On 2021-05-25 19:48:54 -0400, Stephen Frost wrote:
> That's how CTR works, yes. The issue that you run into is that once
> you've got two pages which have different data but were encrypted with
> the same key and nonce then you can use crib-dragging.
>
> A good example of how this works is here:
>
> http://travisdazell.blogspot.com/2012/11/many-time-pad-attack-crib-drag.html
>
> Once you've got the two different pages which had the same key+nonce
> used, you can XOR them together and then start cribbing, scanning the
> page for legitimate data which doesn't have to be in the part of the
> data that was different between the two original pages.
IOW, purely hint bit changes are the *dream* case for an attacker,
because any difference can just be ignored. All an attacker has to do is
to look at the writes, see if an IV repeats for a block, and the
attacker will get the *entire* page's worth of data. Either minus hint
bits (which are irrelevant), or with a trivial bit of inferrence even
that (because hint bits can only change in one direction).
Greetings,
Andres Freund