12.04.4 alternate installer encryption should default to aes-xts-plain64
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
partman-crypto (Debian) | Fix Released | Unknown | | |
partman-crypto (Ubuntu) | Fix Released | Undecided | Dimitri John Ledkov | |
Precise | Fix Released | Undecided | Dimitri John Ledkov | |
Bug Description
[Impact]
* Default LUKS encryption settings in the installer are proven to be susceptible to a malleability attack (targeted manipulation of encrypted data).
* Thus it is proposed to bump defaults to aes-xts-plain64, which is believed to not be affected by the above attack.
[Test Case]
* Perform LUKS encrypted installation using d-i (text) based interface
* After installation verify that XTS has been used, and not CBC.
# cryptsetup luksDump /dev/sda5|grep Cipher
Here is the sample of _bad_ (CBC) output:
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Here is the sample of _good_ (XTS) output:
Cipher name: aes
Cipher mode: xts-plain64
[Other Info]
12.04 LUKS encryption in the installer defaulted to CBC. We should switch 12.04.4 to aes-xts-plain64 as in 12.10 and above.
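The check from the test case, automated as an added example (not part of the original bug report or of partman-crypto): it parses the LUKS1-style "Cipher name" / "Cipher mode" fields of a luksDump and returns a failing status for CBC. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Classify the cipher reported by `cryptsetup luksDump` (LUKS1 header layout,
# as in the test case above). Reads the dump on stdin, prints "<name>-<mode>"
# and returns:
#   0  XTS mode (the fixed default, aes-xts-plain64)
#   1  CBC mode (the old default, aes-cbc-essiv:sha256)
#   2  cipher fields missing, or some other mode
luks_cipher_verdict() {
    dump=$(cat)
    name=$(printf '%s\n' "$dump" | sed -n 's/^Cipher name:[[:space:]]*//p' | head -n 1)
    mode=$(printf '%s\n' "$dump" | sed -n 's/^Cipher mode:[[:space:]]*//p' | head -n 1)
    if [ -z "$name" ] || [ -z "$mode" ]; then
        echo "unknown"
        return 2
    fi
    echo "$name-$mode"
    case "$mode" in
        xts-*) return 0 ;;
        cbc-*) return 1 ;;
        *)     return 2 ;;
    esac
}

# Run the check against a real device (needs root and cryptsetup),
# e.g. luks_check_device /dev/sda5
luks_check_device() {
    cryptsetup luksDump "$1" | luks_cipher_verdict
}

# Constructed sample dump for offline testing; $1 is the cipher mode to report.
sample_dump() {
    printf 'LUKS header information for /dev/sda5\n\n'
    printf 'Version:       \t1\n'
    printf 'Cipher name:   \taes\n'
    printf 'Cipher mode:   \t%s\n' "$1"
    printf 'Hash spec:     \tsha1\n'
}
```

The exit status makes the function usable as a pass/fail step in an installer test job.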
Changed in ubiquity (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
status: New → Fix Released
Changed in ubiquity (Ubuntu Precise):
milestone: none → ubuntu-12.04.4
assignee: nobody → Dimitri John Ledkov (xnox)
affects: ubiquity (Ubuntu) → partman-crypto (Ubuntu)
description: updated
Changed in partman-crypto (Ubuntu Precise):
status: Confirmed → In Progress
description: updated
Changed in partman-crypto (Debian):
status: Unknown → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.