2.3 from audit: https://defuse.ca/audits/encfs.htm
Exploitability: Low
Security Impact: Medium
Given the File IV (an IV unique to a file), EncFS generates per-block IVs by XORing the File IV with the block number, then passing the result to setIVec(), which is described in Section 2.2. This is not a good solution, as it leads to IV re-use when combined with the last-block stream cipher issue in Section 2.2:
The stream algorithm (see previous section) adds 1 to the IV, which can undo the XOR with the block number and cause an IV to be re-used. Suppose the file consists of one and a half blocks, and that the least significant bit (LSB) of the File IV is 1. The first block is encrypted in CBC mode with the File IV itself (block number = 0). The second, partial block is encrypted with the stream algorithm using File IV XOR 1 (block number = 1), which clears the LSB to 0. The stream algorithm then adds 1 to that IV, setting the LSB back to 1, so the value used for the partial block is identical to the File IV used for the first block: the same IV is used twice. The two uses are under different encryption modes (CBC for the full block, CFB for the partial block), but CFB mode starts out similarly to CBC mode, so this is worrisome.
EncFS should use a mode like XTS for random-access block encryption.
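The collision argument above, worked through in code. This is an added example and is not EncFS's own code: it models the 64-bit value that the audit says EncFS derives per block and hands to setIVec(), with setIVec() itself stood in by a deterministic keyed hash (an assumption, but all the argument needs is that equal 64-bit inputs produce equal cipher IVs). The stream path is modelled as a pass with the per-block value plus one, which is the +1 the audit describes; that it also makes a first pass with the unmodified value is an assumption of this model and does not affect the collision. The names `MASK64`, `IV_KEY`, `set_ivec`, `block_ivs`, `find_collisions` and `collides`, the "stream-pass1/2" labels and the key bytes are all placeholders chosen here. `collides()` generalises the LSB case in the text: the partial block at index n reuses the IV of an earlier full block m whenever ((File IV XOR n) + 1) XOR File IV is smaller than n. That covers the text's case (File IV with LSB 1, n = 1, m = 0) but also, for instance, File IV = 7 with three full blocks, where partial block 3 reuses block 2's IV.

```python
"""Model of the per-block IV derivation described in the audit finding.

Added example, not EncFS code.  setIVec() is stood in by an HMAC over the
64-bit value (assumption: any deterministic keyed function gives the same
collision behaviour, since equal inputs yield equal cipher IVs).
"""
import hashlib
import hmac
from collections import defaultdict

MASK64 = (1 << 64) - 1           # per-block IV values are 64-bit in this model
IV_KEY = b"hypothetical-iv-key"  # placeholder for whatever key setIVec() uses


def set_ivec(iv64: int) -> bytes:
    """Stand-in for setIVec(): a deterministic map from a 64-bit value to a cipher IV."""
    return hmac.new(IV_KEY, iv64.to_bytes(8, "little"), hashlib.sha1).digest()[:16]


def block_ivs(file_iv: int, n_full: int, partial: bool):
    """List (block_number, use, iv64) for a file of n_full complete blocks,
    optionally followed by one partial block.

    Full blocks: CBC with File IV XOR block number.
    Partial block: the stream algorithm, modelled as one pass with the
    per-block value (assumption) and one pass with that value plus one
    (the +1 the audit describes)."""
    file_iv &= MASK64
    uses = [(b, "cbc", file_iv ^ b) for b in range(n_full)]
    if partial:
        n = n_full
        base = file_iv ^ n
        uses.append((n, "stream-pass1", base))
        uses.append((n, "stream-pass2", (base + 1) & MASK64))
    return uses


def find_collisions(file_iv: int, n_full: int, partial: bool):
    """Group uses by the cipher IV actually produced; return the groups of size > 1."""
    by_iv = defaultdict(list)
    for b, use, iv64 in block_ivs(file_iv, n_full, partial):
        by_iv[set_ivec(iv64)].append((b, use))
    return [group for group in by_iv.values() if len(group) > 1]


def collides(file_iv: int, n: int):
    """Closed form: the +1 pass of partial block n reuses the CBC IV of full
    block m = ((File IV XOR n) + 1) XOR File IV exactly when m < n.
    Returns m, or None when there is no reuse."""
    file_iv &= MASK64
    m = (((file_iv ^ n) + 1) & MASK64) ^ file_iv
    return m if m < n else None


if __name__ == "__main__":
    # The audit's case: one full block plus a partial block, File IV with LSB 1.
    print(find_collisions(0x0123456789ABCDEF, 1, True))  # [[(0, 'cbc'), (1, 'stream-pass2')]]
    # LSB 0: the +1 carries instead of undoing the XOR, so there is no reuse.
    print(find_collisions(0x0123456789ABCDEE, 1, True))  # []
    # Beyond the text's case: File IV 7, partial block 3 reuses block 2's IV.
    print(collides(7, 3))  # 2
```

The brute-force `find_collisions()` and the closed-form `collides()` agree for every File IV and block count, so a practitioner checking a real file only needs the File IV and the index of the partial block to know whether an IV is reused.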
Correction 12/05/2014: XTS mode is probably not the ideal option, see Thomas Ptacek's blog post for good reasons why: http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/
Mirror from upstream: https://github.com/vgough/encfs/issues/10