5 Replies Latest reply: Aug 9, 2012 5:20 AM by g_wolfman
Michel Colman Level 1 (15 points)

I have a very elaborate passphrase using letters, digits and punctuation marks that I'm fairly confident nobody will ever be able to crack even if they have the seed and hash and a couple of million GPU's to throw at it.


However, from a cryptography course I know that if two "messages" have been encrypted using the same "pad", you will be able to extract information by or-ing the messages, for example.


Now I'm sure that the encryption scheme in OS X is much more sophisticated, but just to be sure:


If I encrypt two disks using the same passphrase, and somebody steals both disks, would that make it easier for them to crack it? Is there some way they could exploit the fact that the passphrases are the same? Could they find data by combining the data on the two disks?


I assume it's not possible, but just checking.
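The "same pad" effect mentioned above, as a small added example that is not part of the original thread: two messages encrypted with one reused pad, the pad cancelling under XOR, and a known run of zeros in one message giving away the matching stretch of the other. The messages, the pad and the zero region are all constructed here; the code is a classroom one-time pad, not Apple's disk encryption.

```python
"""Why reusing a one-time pad (or any stream-cipher keystream) leaks data.
XOR-ing two ciphertexts made with the same pad cancels the pad and leaves
m1 XOR m2; any stretch of one plaintext that is known or guessable (a run of
zero bytes, for instance) then exposes the same stretch of the other.
Constructed demonstration with made-up messages; not code from the thread."""
import os

# Two equal-length "messages"; M1 ends in a run of zero bytes, like an empty
# region of a disk image, which a reader can safely assume is all zeros.
M1 = b"SECTOR 0001: ".ljust(32, b"\x00")
M2 = b"meeting notes: budget is 42k now"
KNOWN_ZERO_RANGE = (13, 32)   # byte range of M1 that is known to be zero


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """One-time pad: c = m XOR pad. Decryption is the same operation."""
    if len(pad) < len(msg):
        raise ValueError("pad must be at least as long as the message")
    return xor(msg, pad)


def plaintext_xor_from_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """With a shared pad, c1 XOR c2 == m1 XOR m2: the pad cancels out."""
    return xor(c1, c2)


def recover_segment(c1: bytes, c2: bytes, known_m1: bytes, start: int) -> bytes:
    """Given a known stretch of m1, read off the same stretch of m2."""
    d = plaintext_xor_from_ciphertexts(c1, c2)[start:start + len(known_m1)]
    return xor(d, known_m1)


def demo() -> dict:
    pad = os.urandom(32)
    c1, c2 = otp_encrypt(pad, M1), otp_encrypt(pad, M2)   # pad reused: the mistake
    s, e = KNOWN_ZERO_RANGE
    recovered = recover_segment(c1, c2, bytes(e - s), s)
    # Correct use: a fresh pad per message; same plaintext, unrelated ciphertexts.
    fresh1 = otp_encrypt(os.urandom(32), M2)
    fresh2 = otp_encrypt(os.urandom(32), M2)
    return {
        "pad_cancels": plaintext_xor_from_ciphertexts(c1, c2) == xor(M1, M2),
        "recovered_segment": recovered,
        "fresh_pads_differ": fresh1 != fresh2,
        "roundtrip": otp_encrypt(pad, c1) == M1,
    }
```

Running `demo()` shows `recovered_segment` equal to the tail of M2 without the pad ever being known; the fix is never to reuse keystream, which is what the per-sector tweak and per-volume key in disk encryption modes are there to guarantee.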

  • g_wolfman Level 4 (1,120 points)

    The biggest risk is this:


    IF someone breaks the passphrase on one of your disks, then they will certainly try it on the other disk just in case you re-used it.  And they would be correct.  Just as someone who compromised one of your on-line passwords would test it for reuse (think someone finding out a Windows Live password and then going "Gee, I wonder if they used the same password for Xbox Live...").


    As far as I know, the AES encryption used by Apple doesn't even have any known plaintext attacks, let alone ciphertext attacks.

  • MrHoffman Level 6 (14,750 points)

    Short answer: don't worry.  AES-256 is currently a secure scheme.


    Long answer: If your reference to a "pad" is to the reuse of a so-called one-time pad scheme, that's a very different cryptographic system than what's typically used now, and the attacks against a reused one-time pad are different sorts of cryptographic attacks.


    If you're using a one-time pad for a whole disk, you either need a ginormous one-time pad that's itself as big as the disk, or you'll get data that's repeated; a typical disk has great wads of zeros and ranges of blocks of zeros, after all.


    In modern systems, it's quite common for the same private key to be used for thousands and even millions of messages, when asymmetric encryption is used.


    Now I don't know which encryption algorithm is currently being used to encrypt DMGs, but I'd suspect it's still AES-grade encryption.


    AES works very hard at making the results of the encryption process as close to random as it can manage, which reduces the exposure to frequency-based attacks.  (This is also why effectively-encrypted data can't be compressed; there should be no repeats.)  This randomness is part of the basis for the attacks against the one-time pad; that the output of the pad - the encrypted data - if the one-time pad is re-used - isn't really random.  Particularly if you know (or can guess) some of the cleartext, too.  Or those big blocks of zeros.


    Now the other central discussion here is around how much somebody would pay to decrypt your data.  Because if your data is worth enough to the attacker, then there can potentially be other ways to attempt to gain access, even if AES itself isn't breached. 


    If you're storing some very valuable data (worthy of attacks), then receiving guidance from some yutz like me in an Apple forum probably isn't in your best interest.  But if you're not storing military-grade, or financial secrets, or identifying medical data, or credit card data, then AES-256 will do nicely.  And even if you are, AES-256 might be enough.  But check with the crypto and legal folks for details, or with your site security officer.


    And as was correctly noted in an earlier reply, if a password is used once, and once known, an attacker will try it against other systems and servers.  This being another common form of re-use.


    If you're interested here, then get one or two of Bruce Schneier's books on crypto.  If you don't already have them.

  • Michel Colman Level 1 (15 points)

    Maybe I should start with a simpler question:


    If you encrypt two identical disks with the same passphrase, will they look the same or different?


    I would hope some kind of random seed would be added so that they would be different.


    If they are the same, then there might be a possible attack if you have two disks with different data and the same encryption, by comparing the two. (Still pretty difficult though, probably)

  • MrHoffman Level 6 (14,750 points)

    AES has been battle-tested for a while now; you'll need a notable and unique attack to compromise it.


    And for your question, launch Terminal.app and use the provided OpenSSL command to encrypt some small files, and have a look.  (See the man openssl and man enc text and commands, for starters.)


    If you're curious about this topic, read Schneier's books.

  • g_wolfman Level 4 (1,120 points)

    If it makes you feel better to know the details, Apple natively uses XTS-AES, where XTS is a loose acronym for "XOR-Encrypt-XOR-based Tweaked Codebook Mode with Ciphertext Stealing".  In this context, "tweaked" refers to the property that no two sectors on disk are processed quite the same way.


    The reason the tweaking property is required is because the encryption design for disk encryption assumes an attacker who can read the raw contents of the disk at any time, can ask the disk to encrypt and store arbitrary files of their own choosing and can modify unused disk space and request it be decrypted.


    A very broad overview is available on Wikipedia's Disk Encryption Theory page, and includes links to the relevant papers if you want to know more, as well as an external link to the IEEE standard P1619 for XTS-AES.  That link should have all the technical details you require.
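As an added illustration of the two points raised in this thread (the "will two disks with the same passphrase look the same?" question, and the XTS tweak described just above), here is a toy model that is not part of the thread and not Apple's FileVault or DMG code: a per-volume random salt turns one passphrase into different volume keys, and an XEX/XTS-style tweak derived from the sector number makes identical sectors (a run of zeros, say) encrypt differently, where an untweaked codebook mode would expose that they are equal. The passphrase and sector contents are constructed, and an 8-round Feistel network built on HMAC-SHA256 stands in for AES so that the whole thing runs with the Python standard library; ciphertext stealing for partial blocks is left out.

```python
"""Toy model of two properties discussed in this thread:
  1. a random per-volume salt means the same passphrase yields different
     volume keys on two disks;
  2. an XEX/XTS-style tweak, derived from the sector number, means equal
     plaintext sectors (e.g. all zeros) encrypt to different ciphertext,
     whereas an untweaked codebook mode would reveal that they are equal.
Constructed demonstration: an 8-round Feistel network built on HMAC-SHA256
stands in for AES, and ciphertext stealing for partial blocks is omitted.
The toy cipher is NOT secure and this is NOT Apple's FileVault/DMG code.
"""
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, like AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES encryption of one 16-byte block (Feistel, 8 rounds)."""
    l, r = block[:8], block[8:]
    for i in range(8):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, xor(l, f)
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: run the rounds backwards."""
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        f = hmac.new(key, bytes([i]) + l, hashlib.sha256).digest()[:8]
        l, r = xor(r, f), l
    return l + r


def gf_mul_alpha(t: bytes) -> bytes:
    """Multiply a 128-bit tweak by alpha (x) in GF(2^128), little-endian
    convention, reduction polynomial x^128 + x^7 + x^2 + x + 1 (IEEE 1619)."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "little")


def xts_sector(k1: bytes, k2: bytes, sector_no: int, data: bytes, encrypt: bool) -> bytes:
    """XEX/XTS structure: T = E_k2(sector); C_j = E_k1(P_j ^ T*alpha^j) ^ T*alpha^j."""
    if len(data) % BLOCK:
        raise ValueError("whole blocks only (ciphertext stealing omitted)")
    t = toy_block_encrypt(k2, sector_no.to_bytes(BLOCK, "little"))
    core = toy_block_encrypt if encrypt else toy_block_decrypt
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        out += xor(core(k1, xor(data[j:j + BLOCK], t)), t)
        t = gf_mul_alpha(t)  # next block in the sector gets a different tweak
    return bytes(out)


def codebook_sector(k1: bytes, data: bytes) -> bytes:
    """Untweaked, ECB-style: every block is encrypted independently of position."""
    return b"".join(toy_block_encrypt(k1, data[j:j + BLOCK])
                    for j in range(0, len(data), BLOCK))


def derive_volume_keys(passphrase: str, salt: bytes) -> tuple:
    """PBKDF2 turns passphrase + per-volume salt into the two XTS keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def demo() -> dict:
    passphrase = "correct horse battery staple"            # constructed
    disk_a = derive_volume_keys(passphrase, os.urandom(16))  # fresh salt per volume
    disk_b = derive_volume_keys(passphrase, os.urandom(16))
    zeros = bytes(4 * BLOCK)                                 # a 64-byte sector of zeros

    def blocks(c):
        return [c[j:j + BLOCK] for j in range(0, len(c), BLOCK)]

    ecb = codebook_sector(disk_a[0], zeros)
    xts_s0 = xts_sector(*disk_a, 0, zeros, True)
    xts_s1 = xts_sector(*disk_a, 1, zeros, True)
    xts_b0 = xts_sector(*disk_b, 0, zeros, True)
    return {
        "same_passphrase_different_keys": disk_a != disk_b,
        "codebook_reveals_equal_blocks": len(set(blocks(ecb))) == 1,
        "xts_hides_equal_blocks": len(set(blocks(xts_s0))) == 4,
        "xts_differs_across_sectors": xts_s0 != xts_s1,
        "xts_differs_across_volumes": xts_s0 != xts_b0,
        "xts_roundtrip": xts_sector(*disk_a, 0, xts_s0, False) == zeros,
    }
```

Every entry of `demo()` comes back True: the codebook version of the zero sector is four identical blocks, the tweaked version is four distinct ones, and the same zero sector on the second disk looks nothing like the first even though both were unlocked with one passphrase. The tweak does not make XTS resistant to every attack the post above lists (an attacker who can replace sectors can still replay an older ciphertext into the same sector), which is why full-disk encryption is paired with a strong passphrase and, where it matters, with integrity protection elsewhere.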