Watermarking attack

From Wikipedia, the free encyclopedia
Attack on disk encryption methods

In cryptography, a watermarking attack is an attack on disk encryption methods in which the presence of a specially crafted piece of data on the encrypted disk can be detected by an attacker without knowing the encryption key.

Problem description


Disk encryption suites generally operate on data in 512-byte sectors which are individually encrypted and decrypted. Within a sector any block cipher mode of operation can be used (typically CBC), but since arbitrary sectors in the middle of the disk need to be accessible individually, a sector's encryption cannot depend on the contents of its preceding or succeeding sectors. Thus, with CBC, each sector has to have its own initialization vector (IV). If these IVs are predictable by an attacker (and the filesystem reliably starts file content at the same offset from the start of each sector, and files are likely to be largely contiguous), then there is a chosen-plaintext attack which can reveal the existence of a specific encrypted file on the disk.

The problem is analogous to that of using block ciphers in the electronic codebook (ECB) mode, but instead of whole blocks being repeated, only the first block of different sectors is identical. The problem can be relatively easily eliminated by making the IVs unpredictable without the key, for example with ESSIV.[1]

Alternatively, one can use modes of operation specifically designed for disk encryption (see disk encryption theory). This weakness affected many disk encryption programs, including older versions of BestCrypt[2] as well as the now-deprecated cryptoloop.[3]

To carry out the attack, a specially crafted plaintext file is created for encryption on the system under attack, to "NOP-out" the IV[4] such that the first ciphertext block in two or more sectors is identical. This requires that the input to the cipher (plaintext $P$ XOR initialisation vector $IV$) for the first block of each sector be the same, i.e. $P_1 \oplus IV_1 = P_2 \oplus IV_2$. Thus, the attacker must choose plaintexts $P_1, P_2$ such that $P_1 \oplus P_2 = IV_1 \oplus IV_2$, which is possible precisely because $IV_1$ and $IV_2$ are predictable.

The ciphertext block patterns generated in this way give away the existence of the file, without any need for the disk to be decrypted first.
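The following is an added example, not code from the article or from any of the products it mentions. It carries the construction above through in working code: two 512-byte sectors are encrypted in CBC, first with a predictable "plain" IV (assumed here to be the little-endian sector number, zero-padded to a block, as cryptoloop-style plain IVs are) and then with an ESSIV-style IV (assumed here as $E_{H(K)}(\text{sector})$ with $H$ = SHA-256 truncated to a 16-byte key). The attacker's file differs between the two sectors only in the first block, by $IV_1 \oplus IV_2$, so that the cipher input $P \oplus IV$ is identical and the two ciphertext sectors collide; under ESSIV the guess is wrong and nothing repeats. AES-128 from the `cryptography` package is used when installed; otherwise a keyed SHA-256 stand-in block function is substituted, which is sufficient because the attack depends only on $E_K$ being deterministic. The key, sector numbers and file content are constructed for the demonstration.

```python
"""Watermarking attack on per-sector CBC with predictable IVs (added example).

All data below is constructed. The block cipher is AES-128 via the
`cryptography` package when it is installed; otherwise a keyed SHA-256
stand-in is used, which is enough because the attack only relies on the
block function being deterministic under the (unknown) key.
"""
import hashlib
import struct

BLOCK = 16    # AES block size
SECTOR = 512  # sector size the encryption layer works on

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def encrypt_block(key: bytes, block: bytes) -> bytes:
        """E_K(block): one AES-128 block encryption."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:  # stand-in only: not invertible, but deterministic per key
    def encrypt_block(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def plain_iv(sector: int) -> bytes:
    """Assumed 'plain' IV: 32-bit little-endian sector number, zero padded.
    Needs no key, so the attacker can compute it as well as the disk driver."""
    return struct.pack("<I", sector) + bytes(BLOCK - 4)


def essiv(key: bytes, sector: int) -> bytes:
    """Assumed ESSIV: IV = E_{H(K)}(sector). Without K the IVs are unpredictable."""
    salt = hashlib.sha256(key).digest()[:16]
    return encrypt_block(salt, struct.pack("<Q", sector) + bytes(BLOCK - 8))


def cbc_encrypt_sector(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt one 512-byte sector in CBC mode with the given per-sector IV."""
    assert len(data) == SECTOR
    out, prev = bytearray(), iv
    for i in range(0, SECTOR, BLOCK):
        prev = encrypt_block(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def watermark(filler: bytes, s1: int, s2: int) -> tuple:
    """Attacker's file construction ("NOP-out" the IV).

    The two sectors share every block except the first, where they differ by
    IV(s1) xor IV(s2) under the attacker's IV guess, so that
    P1 xor IV1 == P2 xor IV2 and the cipher sees identical input."""
    delta = xor(plain_iv(s1), plain_iv(s2))
    p1 = filler
    p2 = xor(filler[:BLOCK], delta) + filler[BLOCK:]
    return p1, p2


def find_repeated_sectors(sectors: dict) -> list:
    """Attacker's check on the raw encrypted disk: pairs of sector numbers
    whose first ciphertext block is identical. No key is needed."""
    seen, hits = {}, []
    for num, ct in sorted(sectors.items()):
        head = ct[:BLOCK]
        if head in seen:
            hits.append((seen[head], num))
        seen.setdefault(head, num)
    return hits


def demo(key: bytes, s1: int = 100, s2: int = 101) -> dict:
    """Store the watermarked file in sectors s1 and s2 under both IV schemes
    and report whether the attacker's pattern shows up in the ciphertext."""
    filler = bytes(range(256)) * 2   # constructed 512-byte file content
    p1, p2 = watermark(filler, s1, s2)
    schemes = {"plain": plain_iv, "essiv": lambda s: essiv(key, s)}
    result = {}
    for name, iv_of in schemes.items():
        # the same unmodified content in both sectors leaks nothing either way
        naive = {s1: cbc_encrypt_sector(key, iv_of(s1), filler),
                 s2: cbc_encrypt_sector(key, iv_of(s2), filler)}
        marked = {s1: cbc_encrypt_sector(key, iv_of(s1), p1),
                  s2: cbc_encrypt_sector(key, iv_of(s2), p2)}
        result[name + "_naive"] = bool(find_repeated_sectors(naive))
        result[name + "_watermarked"] = bool(find_repeated_sectors(marked))
    return result


if __name__ == "__main__":
    import os
    print(demo(os.urandom(16)))
    # -> {'plain_naive': False, 'plain_watermarked': True,
    #     'essiv_naive': False, 'essiv_watermarked': False}
```

Because the remainder of the two sectors is identical and CBC chains each block off the previous ciphertext, the plain-IV case produces two completely identical ciphertext sectors, not just matching first blocks; scanning the raw device for repeated sectors is therefore enough to find the mark. Note that copying an unmodified file to both sectors produces no repeat even with plain IVs, which is why the attacker must know the IV scheme in advance.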


References

  1. Fruhwirth, Clemens. "Linux hard disk encryption settings". Retrieved 2006-01-02.
  2. Chiriliuc, Adal (2003-10-23). "BestCrypt IV generation flaw". Retrieved 2023-05-21.
  3. Saarinen, Markku-Juhani O. (2004-02-19). "Linux for the Information Smuggler". Helsinki University of Technology. CiteSeerX 10.1.1.117.4062. Retrieved 2006-10-01.
  4. Markus Gattol. "Redundancy, the Watermarking Attack and its Countermeasures".