# Watermarking attack

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Watermarking_attack
> Markdown URL: https://mediated.wiki/source/Watermarking_attack.md
> Source: https://en.wikipedia.org/wiki/Watermarking_attack
> Source revision: 1211228532
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

{{Short description|Attack on disk encryption methods}}
In cryptography, a '''watermarking attack''' is an attack on [disk encryption](/source/disk_encryption) methods where the presence of a specially crafted piece of data can be detected by an attacker without knowing the encryption [key](/source/key_(cryptography)).

==Problem description==
Disk encryption suites generally operate on data in 512-byte [sector](/source/cylinder-head-sector)s which are individually encrypted and decrypted. These 512-byte sectors alone can use any [block cipher mode of operation](/source/block_cipher_mode_of_operation) (typically [CBC](/source/Cipher_Block_Chaining)), but since arbitrary sectors in the middle of the disk need to be accessible individually, they cannot depend on the contents of their preceding/succeeding sectors. Thus, with CBC, each sector has to have its own [initialization vector](/source/initialization_vector) (IV). If these IVs are predictable by an attacker (and the [filesystem](/source/filesystem) reliably starts file content at the same offset to the start of each sector, and files are likely to be largely contiguous), then there is a [chosen plaintext attack](/source/chosen_plaintext_attack) which can reveal the existence of encrypted data.

The problem is analogous to that of using block ciphers in the [electronic codebook (ECB)](/source/block_cipher_modes_of_operation) mode, but instead of whole blocks, only the first block in different sectors are identical.  The problem can be relatively easily eliminated by making the IVs unpredictable with, for example, [ESSIV](/source/Disk_encryption_theory).<ref>
{{cite web
 | last = Fruhwirth
 | first = Clemens
 | title = Linux hard disk encryption settings
 | url = http://clemens.endorphin.org/LinuxHDEncSettings
 | accessdate = 2006-01-02
}}</ref>

Alternatively, one can use modes of operation specifically designed for disk encryption (see [disk encryption theory](/source/disk_encryption_theory)).  This weakness affected many [disk encryption](/source/disk_encryption) programs, including older versions of [BestCrypt](/source/BestCrypt)<ref name="bestcrypt-iv-flaw">
{{cite web
 | author = Chiriliuc, Adal
 | title = BestCrypt IV generation flaw
 | date = 2003-10-23
 | url = https://ad.al/bc_iv_flaw.html
 | accessdate = 2023-05-21
}}</ref> as well as the now-deprecated [cryptoloop](/source/cryptoloop).<ref>
{{cite web
 | last = Saarinen
 | first = Markku-Juhani O.
 | title = Linux for the Information Smuggler
 | date = 2004-02-19
 | publisher = Helsinki University of Technology
 | citeseerx = 10.1.1.117.4062
 | url = http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.117.4062
 | accessdate = 2006-10-01
}}</ref>

To carry out the attack, a specially crafted plaintext file is created for encryption in the system under attack, to "[NOP-out](/source/NOP_(code))" the IV<ref>
Markus Gattol.
[http://www.markus-gattol.name/ws/dm-crypt_luks.html#redundant_data_may_lead_to_successful_watermarking_attacks "Redundancy, the Watermarking Attack and its Countermeasures"].
</ref>
such that the first ciphertext block in two or more sectors is identical. This requires that the input to the cipher (plaintext, <math>\scriptstyle P</math>, [XOR](/source/XOR) initialisation vector, <math>\scriptstyle IV</math>) for each block must be the same; i.e.,  <math>\scriptstyle P_1 \,\oplus\, IV_1 \;=\; P_2 \,\oplus\, IV_2</math>. Thus, we must choose plaintexts, <math>\scriptstyle P_1,\, P_2</math> such that <math>\scriptstyle P_1 \,\oplus\, P_2 \;=\; IV_1 \,\oplus\, IV_2</math>.

The ciphertext block patterns generated in this way give away the existence of the file, without any need for the disk to be decrypted first.

==See also==

* [Disk encryption theory](/source/Disk_encryption_theory)
* [Initialization vector](/source/Initialization_vector)
* [Block cipher modes of operation](/source/Block_cipher_modes_of_operation)
* [Watermark](/source/Watermark)

==References==
{{Reflist}}

Category:Cryptographic attacks
Category:Disk encryption

---
Adapted from the Wikipedia article [Watermarking attack](https://en.wikipedia.org/wiki/Watermarking_attack) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Watermarking_attack?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
