20.10 cryptsetup suddenly fails to open luks: Cannot use twofish-ecb cipher for keyslot encryption

Since the recent update from 20.04 to 20.10, cryptsetup fails to open the luks container.

Message is:

Cannot use twofish-ecb cipher for keyslot encryption. Keyslot open
failed. No usable keyslot is available.

  • I was able to open and edit the luks container under Ubuntu 20.04.
  • Only fails since the upgrade.
  • I can still open and edit the luks container under Fedora. Data is still available under Fedora and the luks container itself is fine.

isLuks

is positive,

cryptsetup -v luksDump /dev/sdx3

brings the expected results, perfect.

issue:

sudo cryptsetup luksOpen /dev/sdx3 luks-61(…)51

successfully requests and accepts passphrase then
fails with

Cannot use twofish-ecb cipher for keyslot encryption.
Keyslot open failed.
No usable keyslot is available.

Subsequently /dev/mapper does not show this luks mapping while still working fine for the other luks mappings.

Only special thing about /dev/sdx is: it is a btrfs disk. Working fine with Ubuntu, Fedora, Suse until the upgrade.

Used to work fine under Ubuntu 20.04 (until the reboot after upgrade to 20.10).

Version with U20.10: cryptsetup 2.3.3

Why does it fail under Ubuntu 20.10?
What can I do to fix it?

Payload Encryption Design for the Web application with Spring Boot Backend

We are working on designing the solution for a financial institution as a product, which comprises different applications [channels], e.g. Android, Web Portal.

  • With regard to the web portal, we thought of going with Spring Security Auth Server [OAuth2 + OpenID Connect],
    and there are use cases [SSO inbound, SSO outbound, SSO between the product's internal applications].

With all this in mind:

  1. Keycloak was ironed out for OIDC and OAuth2 + SSO integration.

Doubt

  • Let's say a web application [Angular + HTML5 + CSS] interacts with a backend REST / normal web service in JSON.
  • The security team recommended [message security] that whatever is sent from browser to server and from server back to browser should be encrypted [TLS alone is not enough].
  • The security team tested in Burp Suite and indicated that privacy fields are going in clear and are visible, so encryption is required for stateless services.

How to achieve this for the web portal and the Android application in general?

encryption – Cracking Vigenère Ciphers using same-length key used twice

Assume I had two ciphertexts which were encrypted using the same key, which has the same length as the ciphertexts. (However, the key didn’t have any repetitions or features that would assist in frequency analysis.)

Apart from the crib dragging technique (which I didn’t have much success in), are there any other techniques I can use to possibly crack these ciphertexts?

Multi signature encryption (multiple people can decrypt)

I understand that multi sig transactions exist so that X of N need to sign to release a transaction. If only 1 of N is required I guess any of the recipients can spend.

This made me wonder, is it possible to encrypt something, so that any one of a set of people can decrypt the data?

I suppose the data could be in the exponent or something, but also possibly going beyond bitcoin, would it be possible to do this with multiple Mb worth of data (stored off chain in this case)? I guess it would require some sort of script that means conditions have to be met to decrypt the data.

Why is it possible to bypass Android full disk encryption?

If you look up how to bypass the Android lock screen, there seem to be endless examples.

  1. Plug the phone into your PC, use the adb Android debugging tools, disable the lock screen.
  2. The forgot-password option can get some recovery code sent to your email.
  3. The “Emergency Call trick” was a bug in specific versions of Android that crashed the lock screen and let you into an encrypted device. How???
  4. etc.

I’m sure there are limitations to those examples, but still, none of this is possible at all if the drive was actually encrypted. What’s going on? I’m very confused. How do I encrypt my Android device so it’s actually encrypted and worthless without the key????

encryption – MSK from IEEE 802.1X-2010 – What is it?

IEEE 802.1X-2010 states:

“Generate an MSK of at least 64 octets, as required by IETF RFC 3748
(B14) Section 7.10, of which the first 16 or 32 octets are used by
this standard as described in 6.2.2.”

RFC3748 states:

“EAP method supporting key derivation MUST export a Master Session Key
(MSK) of at least 64 octets”

But I cannot find a definition anywhere: how to get/derive the MSK?

encryption – Does compression level influence security of encrypted 7z files?

I want to archive some GB of sensitive data. It is to be stored on an external drive that also includes non-sensitive data, so I don’t want to encrypt the whole drive. For that purpose I want to use 7zip and the 7z file format with AES-256 encryption and a long (16+ character) password.

Since most of the data to be encrypted is already compressed, or compression would not do much (for example videos), and disk space is not a problem, I want to choose “Store” as the compression level to speed up archive creation.

I don’t know much about the technical side of encryption, but from what I found, compression does not influence encryption, so choosing a higher compression level would not have any influence (positive or negative) on file security.

My question is whether this is correct, or does it indeed have an influence?

encryption – how does filevault get the key to unlock an encrypted drive?

I am trying to understand how FileVault (specifically the later version used in recent macOS releases, i.e. FileVault 2) stores and retrieves its encryption key.

This is prompted by two specific questions/observations:

  1. When you boot up a device with FileVault enabled, it goes to your login screen and shows your username, and a place to enter a password. When you do log in, it is extremely quick. This implies the disk already was decrypted. Assuming that the encryption key somehow was derived from your passphrase, this should be impossible, as you have not yet entered it.
  2. If you create an alternate OS install, e.g. another copy of the latest (Catalina) or a beta (Big Sur), in another APFS volume, you can encrypt it. Assuming you want similar convenient behaviour, the encryption key you provide should be related to whatever encryption key is used for your other volumes. Of course, it is possible that the read-only OS volume is not encrypted and only the read-write Data volume is encrypted, but that is not what appears in the various utilities.

encryption – Block cipher exercise CTR, CBC and ECB

I’m trying to figure out this exercise about CTR, CBC and ECB.

Given encryption matrix:

(29->0, 11->1, 26->2, 1->3, 21->4, 4->5, 15->6, 31->7, 27->8, 28->9, 2->10, 14->11, 8->12, 20->13, 9->14, 5->15, 0->16, 22->17, 7->18, 10->19, 3->20, 6->21, 25->22, 17->23, 24->24, 23->25, 19->26, 18->27, 16->28, 12->29, 13->30, 30->31)

0 encrypts to 29, i.e. E(K, 0) = 29, 3 maps to 20. To decrypt, read backwards, so 29 goes to 0 and 30 to 31. In notation: D(K, 30) = 31.

Hints:

· Plaintexts are 6-letter German words.

· Block length = 5.

· You must convert decimal to 5-bit binary to XOR in CBC and CTR mode. Example: 11_10 XOR 17_10 = 01011_2 XOR 10001_2 = 11010_2 = 26_10.

Code table: [image of the code table, not reproduced]

ECB-Ciphertext: (25, 29, 14, 14, 10, 21)
P_i=D(K,C_i)

CBC-Ciphertext (IV=0):(29, 16, 18, 7, 10, 23)

C_0 := IV

C_i=E(K,P_i XOR C_i-1)

P_i=C_i-1 XOR D(K,C_i)

CTR-Ciphertext (IV=0):(25, 14, 10, 23, 16, 29)

P_i=C_i XOR E(K,IV+i mod 2^blocksize)

I only get false results; these are not German words:

ECB Wallte

CBC abldut

CTR efqwfz
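
The three decryption formulas from the exercise above, as an added Python example that is not part of the original post. The names `load_table`, `ecb_decrypt`, `cbc_decrypt`, `cbc_encrypt`, `ctr_decrypt` and the `first_index` parameter are assumptions: the CTR formula does not say whether the first block uses i = 0 or i = 1, so the caller chooses. Results are block numbers, to be looked up in the exercise's code table, which is not reproduced on this page.

```python
# Added example: the exercise's 5-bit toy block cipher in ECB, CBC and CTR mode.
# Pairs copied from the post; "c->p" is read as E(K, p) = c and D(K, c) = p.
PAIRS = (
    "29->0, 11->1, 26->2, 1->3, 21->4, 4->5, 15->6, 31->7, 27->8, 28->9, "
    "2->10, 14->11, 8->12, 20->13, 9->14, 5->15, 0->16, 22->17, 7->18, "
    "10->19, 3->20, 6->21, 25->22, 17->23, 24->24, 23->25, 19->26, 18->27, "
    "16->28, 12->29, 13->30, 30->31"
)
BLOCK_BITS = 5
MASK = (1 << BLOCK_BITS) - 1          # counter arithmetic is mod 2^5


def load_table(pairs):
    """Parse the pair list and check it is a permutation of 0..31."""
    enc = {}
    for item in pairs.split(","):
        c, p = (int(x) for x in item.strip().split("->"))
        enc[p] = c
    full = list(range(1 << BLOCK_BITS))
    if sorted(enc) != full or sorted(enc.values()) != full:
        raise ValueError("table is not a permutation of 0..31")
    return enc, {c: p for p, c in enc.items()}


E, D = load_table(PAIRS)


def ecb_decrypt(ct):
    return [D[c] for c in ct]                     # P_i = D(K, C_i)


def cbc_decrypt(ct, iv=0):
    out, prev = [], iv                            # C_0 := IV
    for c in ct:
        out.append(prev ^ D[c])                   # P_i = C_{i-1} XOR D(K, C_i)
        prev = c                                  # chain on ciphertext, not plaintext
    return out


def cbc_encrypt(pt, iv=0):
    out, prev = [], iv
    for p in pt:
        prev = E[p ^ prev]                        # C_i = E(K, P_i XOR C_{i-1})
        out.append(prev)
    return out


def ctr_decrypt(ct, iv=0, first_index=1):
    # P_i = C_i XOR E(K, IV + i mod 2^blocksize); first_index is i for block 1.
    return [c ^ E[(iv + first_index + k) & MASK] for k, c in enumerate(ct)]
```

Re-encrypting a CBC result with `cbc_encrypt` and comparing it with the given ciphertext is a quick way to check a hand calculation block by block.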