Encrypted Watermarks and Linux Laptop Security

  • Markku-Juhani O. Saarinen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3325)


The most common way to implement full-disk encryption (as opposed to encrypted file systems) in the GNU/Linux operating system is using the encrypted loop device, known as CryptoLoop. We demonstrate clear weaknesses in the current CBC-based implementation of CryptoLoop, perhaps the most surprising being a very simple attack which allows specially watermarked files to be identified on an encrypted hard disk without knowledge of the secret encryption key.

We take a look into the practical problems of securely booting, authenticating, and keying full-disk encryption. We propose simple improvements to the current CryptoLoop implementation based on the notions of tweakable encryption algorithms and enciphering modes. We also discuss sector-level authentication codes.

The new methods have been implemented as a set of patches to the Linux Kernel series 2.6 and the relevant system tools.


Hard Disk Block Cipher Advance Encryption Standard Fast Software Encryption Pseudorandom Permutation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Specification for the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197 (2001)Google Scholar
  2. 2.
    Anderson, R., Biham, E.: Two Practical and Provably Secure Block Ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996)Google Scholar
  3. 3.
    Arbaugh, W.A., Farber, D.J., Smith, J.M.: A Secure and Reliable Bootstrap Architecture. In: Proc. 1997 IEEE Symposium on Security and Privacy, pp. 65–72. ACM Press, New York (1997)Google Scholar
  4. 4.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  5. 5.
    Blaze, M.: A Cryptographic File System for Unix. In: Proc. First ACM Conference on Computer and Communications Security, Fairfax, VA (1993)Google Scholar
  6. 6.
    Card, R., Ts’o, T., Tweedie, S.: Design and implementation of the Second Extended Filesystem. In: Brokken, F.B., et al. (eds.) Proc. of the First Dutch International Symposium on Linux, Amsterdam (December 1994)Google Scholar
  7. 7.
    Cattaneo, G., Catuogno, L., Del Sorbo, A., Persiano, P.: The Design and Implementation of a Transparent Cryptographic File System for UNIX. In: USENIX Annual Technical Conference 2001, Freenix Track (2001)Google Scholar
  8. 8.
    Crowley, P.: Mercy: A Fast Large Block Cipher for Disk Sector Encryption. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 49–63. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Department of Defense. Industrial Security Manual for Safeguarding Classified Information, Department of Defense Manual, DoD 5220.22-M (June 1987)Google Scholar
  10. 10.
    Etienne, J.: Vulnerability in encrypted loop device for Linux (2002), Manuscript available from
  11. 11.
    Fluhrer, S.R.: Cryptanalysis of theMercy Block Cipher. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 28–36. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Gutmann, P.C.: SFS Version Documentation,
  13. 13.
    Halevi, S., Rogaway, P.: A Tweakable Enciphering Mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Halevi, S., Rogaway, P.: A Parallelizable Enciphering Mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Itoi, N., Arbaugh, W.A., Pollack, S.J., Reeves, D.M.: Personal Secure Booting. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 130–144. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Jetico Inc. BestCrypt for Linux v.1.5.1 with Linux 2.6 support (2004), available from
  17. 17.
    Kaliski, B.S., Robshaw, M.J.B.: Fast Block Cipher Proposal. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 33–40. Springer, Heidelberg (1994)Google Scholar
  18. 18.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable Block Ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  19. 19.
    Luby, M., Rackoff, C.: How to construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. of Computation 17(2) (April 1988)Google Scholar
  20. 20.
    Rivest, R.L.: All-Or-Nothing Encryption and The Package Transform. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 210–218. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  21. 21.
    Saarinen, M.-J.O.: Cryptanalysis of block ciphers based on SHA-1 and MD5. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 36–44. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. 22.
    Saarinen, M.-J.O.: Herring: A Tweakable Block Cipher for Sector level Encryption. Manuscript (2004) (to be submitted for publication) Google Scholar
  23. 23.
    Ruusu, J.: Loop-AES Source and Documentation,

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Markku-Juhani O. Saarinen
    • 1
  1. 1.Laboratory for Theoretical Computer ScienceHelsinki University of TechnologyFinland

Personalised recommendations