eCryptfs

How does eCryptfs recognise the 'special marker' in its files?

Asked by Ted_Smith

Hi Dustin or Tyler

There's an 8 byte special marker at the start of every eCryptfs file (second sequence of 8 bytes). The marker is generated by XOR'ing a randomly generated 4 byte value (X) with another 4 byte static hex value of 0x3c81b7f5 which produces the 8 byte marker itself (Y). So the value 0x3c81b7f5 is never stored, I don't think.

Given that X is randomly generated and Y is the XOR'd result of "X + 0x3c81b7f5" combined, how does the value assure eCryptfs that it is an eCryptfs file? I am confused as the value must surely be effectively random? What does eCryptfs look for?

Thanks

Ted

Question information

Language:
English Edit question
Status:
Solved
For:
eCryptfs Edit question
Assignee:
No assignee Edit question
Solved by:
Ted_Smith
Solved:
Last query:
Last reply:
Revision history for this message
mhalcrow (mhalcrow) said : 		#1

> how does the value assure eCryptfs that it is an eCryptfs file?

It doesn't provide this assurance. It's just pretty unlikely that some non-eCryptfs file (such as a tarball that contains an eCryptfs file) will unintentionally have that value in that location in its header.

Refer to the code that verifies the marker to see how it works:

http://fxr.watson.org/fxr/source/fs/ecryptfs/crypto.c?v=linux-2.6;im=excerpts#L1029

Revision history for this message
Ted_Smith (tedsmith28) said : 		#2

Would that be THE Michael Halcrow replying to me? If so, it's a pleasure. I have read much of your design documents on eCryptfs.

Regarding your reply - I wish I could read C better! I'm afraid I can't make much sense of the code though.

I understand what you mean when you say it doesn't provide that assurance but then again, when you say:

"It's just pretty unlikely that some non-eCryptfs file...will unintentionally have that value in that location in its header." - THE value will be different for every file though, so how does it tell eCryptfs that it's anything to do with eCryptfs if it's more or less totally random? ANy file could have a consecutive series of 8 bytes in the second 8 byte range of it's header, couldn't it? There must be something in that series of 8 bytes that tells eCryptfs "Hey, I'm an eCryptfs file!"?

Any further info would be warmly received.

Revision history for this message
Ted_Smith (tedsmith28) said : 		#3

Think I have sorted it :

Y = 0x3c81b7f5
X = some random value from get_random_bytes function

Z = X ^ Y (also a random value, due to X being random)

Now, X and Z can be read from the file header. If they are then XOR'd together, the following relation holds:

X ^ Z = X ^ (X ^ Y) = Y

So you should end up with the value 0x3c81b7f5.