Encrypted Images Vulnerable To New Attack

rifles only writes "A German techie has found a remarkably simple way to discern some of the content of encrypted volumes containing images. The encrypted images don't reveal themselves totally, but in many cases do let an attacker see the outline of a high-contrast image. The attack works regardless of the encryption algorithm used (the widely-used AES for instance), and affects all utilities that use single symmetric keys. More significant to police around the world struggling with criminal and terrorist use of encryption, the attack also breaks the ability of users to 'hide' separate encrypted volumes inside already encrypted volumes, whose existence can now for the first time be revealed." The discoverer of this attack works for a company making full-disk encryption software; their product, TurboCrypt, has already been enhanced to defeat the attack. Other on-the-fly encryption products will probably be similarly enhanced, as the discoverer asserts: "To our knowledge is the described method free of patents and the author can confirm that he hasn't applied for protection."

aw4jthpa

naivjdae4ovhnrBuAbrf!AbjLbhPnaFrrZlPbzzrag!;wfqudnwrenfyihltred

Re:aw4jthpa

[martinw89]

Oh god, thanks for the outline of Goatse.

Jerk.

Re:aw4jthpa

[mrsteveman1]

You didn't look close enough, there was a hidden volume inside!

Re:aw4jthpa

[JCSoRocks]

I thought only the TSA searched for volumes hidden there.

Confusing

[Rui+del-Negro]

Is it just me or does anyone else get the feeling that the original story confuses two completely different concepts (digital photos and drive images)?

Re:Confusing

[mikesd81]

In fact I had to read the fine article (I know, unheard of) to figure it out. Maybe that's the new thing to get us to RTFA. Use even more confusing summaries?

Re:Confusing

[mikesd81]

In fact I had to read the fine article (I know, unheard of) to figure it out. Maybe that's the new thing to get us to RTFA. Use even more confusing summaries?

So..I stated I read the article...what's your point?

Re:Confusing

Can you tell us what you figured out so we can RYFC instead of TFA?

Re:Confusing

[DrVomact]

As far as I can tell, the article asserts that the "hack" can reveal two types of information about encrypted volumes:

1. It can make some "low entropy" images (images in the sense of "pictures") visible. I'm not sure what they mean by "low entropy", but I infer that by "pictures taken at night with large areas of high contrast", the writer meant high-contrast images low on detail, but not images that are all black, which, I suppose, would have the lowest "entropy" of all.
2. The fact that a hidden encrypted disk image exists inside an outer "shell" disk image that is also encrypted can be revealed. The article does not say that the contents of the hidden disk image are revealed—only the fact of its existence.

The technique in question appears to require comparing two copies of the same encrypted disk image, where changes have been made to the newer disk image.

I think. Sometimes, IAWOTTRTFA (it's a waste of time to read the fricking article).

Watermark?

[Lord+Byron+II]

How is this different from the well-known watermarking attack? Doesn't the fact that most encryption systems now use the block number as a salt render this attack useless?

Re:Watermark?

[profplump]

Or CBC mode? Or any of a dozen other ways to prevent this well-known attack on ECB mode encryption? http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Yes. And apparently TurboCrypt now supports such things too, hence the press release.

Re:Watermark?

[mikenap]

The cause is similar to the watermarking attack, but the idea is used backwards. The watermarking attack reveals the presence of maliciously constructed decoy plaintext encrypted by the user, whereas this attack reveals information about the change in an unknown plaintext.

In both attacks the issue is that the salt, as you call it, is constant for a given disk block. If that salt can be predicted, a decoy plaintext can be revealed in the ciphertext. If data is changed while using the same salt, sections of identical plaintext before and after the change can be identified.

Re:Watermark?

[Goaway]

How would you use CBC on a disk image that requires fast random access?

Here's what you should have been reading on Wikipedia: http://en.wikipedia.org/wiki/Disk_encryption_theory

Re:Watermark?

[mikenap]

The problem is many CBC and other disk-encryption modes used an IV based on the disk sector number. So when that sector changes, the changes continue to be encrypted with the same IV and key.

Re:Watermark?

[mikenap]

By breaking the disk up into sectors, each of which start a new chain. The problem is an IV is used to "start" the CBC chain, and this IV is static as the underlying plaintext changes. So new changes on the same point of the HD get encrypted with the same IV.

Re:Watermark?

[phantomcircuit]

By using a counter, it provides random access, stops this class of attacks, and is easy to implement.

wiki

Re:Watermark?

[Goaway]

...and isn't CBC.

Re:Watermark?

[Goaway]

There are better methods. Some are mentioned in the article I linked!

Re:Watermark?

[profplump]

Apparently you missed the part about "or any of a dozen other ways", or the grandparent's comment "use the block number as a salt"?

Also, it's not impossible to use CBC in random-access mode, it's just inefficient -- but if you read the preceding block you have all the necessary data. You'd have a lot of re-writing to do when you made changes, but it could certainly be done without any algorithm tweak or special treatment.

And if *you* bothered to read the page you linked to, you'd see that people actually *do* use CBC methods:
http://en.wikipedia.org/wiki/Disk_encryption_theory#CBC-based_approaches

Re:Watermark?

[Ronin+Developer]

Exactly. Use of ECB mode is pointless. All ECB mode does is change one block value to another since they are encrypted the exact same way. Thus, two similar blocks will have exactly the same output.

  If you're using AES and you supposedly know what you're doing, you use CBC or CFC or another chaining mode. These feed the results of the previous encryption operation rendering the type of attack discussed in the article moot.

I can't believe they gave them any press time on this. Argh!

Re:Watermark?

[kasperd]

By using a counter, it provides random access, stops this class of attacks, and is easy to implement.

Counter mode is one of the least secure ways to encrypt a disk. Counter mode generates a pseudo random one time pad, which in itself is secure if the pseudo random number generator is secure. However when used for disk encryption, the one time pad is reused whenever you overwrite a sector. Reusing a one time pad is not secure.

Re:Watermark?

[kasperd]

The problem is an IV is used to "start" the CBC chain, and this IV is static as the underlying plaintext changes. So new changes on the same point of the HD get encrypted with the same IV.

It actually makes me happy to see that some people are starting to get the point. I have been pointing out these weaknesses for years.

Some of them are actually even worse. If the IV is just the sector number, then the difference between two neighbor sectors is known, and you can construct a file that will cancel out that difference and the two sectors get the same cipher text. I constructed a file some years ago, that demonstrated the problem. At that time Truecrypt was vulnerable to this attack. Truecrypt did apply some whitening after the encryption, but that didn't really make the pattern much worse. Put the file I mentioned on a Truecrypt volume encrypted in CBC mode, and somewhere in the encrypted image there will be two neighbor sectors that can be XORed together and will cancel out all the data leaving only the whitening pattern, which is easily recognizable because it repeats over many times through the sector.

Encrypting the IV is better, but still vulnerable to the problem you describe. In fact the problem you describe applies one way or another to almost every single disk encryption in existence. All the encryptions need some nonce or randomness, and since it doesn't fit in the sector, they cut a corner and use the sector number, which doesn't change when the sector is overwritten. (I have seen one that used extra space by mapping 32 logical sectors to 33 physical sectors, but that encryption had other problems including a weak pseudo random number generator, and potential data loss caused by the need to update two sectors which isn't done atomically).

Recent Truecrypt versions are no longer vulnerable to the attack I described above. They now use tweakable block ciphers. But just like CBC needs a unique IV for each time you encrypt, tweakable block ciphers need a unique tweak. Truecrypt use the sector number for tweak, so if a sector is overwritten, you have the same problem again. In fact it is even worse because there is no longer any chaining, just a tweak for each 16 byte block, which means changing a byte in a sector would keep changes in the cipher text within the 16 byte block. I didn't verify this in practice, I just read the specification. I mentioned this problem to the authors a long time ago, but they didn't consider it a problem.

Re:Watermark?

[hairyfeet]

I have a couple of questions,seeing as it seems you know more about this stuff than I do(I admit I haven't gotten very deep at all with crypto.Simply not enough hours in the day) and after reading TFA a couple of things are unclear to me.

One,quoting TFA " if the police have access to two backup volumes created with a single key, one of which has changed over time, Roellgen's technique can be used to compute that such a volume must exist within the primary volume. Although police cannot decipher the data, they can at least know that it is being hidden." Which sounds to me like they need a backup image of the encrypted volume that hasn't been kept up to date. Would you still be vulnerable to this attack if you didn't have a backup or just used RAID?

Two,it also mentions in TFA that this works because images have low entropy. Since nearly every Operating System out there can treat Zip files as folders would simply keeping all image files in a zipped folder be enough to screw this up?

And I apologize if these turn out to be stupid questions. But I'm just learning when it comes to encryption and it is hard to just jump in and get up to speed on such a complex subject. Oh and thanks for your time and I hope you had a great weekend!

Re:Watermark?

[narcberry]

It's not news. This is an advertisement.

Re:Watermark?

[DamnStupidElf]

Recent Truecrypt versions are no longer vulnerable to the attack I described above. They now use tweakable block ciphers. But just like CBC needs a unique IV for each time you encrypt, tweakable block ciphers need a unique tweak. Truecrypt use the sector number for tweak, so if a sector is overwritten, you have the same problem again. In fact it is even worse because there is no longer any chaining, just a tweak for each 16 byte block, which means changing a byte in a sector would keep changes in the cipher text within the 16 byte block. I didn't verify this in practice, I just read the specification. I mentioned this problem to the authors a long time ago, but they didn't consider it a problem.

LRW should fall to the bitmap attack presented in the article, so long as the bitmap is overwritten in place between ciphertexts. Any other weakness in LRW using the same key is minimized unless you are filling your disk with 127th degree polynomials in GF(2) represented as 128-bit vectors, that happen to differ from each other by n*k in GF(2) where n is the sector number they're stored in and k is the LRW tweak key. Most people don't do that. The probability of doing so with normal use is roughly the probability of accidentally guessing the tweak key.

The only real solution for the bitmap problem is modification of the file system to contain secure IVs for each block on the disk. Reusing IVs has *always* been shown to be a bad idea. It's broken more thought-to-be-secure schemes than I can count.

As an aside, once I actually found two files from a Slackware distribution that were detectable inside a truecrypt volume. One problem truecrypt had back then was that they were using 512 byte CBC blocks, while most file systems used larger blocks, so it was trivial to insert a file that would guarantee that the resulting ciphertext would be vulnerable to detection by starting at an even sector boundary and having just simple bit differences. I am guessing that in both cases the files being detected were executables with a large dynamic link section, since that would contain a whole lot of simple offsets that could match up with the sector IV vulnerability.

Re:Watermark?

[Fweeky]

I have seen one that used extra space by mapping 32 logical sectors to 33 physical sectors, but that encryption had other problems including a weak pseudo random number generator, and potential data loss caused by the need to update two sectors which isn't done atomically

That would be GBDE. Shouldn't it be relatively easy to replace the PRNG?

Re:Watermark?

[kasperd]

That would be GBDE.

Correct.

Shouldn't it be relatively easy to replace the PRNG?

Depends on whether you are worried about breaking compatibility. There is nothing you can do for existing encrypted volumes. If you want to improve security for your existing volumes, a complete reencryption of the volume is needed. If you want to protect new volumes while remaining compatible with the existing implementation, a small change to the way the master key is generated would help. There is a 256 byte lookup table, in which having two identical bytes is a weakness. The table is generated randomly, which means master keys vary in quality. The best master keys are those were all 256 bytes are different, but the chance of that happening at random is negligible. If the key was instead generated by taking an array containing all the values from 0 to 255 and permuting those randomly, you would always get keys that are resistant to the known attack.

If you don't need compatibility with the existing code, you can do even better. The PRNG makes use of MD5. Before anybody starts talking about MD5 being broken, keep in mind that the known attacks against MD5 do not apply to the way GBDE use it. The input that GBDE passes to MD5 is 24 bytes, which have 128 bits of entropy (with the best keys). Obviously the output will have no more than 128 bits of entropy, but it could have less. Though the input is just 24 bytes, MD5 is going to add a length field and pad the result to a multiple of 64 bytes. So you could actually double or triple the key size and pay no extra cost in performance on the MD5 operation.

Since three byte quantities are difficult to work with, I'd only suggest to change the lookup table from having 256 8-bit values to having 256 16-bit values. The risk of having two identical values if you pick them randomly, is reduced significantly. But still generating it in a way that guarantees it is still better. This would produce a 40 byte input to MD5. If you wanted to make use of the full MD5 block size, you could append another random key to the 40 bytes such that you would make the input as large as what would fit in a single MD5 block. Doing all of this would increase the key size from 272 bytes (16+256) to 584 bytes (56+16+512), and would not spend any additional time on the cryptographic operations in the critical paths.

You could also ditch the PRNG altogether and use a standard PRNG. But that would mean a significant performance hit, so you'd have to reduce the size of the master key. So I am not sure that would really make it any stronger than fixing the known vulnerabilities in the current PRNG.

As for the potential data loss goes, I suppose you could live with it and just make sure to have a good backup strategy. When doing that of course you have to keep in mind that you shouldn't make backups by copying the encrypted container. The correct way would be to copy the files from the encrypted container to a different encrypted container. Or you could copy the files to an encrypted archive that does not support random access, like tar + gpg. Or you could back up your container by creating an encrypted copy of the container. If you use asymmetric keys, you could create a gpg encrypted copy of the encrypted container even while it is not mounted.

Problem is that the only way to detect that corruption has happened is by trying to open the files with applications understanding the format, and see them barf. However fixing the potential corruption is tricky. If I find a good solution, I am probably going to write my own storage encryption layer some day.

Re:Watermark?

[kasperd]

The only real solution for the bitmap problem is modification of the file system to contain secure IVs for each block on the disk.

Since the encryption is done at the block device layer, it shouldn't be part of the file system but rather a part of the encryption layer. Except from that detail, I agree with you. However doing it is tricky. When you take a logical sector with 512 bytes of data and put it together with a small IV, it no longer fits in a 512 bytes sector. So you have to come up with a layout on disk that is efficient. And then you have the problem of updating it. Because you cannot write two sectors to disk atomically (with some disks you can't even write one). So you end up having the potential of data loss if an update does not complete because of a power failure. And the data loss is not guaranteed to affect only the logical sector you were writing at the time. I am still thinking about the problem. A raid layer have some similar problems, and I have been considering whether merging those two layers would help solving this problem. A can see a few other advantages you could get from merging a raid layer with an encryption layer.

Reusing IVs has *always* been shown to be a bad idea. It's broken more thought-to-be-secure schemes than I can count.

Indeed. And the damage depends on the kind of encryption used. CBC is actually dealing pretty well with reused IVs compared to other encryptions. RC4 and counter mode are two examples where reusing IVs is so bad that you might as well not be encrypting at all.

As an aside, once I actually found two files from a Slackware distribution that were detectable inside a truecrypt volume.

Interesting. Though the patterns are simple, I wouldn't have thought they would show up unless they were carefully constructed.

One problem truecrypt had back then was that they were using 512 byte CBC blocks, while most file systems used larger blocks, so it was trivial to insert a file that would guarantee that the resulting ciphertext would be vulnerable to detection by starting at an even sector boundary and having just simple bit differences.

That's the vulnerability I was referring to. And this is what is demonstrated by the file I linked to. It requires just one or two bits of difference between neighbor sectors depending on which parameters you used to set up the volume. My file contains just a lot of variants of that to cover different byte orderings so as to demonstrate the weakness not just in truecrypt, but also in some early Linux loopback encryptions.

The fact that a file system block consists of multiple disk sectors just makes the exploit slightly more reliable. Even if the sizes were the same, the file system would still try to put consecutive blocks from your file right next to each other on disk. (If it didn't do that, performance would go down by orders of magnitude).

Re:Watermark?

[Fweeky]

You could also ditch the PRNG altogether and use a standard PRNG. But that would mean a significant performance hit

How much random data does it need? An amount equal to what's being written? I guess that would be quite nasty; Yarrow can just about pump out 50MB/s given a couple of GHz of Opteron.

Problem is that the only way to detect that corruption has happened is by trying to open the files with applications understanding the format, and see them barf. However fixing the potential corruption is tricky. If I find a good solution, I am probably going to write my own storage encryption layer some day.

You could put ZFS on top of it, scrub would then pick it up. Backing the disk with multiple crypted volumes would get you redundancy. You could use block level journaling (gjournal) to help avoid partial writes, though with ZFS and ZIL that would probably be unnecessary.

GELI also supports using cryptographic hashes for authenticating data.. but of course this just means you get IO errors instead of mangled data, and it takes quite a lot of space.

Re:Watermark?

[networkBoy]

simply using zips would obfuscate this, yes, since compression works by removing redundancy (thus increasing entropy).

As to backups out of date,
All you need is the previous backup and the current encrypted volume. Since most people do not back up after every file change, there is your required delta.

There are three easy solutions:
*backup to a separate encrypted volume with unique encryption keys.
*use entropy increasers in your encrypted volume (zip, rar, etc.)
*don't backup your encrypted volumes.

Re:Watermark?

[kasperd]

How much random data does it need? An amount equal to what's being written?

No, it doesn't need nearly that much. For each sector written it needs 16 bytes or randomness from the system random number generator as well as 16 bytes from its own PRNG. So that amounts to just 1/16th of the size of the data. For reading it need to generate the same 16 bytes using its own PRNG before it can decrypt the data. I am pretty sure it is not the PRNG that is going to be the bottleneck but rather the AES encryptions. (If you have hardware to do AES but not to do the random numbers, then it might be different).

As for your suggestions on how to fix the nonatomicity, I don't know the solutions you suggest well enough to say whether they will work. But they sound like plausible solutions.

Re:Watermark?

[tuomoks]

@kasperd, good replies! I enjoy reading them.

I used to work with hardware designers, mostly just for performance and reliability but also some on controller level en/decryption - part of performance issue simulation and modeling. I don't know the current development but at that time they had controllers talking to each other - mirroring, who had what, what was already on disk or still in buffers, whatever. Coming back from a power failure and resynchronizing, blah, blah. And of course keeping the OS's (on two separate systems!) up to date.

Anyway, at that time if the sectors did go to the same track they were streamed, not written separately - sometimes more than what belonged to one write, controllers optimized / reordered the writes writes and reads. Actually some OSs / I/O subsystems do that already on channel program level. The reason you can sometimes see amazing throughput. If the next sector didn't fit to that track then of course there was a delay even with more than one arm - well, maybe, sometimes!

Back to the topic, you are right - any entropy makes it easier, not easy but easier, to decrypt, interpret, decipher, translate or just to find patterns and/or statistics - it is just math when talking about computers or something else, behavior, chemical bounding, whatever when talking about nature.

Re:Watermark?

[DamnStupidElf]

Since the encryption is done at the block device layer, it shouldn't be part of the file system but rather a part of the encryption layer. Except from that detail, I agree with you. However doing it is tricky. When you take a logical sector with 512 bytes of data and put it together with a small IV, it no longer fits in a 512 bytes sector. So you have to come up with a layout on disk that is efficient. And then you have the problem of updating it. Because you cannot write two sectors to disk atomically (with some disks you can't even write one). So you end up having the potential of data loss if an update does not complete because of a power failure. And the data loss is not guaranteed to affect only the logical sector you were writing at the time. I am still thinking about the problem. A raid layer have some similar problems, and I have been considering whether merging those two layers would help solving this problem. A can see a few other advantages you could get from merging a raid layer with an encryption layer.

Basically the IV's themselves would require a journal. To make the file system trusted as well as private, an HMAC for each block should be stored next to its IV, and this helps significantly with a journalling scheme. Reserve enough of the first sectors of the underlying device to store an IV and HMAC for each block, and some more sectors for the journal. I don't have much experience with actual file system journalling, but it seems to be like the simplest scheme is a full block for a header (so that it's an entire sector) with the block number, an HMAC of the journaled IV+HMAC block, and then followed by a complete IV+HMAC block in the next adjacent block. The best part of the scheme is that it's readily apparent whether a given journal block should be applied to the IV+HMAC sectors; just compare every block that the IV+HMAC is for and see if it properly decrypts and validates the block. If it does, write it to the main IV+HMAC location. If not, compare the original IV+HMAC for those blocks and merge them together to recover as much data as possible, write this new block to the journal, and then into the main IV+HMAC area.

Basically, if a device is composed of N blocks of size B, and you're using I-byte IVs and H-byte HMACS, you need N*(B/(I+H)) blocks for the IV+HMAC area at the start of the disk, and the individual IV+HMAC for a block C is stored at byte offset C*(I+H) in that area. Pretty simple mapping, and the journal would just store whole blocks from that area when an update needed to be made. The journaled block would be written first, and then the encrypted block, and finally an update to the main IV+HMAC storage area. That would ensure the most recoverable possibility in the case of data loss at any point. Obviously a write to an encrypted block that fails half way through is completely lost, but that's a problem for the file system at a higher layer to deal with, since that happens with physical devices as well. The journal could just be a simple FIFO written in ascending order and then repeating from the beginning while ensuring that any additions to the journal are actually flushed to the main IV+HMAC area at some point before it's overwritten. The entire journal would be examined every time the file system was mounted to see if anything needed to be replayed or recovered. Since disks don't always order writes properly, it would be good to always check both the normal location for an IV+HMAC as well as what's in the journal for any given block, because the journal may actually be more stale than the normal location.

I've been working on developing a file system based on hash trees as well, which is a pretty similar concept and could support encryption pretty cheaply as an addition of IVs to the entries in the hash tree. There's some advantages to having a disk layout like I described for storing the hash tree, because storing indexes to block locations is not necessary if the hash for any given block is always at a given offset on the disk, with a jour

Re:Watermark?

[kasperd]

You clearly have some good ideas there. To protect against certain active attacks against encrypted devices, you would actually need a hash tree and a signature or MAC of the root of the tree. I know that ZFS already has some of it. And I agree that some of the integrity it provides is useful for the raid layer as well. And yes, journaling is one way to handle the atomicity issues. It applies to file systems as well as an encryption that does use the extra space. I am not entirely sure what the right kind of layering is. On one hand I feel that integrating all the layers with encryption, raid, journaling, and file system, could end up being a bad spaghetti. On the other hand. I can see what advantages it gives. As for the on disk layout, I don't think an area at the start of the disk for IVs and MACs is the way to go. I think you would get better performance by putting that data in single sectors spread across the disk. One such sector for every n physical sectors on disk, where it would be related to the sectors just before or after.

Compressed images

[Lord+Lode]

Does this also count for compressed images like PNG and JPG? After all those aren't bitmaps anymore - and removing redundancy by compression is always a good idea for encrypting afaik.

Re:Compressed images

[cjonslashdot]

I had the same thought. From the description it sounds like the attack is based on the existence of regularity (low entropy) in the file. Any technique such as compression that increases the entropy should defeat the attack as it is described. Since most images today are compressed, it would seem that the attack would have no practical impact. But perhaps it works differently than explained.

Re:Compressed images

[mrbah]

Anything that's gone through run-length encoding is going to have very high entropy, so JPG and PNG images are safe.

Re:Compressed images

[mikesd81]

See this quote with this article.

Re:Compressed images

[mikesd81]

Eh. Wrong quote, right article.

Re:Compressed images

[Goaway]

Run-length encoding doesn't give you all that high entropy, and neither JPG nor PNG uses it.

Re:Compressed images

[perlchild]

I was actually thinking the compression headers and other well-known features of such formats would be used as cribs for decryption...

Re:Compressed images

[azgard]

LZ77 is not run-length encoding. Run-length encoding only encodes repeated sequences of same letters, while LZ77 encodes repeated sequences as pointers to the previous instance of the same sequence.

Re:Compressed images

[Goaway]

Lempel-Ziv is not runlength encoding.

Re:Compressed images

[jbengt]

IIRC, jpeg uses run-length encoding (at least to a limited extent). It avoids individually storing all those 0's arising when the quantization throws out unimportant high frequencies.

Re:Compressed images

[Lord+Lode]

Ok you're right - well, it depends on when you call it runlength encoding :)

Re:Compressed images

[Goaway]

Oh, right, it does. But it certainly doesn't account for all of the entropy increase.

Only works on uncompressed bitmaps

[mrbah]

The article points out that this attack only works with uncompressed bitmaps with extremely low entropy. This is hardly a cause for alarm.

Re:Only works on uncompressed bitmaps

[clarkkent09]

Whew, thanks for pointing that out. Most of my encrypted porn is jpgs

Re:Only works on uncompressed bitmaps

[Artraze]

Indeed. However, it is still very interesting news. This demonstrates an attack against encryption without actual decryption. While perhaps not exactly a first, the fact that it is exploitable under real world circumstances* makes it quite important. Indeed, this may be the first nail in the coffin of simple block cyphers.

*While most people don't store uncompressed bitmaps, I have to imagine that camera RAW files wouldn't be too uncommon, and the attack may be adaptable to include those (they usually use RLE though, IIRC).

Re:Only works on uncompressed bitmaps

[Naughty+Bob]

Most of my encrypted porn is jpgs

Why would you need to encrypt your porn... unless....

Dude! Won't anybody stop you thinking about the children?

Re:Only works on uncompressed bitmaps

[strstrep]

The attack shown works on an image with a bit depth of 2. Camera RAW files have much higher bit depth, and unless you're saturating the whole sensor, I would imagine the image does not contain significantly large values of the same exact pixel value.

Re:Only works on uncompressed bitmaps

To expand on your point:

What they are doing (although they don't put it like this) is searching for blocks in the compressed data whose pre-image is all zeroes (i.e. a large patch of white in the original image). For this to produce anything useful the image must be huge (so that a single scanline spans several blocks) and must contain large of areas of pure white.

In other words, their technique only reveals enormous, low colour-depth, uncompressed images. Do such images actually exist in real life?

Re:Only works on uncompressed bitmaps

[vlm]

In other words, their technique only reveals enormous, low colour-depth, uncompressed images. Do such images actually exist in real life?

Yes tactical military maps

Re:Only works on uncompressed bitmaps

[ColdWetDog]

In other words, their technique only reveals enormous, low colour-depth, uncompressed images. Do such images actually exist in real life?

ASCII Porn?

Re:Only works on uncompressed bitmaps

[caluml]

Like this, you mean? (Couldn't remember the link to that nuyd place, so hot linked - sorry :( )

Re:Only works on uncompressed bitmaps

[RiotingPacifist]

The attack doesnt work on text mediums because of the high level of entropy, once again ascii porn has saved the day. the other time

Re:Only works on uncompressed bitmaps

[tyler_larson]

The article uses images encrypted with in ECB mode (a well-known insecurity) as a visual analogy to the backup-file problem.

The backup-file problem is that when you have two volumes encrypted with the same key (not the same password, the same internal encryption key), the difference between those two volumes can reveal some information about the encrypted data. Perhaps all you can determine is what parts of the volume have changed, but that's more than nothing, and therefore unacceptable.

The is a "backup-file" problem because you NEVER have two volumes encrypted with the same internal key unless one starts out as a "backup" copy of the other.

The product mentioned in the article "fixes" this problem by providing an explicit "backup" function. This function creates a new volume containing the same data as the original, but which is encrypted using a different internal key. The hope is that because such an option exists, users will be dissuaded from simply storing bit-for-bit backups of their encrypted volume.

Nothing about this is ground-breaking or even novel, but the concepts at play are important for consumers of encryption products, so the attention is worthwhile.

Re:Only works on uncompressed bitmaps

[Profane+MuthaFucka]

If you die, someone's going to go through your computer and discover how naughty you were. This is inconvenient, because it's hard to make the point that your porn collection is no worse than typical if you're dead.

Heaven won't be quite as much fun if you look down on your wife going through your special folder. She'll kick your ass when she gets up there.

Re:Only works on uncompressed bitmaps

[Chatterton]

Except nightsky picture who are mostly black... But why encrypt these ? :D

Re:Only works on uncompressed bitmaps

[HTH+NE1]

Except nightsky picture who are mostly black... But why encrypt these ? :D

They can reveal the time and location you took your naked-girls-on-trampolines-at-night fetish porn.

Based on comparison of two versions of the volume

It was always risky to have two versions of a block-structured file encrypted with the same key. You can see the changes. That may tell an attacker things about the encrypted data (filesystem, size of files, etc.) If you backup encrypted volumes, either put them in another container or decrypt the files and store them in another container with a different key. Never keep different volumes with the same key. The attack is of significance for law enforcement, which may be able to enter the premises of a suspect and get copies of an encrypted volume at two different points in time. (A hint for Truecrypt users: Changing the passphrase does not change the key.)

What about crypto modes? Never heard of CBC, CTR?

[boldi]

I just scanned these articles, but just from the fact I don't see a single occasion to talk about crypto modes, such as ECB,CBC,OFB,CFB,CTR etc., I'm unhappy.

20+ years old knowledge, probably badly designed software, some special attack against very bad design, and then a panic-like hype against encryption.

So please, tell the newspaper writers to learn somewhat about security and only after that start to write hype-like articles..
Sad.

Re:What about crypto modes? Never heard of CBC, CT

[exscape]

Yes, I didn't get this as well. I'm by no meant an encryption pro, but I've at least implemented CBC and CFB modes, and I don't quite see how they could find outlines in a CFB encrypted image (for example!). I mean come on, the wikipedia article has for a long time had an ECB (the "worst" mode) encrypted image in the article about block cipher modes: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29

It seems

[mikesd81]

this attack only works on volumes containing bitmap files. From the article:

The problem is that bitmaps often display low levels of entropy, such as would be the case in pictures taken at night with large areas of high contrast. Roellgen's attack is based on comparing two volumes encrypted into scrambled ciphertext using the same symmetric or 'static' key, where the original subsequently has new files added. This yields a pattern of structured similarities and differences that can be used to reveal some of the original information in plaintext form.

The attack doesn't work for other types of data, for instance text files, because the entropy levels are too high. But it is believed to effect almost any encryption program currently on sale as long as the two volumes being compared use the same encryption key whilst being slightly different from one another.

The summary title and summary write up are a little ambiguous.

no IV and thus ECB-mode is probably the problem

[ion++]

The problem is most likely that they use ECB-mode and no IV. Using a different mode, like CBC might solve the problem. The problems with ECB are well known, even wikipedia has an entry about this problem http://en.wikipedia.org/wiki/Cipher_mode

Re:no IV and thus ECB-mode is probably the problem

[Goaway]

Once again, CBC doesn't work on disk images that need fast random access.

http://en.wikipedia.org/wiki/Disk_encryption_theory

Re:no IV and thus ECB-mode is probably the problem

[mikenap]

As I replied before:

It does work by breaking the disk up into sectors, each of which starts a new chain. The problem is an IV is used to "start" the CBC chain, and this IV is static as the underlying plaintext changes. So new changes on the same point of the HD get encrypted with the same IV.

Re:no IV and thus ECB-mode is probably the problem

[Free+the+Cowards]

Yup. "Everyone knows" that reusing the same key/IV on more than one piece of data means that you're screwed. The Soviets learned this lesson in a painful manner on what were supposed to be one-time pads during WWII. If these programs are really re-using the same key and IV for different revisions of the data, then they are horribly broken and this is just the barest beginning of how.

The bad news is that this would seem to indicate that a fair amount of full-disk encryption software is absolutely, horribly broken and cannot be trusted in any way. The good news is that this break is nothing particularly interesting in and of itself, and that it will do nothing against a competently designed product.

Re:no IV and thus ECB-mode is probably the problem

[Free+the+Cowards]

Oh, and if you follow the link from the article you'll find that this attack is being published by the makers of TurboCrypt, which was incompetently designed and thus vulnerable to this attack, but has now been fixed. The makers of this app (which you should probably stay away from, if they made such an elementary mistake then who knows what other problems it has) are essentially hyping this fairly inconsequential discovery in order to sell their product.

In conclusion: lame.

Re:no IV and thus ECB-mode is probably the problem

[profplump]

Once again, the very article you link to describes how it does:
http://en.wikipedia.org/wiki/Disk_encryption_theory#CBC-based_approaches

Not new

[TheLink]

It's not new, it's old stuff.

As long as you backup the entire drive image - they will know that you made changes. Salt does not render this attack useless.

This is why you do not backup images of encrypted drives (or reencrypt changed documents with the same key - this is normally not a problem for decent file crypto).

If you are going to backup data that's on an encrypted drive, you copy the files and reencrypt them to your backup media.

Re:Not new

[mysidia]

If you are going to backup data that's on an encrypted drive, you copy the files and reencrypt them to your backup media.

If you're concerned about security, you have two drives.

Periodically, you rebuild the encrypted container on the spare drive, begin encryption anew on the new drive with a brand new key.

Overwrite the old drive's encrypted container with random data.

This assures you periodically change your encryption keys, so if someone guessed or discovered your old key, it will be rendered useless next time you cycle your media, rebuilding the filesystem inside a new encrypted volume with a new key.

Re:Not new

[Creepy+Crawler]

And make sure to disable firewire IF you think the feds (or other high-tech snoops) are around.

Firewire is a hole in RAM and can access anything. One could create a hole in RAM and have console auto-log you in. There's even a python-firewire auto-hacker for Windows machines. Got a server with firewire? It's as easy as 1,2,3.

Not Cool.

Re:Not new

[mysidia]

Best to use Linux and manually choose all modules; disable automatic probing for new hardware, and USB also.

Possibly run a script when you step away from the computer to shutdown everything except keyboard and video.

Who knows what bugs may be found in other hardware or drivers...

On second thought... best to put PC in a metal lockbox with hidden toggle switches that will cause the PC to automatically reboot if the cabinet is opened, moved, or cut into with any tool, to prevent any hardware manipulation.

On third thought... better to reboot whenever you walk away, and make sure there is a RAM scrubber during the boot process. Never know when someone might try to eject a RAM stick and read your encryption keys off of it.

Perhaps have your screen saver timer set to auto-reboot on idle.

Either that or close all files on the secure volume and scrub all encryption keys from memory after an idle timeout.

Re:Not new

[Creepy+Crawler]

The firewire disable is just stopping the low-hanging fruit.

You wouldnt leave telnet enabled, unfirewalled on the internet, would you? Same thing. And most people I know dont use firewire.

Re:Not new

[HTH+NE1]

On third thought... better to reboot whenever you walk away, and make sure there is a RAM scrubber during the boot process. Never know when someone might try to eject a RAM stick and read your encryption keys off of it.

Wouldn't you want to do that as a shutdown process as well (i.e. before the reboot)?

Re:Not new

[Raenex]

I just run my computer in a hidden dimension only accessible to myself.

TrueCrypt is immune

[PhrostyMcByte]

If I am reading this correctly, they are describing a well known problem with plenty of well known solutions. One such is XTS, which is what TrueCrypt uses.

Old news for TrueCrypt

[martinw89]

Not only is the sensationalist article/summary only pertinent to uncompressed bitmaps, TrueCrypt has warned their users about backing up hidden volumes for a long time (source). In fact, it's the first precaution in how to keep your hidden volume secure.

So people worrying about steganography on TrueCrypt volumes shouldn't, they've been telling you how to keep these volumes secure already.

Re:Old news for TrueCrypt

[ORBAT]

Because telling people not to do something stupid is always effective, right?

Re:Old news for TrueCrypt

[martinw89]

Not always, but it does certainly go against the following from the summary:

...the attack also breaks the ability of users to 'hide' separate encrypted volumes inside already encrypted volumes, whose existence can now for the first time now be revealed.

I wouldn't call something that encryption experts have known about and warned users about for a long time new.

Re:What about crypto modes? Never heard of CBC, CT

[Goaway]

You don't use any of those modes on disk images, because you need fast random access.

http://en.wikipedia.org/wiki/Disk_encryption_theory

Encrypted harddrives not affected

[grahammm]

As this requires at least 2 images with the same key, encrypted 'working' hard drives are not vulnerable unless you make sector level backups. I would imagine that anyone who has illegal images (such as child porn) on their encrypted hard disk would not make backups of such images.

Not New at All

[phantomcircuit]

This is far from a new revelation, they used AES in ECB mode to encrypt the uncompressed bitmap.

As you can see on the wikipedia page for ECB this attack has been known for a while.

Re:What about crypto modes? Never heard of CBC, CT

[Kaptain_Korolev]

Completely agree, I thought the same although I have seen ECB used a lot simply out of ignorance and/or laziness. Something like counter ( CTR ) mode is very very very easy to implement and increases the security immeasurably. Like in most crypto solutions, there is no point having a strong cipher like AES when the protocol you use it within is a pile of plops, such as here.

Re:What about crypto modes? Never heard of CBC, CT

[Fnord666]

I just scanned these articles, but just from the fact I don't see a single occasion to talk about crypto modes, such as ECB,CBC,OFB,CFB,CTR etc., I'm unhappy.

It doesn't? What about the part in TFA that reads:

...This attack requires NO knowledge of the key used for encryption and it applies to ECB Mode (Electronic Codebook), Counter Mode (CM), Galois/Counter Mode (GCM), LRW, XEX, XTS, as well as CBC-based modes of disk encryption applications (OTFE).

Re:What about crypto modes? Never heard of CBC, CT

[Kaptain_Korolev]

Maybe, but surely you could implement a sort of low resolution cipher chaining so that you used the chaining on only a small number of blocks. Enough to cover up any entropy analysis of what you were encrypting. Doing this on a small number of blocks would reduce the computation an add to security... I think* * This isn't my area any more, I've been out of the electronic crypto game for several years.

sounds like FUD

[Bender_]

Ok, so they are able to extract some information from a ciphertext that was created from a low entropy plaintext. It is quite obvious that redundancy in data creates vulnerabilities. This is exactly the reason why any serious encryption software applied data compression (entropy coder) before encrypting.

Actually simply storing images in any format with data compression would completely invalidate this method. (eg. JPG, TIFF, PNG, GIF)

Re:What about crypto modes? Never heard of CBC, CT

[Goaway]

I linked the article that explains what to actually do, you know.

who to blame:

[davidsyes]

Ken Starling!

Re:What about crypto modes? Never heard of CBC, CT

[Kaptain_Korolev]

Ah ha, sorry, must learn to read!

Re:Based on comparison of two versions of the volu

[leuk_he]

Flash media.

Which at the same time makes flash media vulnerable. The wear leveling feature of flash media could cause an old verion of a block to stay on memorychip, making it vulnerable to exactlyy this kind of attacks.

nonsense

[speedtux]

In order to be able to use this attack, the image needs to be completely uncompressed, you need to be using a dumb encryption system, and you need to know where the bits making up the image are stored. In practice, none of those are going to be true.

Re:nonsense

[Jesus_666]

Actually, I found an equally serious security hole that all encryption schemes are succeptible to: The known plaintext attack. If I already know the plaintext I can write a program that produces it, no matter how strongly its encrypted form is. I can even produce the known plaintext without any ciphertext at all!

Re:nonsense

[calmofthestorm]

Shit! *thermites hard drive*

Windows desktop backgrounds

[argent]

In other words, their technique only reveals enormous, low colour-depth, uncompressed images. Do such images actually exist in real life?

Since native windows desktop backgrounds are BMP format images and often mostly one color except for an image on the side or bottom. they would be perfect targets.

I don't know if any of the backdrops in the standard Windows install qualify, but I suspect not.

Why RTFA when you can guess?

[Kaseijin]

The problem is most likely that they use ECB-mode and no IV. Using a different mode, like CBC might solve the problem.

"This attack requires NO knowledge of the key used for encryption and it applies to ECB Mode (Electronic Codebook), Counter Mode (CM), Galois/Counter Mode (GCM), LRW, XEX, XTS, as well as CBC-based modes of disk encryption applications (OTFE)."

NOT the ECB flaw!

[Kaseijin]

Just looking at ECB ciphertext reveals patterns in the plaintext. This attack requires plaintext with known properties to be encrypted with the same key and IV as the text of interest, and it affects many other modes.

IV problem and flash disk

[CustomDesigned]

The problem is the IV for CBC never changes for a given sector - mainly because there is no provision to atomically write both a 512 byte sector and its 48+ bit IV. I *have* read about a disk designed for full disk encryption which provides 520 byte sectors instead of 512 byte sectors. That completely solves the problem.

Some disk encryption uses non-atomic sector writes (store IVs in a separate physical sector). This risks data loss should one get updated but not the other.

I will note that the problem is more easily completely solved for flash media - where it is easier to (atomically) tag sectors with additional data.

Re:IV problem and flash disk

[Noishe]

Or, you simply write down both the old IV and the new IV at the same time, then write the other sector, and you're done. Add a checksum block so you can tell which key is the correct one.

Re:What about crypto modes? Never heard of CBC, CT

[RiotingPacifist]

Erm why do you need fast random access to backups? The weakness is only if there are to images(disk images) containing the same image(bitmap).

Re:What about crypto modes? Never heard of CBC, CT

[RiotingPacifist]

in fairness i stoped reading after i saw

PMC Ciphers demonstrated TurboCrypt's defence against another great weakness of encryption software, Trojan keyloggers

oh right that was the end, but seriously WTF that doesn't make any sense, hardware keyloggers? rootkits?

Re:What about crypto modes? Never heard of CBC, CT

[Goaway]

These aren't backups.

Re:The amount of misconceptions here is appalling

[Kythe]

The point about detecting hidden volumes is certainly a good one, but also obvious and one that has been noted in Truecrypt documentation and elsewhere for a long time now.

That's one reason why I prefer to use hidden volumes with read-only media (e.g. full-volume CD-ROMS).

RLE in images

[DrYak]

Plain JPEG uses runlength and huffman encoding on the quantized matrix obtained after DCT.
This is relatively efficient because there are a lot of long string of repeats in the matrix (see Wikipedia article).

(This is where some applications such as Stuffit have been able to non-destructively increase the compression of JPEGs and gain a couple of 1% by using better algorithms to store the quantized results)

In lossless mode, JPEG uses instead Arithmetic coding on the raw non-quantized results of DCT.

PNG uses LZ77 (either on the raw pixels or on a delta) wich is an entirely different beast. As pointed out by other /.ers it's a *dictionary* compression which replace repeat parts with pointer to where to they where repeated first :
"ABACDABA" becomes "ABACD{go back 5 letters and copy 3 letters}"
It doesn't need a separate RLE mode, because the dictionary can be abused as follow :
"ACCCCCC" in RLE is "A{repeat 6xC}" and in LZ77 is "AC{go back 1 and copy 5 letter}"

Is this a "known plaintext" attack?

[grandpa-geek]

It sounds like if the image is included in the encrypted message and you have a copy of the unencrypted image, it may be possible to break the entire message. That is what is known as a "known plaintext attack." It isn't exactly a new idea, although its application to files/messages with embedded images might be.

Re:TrueCrypt is NOT immune

[JesseMcDonald]

"This attack requires NO knowledge of the key used for encryption and it applies to ECB Mode (Electronic Codebook), Counter Mode (CM), Galois/Counter Mode (GCM), LRW, XEX, XTS, as well as CBC-based modes of disk encryption applications (OTFE)."

A little off-topic...

[Spy+der+Mann]

Most of my encrypted porn is jpgs

Why would you need to encrypt your porn... unless....

Dude! Won't anybody stop you thinking about the children?

Privacy mode FTW!

But speaking seriously, securing your privacy is something you should ALWAYS do if you have a family - especially if you watch porn. Moral issues aside, depending on where you live, if your little brother (and/or his friends) finds your collection, you could get in serious trouble.

It happened in the city where I live. A teacher was fired because his son (who attends the same school) invited some of his friends to play on the computer. Unfortunately, the browser history wasn't cleared and guess what page appeared when they opened up Internet Explorer... obviously, the kids didn't keep their mouths shut.

Re:What about crypto modes? Never heard of CBC, CT

[RiotingPacifist]

Erm why do you need fast random access to backups? The weakness is only if there are two images(disk images) containing the same image(bitmap).

OOPS

as you cant compare a single image of a disk, and why would you have 2 images of a disk around for anything other than backups?

*if your running raid-1 with 2 disks youd have to identical images making the attack useless

Re:What about crypto modes? Never heard of CBC, CT

[Goaway]

Oh, so terribly sorry, let me just change that to "none of those except one".

The "discoverer" has reinvented an old attack...

[Joce640k]

Maybe this amateur cryptographer should read a few more cryptography books (or even Wikipedia) before claiming something new.

Two issues...

[gillbates]

But it is believed to effect almost any encryption program currently on sale as long as the two volumes being compared use the same encryption key whilst being slightly different from one another.

There are two issues that immediately come to mind:

1. Any encryption solution which has a halfway decent key management scheme will have a low probability of using the same keys... (However, key management is still a relatively nascent field within cryptography; the lack of serious, public study of this issue is one of the reasons why even public key cryptography is not secure in the hands of a novice - a simple "sign my sig" attack can be used against those who don't know any better. I know I'll probably get flamed for this, but the lack of a good, easily managed key-management scheme is one of the reasons why gpg has not been widely adopted, in spite of the fact that it is rather easy to install and use. As the matter of how best to make the tradeoffs between security and usability is not mathematically provable, progress in this area has been and will continue to be slow.)
2. One of the enduring tests for encryption algorithms is the degree to which they disguise the degree of entropy in the plaintext. The issue of the "proper" way to do secure disk encryption is also relatively nascent. The problem of what to do with the relatively low entity in filesystems, the prevalence of easily predicted data (for example, inode tables and FATs are relatively predictable) has been one of the enduring problems of full disk encryption. Wikipedia can give one an idea of where this has been and is going. The oldest listed disk encryption software is only 15 years old. Considering that DES, is ~30 years old, and the concepts of public key crypto were discovered shortly after WWII, there has not been a lot of time for the study of this area.

Re:Patents?

[retchdog]

The government has been known to nationalize whatever patents it wants, if it's too much bother to license them. It's then presumably free to re-license them to whomever it pleases.

Huh?

[Jane+Q.+Public]

Quote: "the attack also breaks the ability of users to 'hide' separate encrypted volumes inside already encrypted volumes, whose existence can now for the first time now be revealed."

Excuse me, but wasn't this mentioned right here some months ago? And turned out to be a special case?

Not to mention the poor grammar. "whose existence", indeed.

Border Agent attack

[SmilingSalmon]

Lots of people here are talking about users backing up their own data, but what about a border agent backing up your data? There's some real danger. Let's say you regularly pass through an international border where the country has a policy of making back ups of your laptop drives. Many corporate travelers are in this situation. The border agent takes a quick snapshot of your drive on Monday morning. You leave the country on Friday, but return the following Monday. When you return next Monday, they take another snapshot. Bingo. If any of your files have changed but the drive key is the same, they've got the backup they need to prove you have a hidden drive and even find the vulnerable images.

differences

[andy_t_roo]

from TFA : "But it is believed to effect almost any encryption program currently on sale as long as the two volumes being compared use the same encryption key whilst being slightly different from one another"

-- OMG !eleventy-one - if you encrypt 2 slightly different things with the same key you can almost recover the pattern of differences between them. The example on the 'site only works because they take a blank image then compare it to a real one, of the same size encrypted with teh same key. The only way this attack would work in real life is if they had the key (unless people have a large habit of saving, and then backing up, large blank images before storing a picture (which has a large blank background) at the same location.

to avoid : a) initialize the "blank" space in any ecrypted volume to random numbers. b) don't store 2 hours worth if pure black video uncompressed at the same location as any data which has large blocks of ones or zeros.

In other words, if you use a block encryption scheme, then change the data in 1 of the blocks, the encryption only changes in that 1 block, and so you can recover the pattern of differences.

Re:differences

[calmofthestorm]

Definitely fud, given it's coming from some no-name proprietary firm. This reeks of snake oil to me.

The author's assumptions are completely absurd and the article itself seems deliberately poorly written.

FUD has a strong effect on the weak minded.

Now if you'll excuse me, I'm waiting for my hard drive to Caesar Shift with my Vaporware 8000 FDE.

This is not really a "ciphertext only" attack

[rhythmx]

This is neat, but it seems like a whole lot of hyperbole. What this is a chosen plaintext attack with a very small domain to choose from.

• The attack requires an encrypted bitmap, and another encrypted bitmap of the exact same size and color palette.
• The two ciphertexts must be saved and extracted from the exact starting block number on the disk (because the block number seeds the cipher)

This attack will only effect uncompressed images, because compression increases the entropy so that pixel information will be entirely different as the colors change.

Finding a pair of encrypted twin images like this is nearly impossible. How can they even tell where an image starts on disk when the filesystem itself is encrypted? Not to mention the very strict (and unlikely) requirements on the images themselves. The odds of actually being able to exploit this on a live system are very low IMHO.

Does this mean...

[Thelasko]

I can use this to collect the bounty on the Gpcode virus?

Great idea!

[CustomDesigned]

No one modded you up, but kudos anyway. That sounds like a workable scheme - but it still costs twice as much disk io. There is probably a way to optimize that as well. I wonder also if having two IVs on disk is a security weakness?

Re:Great idea!

[Noishe]

increase the bit length as needed

Not very likely

[collinl]

So, this means ant in an encrypted volume, where the directory and node structure are not visible, you need to 1) identify where an encrypted image is, and apply this comparison algorithm to the EXACT same unencrypted image, to see if it's there.

In other words, the best that this can really do is prove is an image is is in the encrypted volume, by applying the comparison algorithm every 512/4096 bytes along the volume's byte array.

Good for providing a law enforcement case, not much for detecting evidence of a crime - unless you are stupid enough to leave the images around as unencrypted versions as as well as encrypted.

lyalc

Re:What about crypto modes? Never heard of CBC, CT

[calmofthestorm]

False. I use XTS. If you use well-written software (dm-crypt + luks) you barely take a speed hit. I'm on serpent-xts-essiv:sha256 with a 256 bit key and I lose 20% disk access speed or so. Not even noticable unless I'm copying large chunks of data.