -567,16 +567,29 @@ The use of encryption in qcow and qcow2 images is considered to be flawed by
 modern cryptography standards, suffering from a number of design problems:

 @itemize @minus
-@item The AES-CBC cipher is used with predictable initialization vectors based
+@item
+The AES-CBC cipher is used with predictable initialization vectors based
 on the sector number. This makes it vulnerable to chosen plaintext attacks
 which can reveal the existence of encrypted data.
-@item The user passphrase is directly used as the encryption key. A poorly
+@item
+The user passphrase is directly used as the encryption key. A poorly
 chosen or short passphrase will compromise the security of the encryption.
-@item In the event of the passphrase being compromised there is no way to
+@item
+In the event of the passphrase being compromised there is no way to
 change the passphrase to protect data in any qcow images. The files must
 be cloned, using a different encryption passphrase in the new file. The
 original file must then be securely erased using a program like shred,
 though even this is ineffective with many modern storage technologies.
+@item
+Initialization vectors used to encrypt sectors are based on the
+guest virtual sector number, instead of the host physical sector. When
+a disk image has multiple internal snapshots this means that data in
+multiple physical sectors is encrypted with the same initialization
+vector. With the CBC mode, this opens the possibility of watermarking
+attacks if the attack can collect multiple sectors encrypted with the
+same IV and some predictable data. Having multiple qcow2 images with
+the same passphrase also exposes this weakness since the passphrase
+is directly used as the key.
 @end itemize

 Use of qcow / qcow2 encryption is thus strongly discouraged. Users are