Open lipnitsk opened 10 years ago
I think every 123 bytes block is written using stream cipher (so this creates garbage), until you are ready to write enough bytes (up to blokSize) to read (stream-encode) them again and re-decode the whole block correctly using CBC.
Confirmed (here blockSize is 1024) :
VERBOSE FileNode::write offset 984, data size 123 [FileNode.cpp:247]
VERBOSE streamRead(data, 984, IV) [CipherFileIO.cpp:350]
VERBOSE Called blockWrite [CipherFileIO.cpp:420]
VERBOSE Called streamWrite [CipherFileIO.cpp:429]
Strangely, in your failing example above, file get truncated by dd at the end of the 123 bytes written block (I reproduced it). There is a bug somewhere :)
Oh, my bad! You are right, the truncation is what causes the garbage:
dd if=b/eNZPWSyw0rxU7T37UwNN3,n9 of=c/eNZPWSyw0rxU7T37UwNN3,n9 \
bs=123 seek=43 skip=43 count=1 conv=notrunc
$ md5sum a/zero d/zero
2d56b031dc8683c233c016429084f870 a/zero
2d56b031dc8683c233c016429084f870 d/zero
What's the current state of this issue?
From: https://defuse.ca/audits/encfs.htm
Exploitability: Unknown Security Impact: High
As reported in [1], EncFS uses a stream cipher mode to encrypt the last file block. The change log says that the ability to add random bytes to a block was added as a workaround for this issue. However, it does not solve the problem, and is not enabled by default.
EncFS needs to use a block mode to encrypt the last block.
EncFS's stream encryption is unorthodox:
This should be removed and replaced with something more standard. As far as I can see, this provides no useful security benefit, however, it is relied upon to prevent the attacks in [1]. This is security by obscurity.
Edit : [1] may be unavailable, so here it is from archives.org :