Some time ago I asked a question here about WinRAR security, and probably the most common recommendation I came across was to use VeraCrypt.
VeraCrypt uses XTS, but according to others, XTS encryption is unnecessarily complicated and does not provide enough protection to be considered secure (see Thomas Ptacek and Erin Ptacek, "You Don't Want XTS" (2014-04-30), or "Evaluation of Some Blockcipher Modes of Operation" by Phillip Rogaway).
An attacker can predict the plaintext, i.e. he only needs to generate i (the 128-bit sector index value) and j (the sequential number of the block inside the sector), which would not be as time-consuming as brute force.
Especially in combination with flash memory, in my opinion, the risk increases where the media itself may be write-protected and some metadata on the media may be stored repeatedly without users knowing. A lot of this depends on the hardware architecture itself...
E.g. metadata "A" is stored on the medium, and during use it is overwritten by other metadata "B", "C", "D"; one day the same data as in the past, for example "B", will be written again, and thus two identical ciphertext strings appear on the flash memory.
If my assumption is correct, at the lowest physical level 128-bit-long strings could be written repeatedly as a result of writing data that was already written to the disk in the past. Because the same plaintext at the same logical location should generate the same ciphertext, a bright attacker might be able to guess what plaintext is hidden behind the repeating ciphertext strings.
It would be good to know how exactly the low-level filesystem works and what kind of operations it performs on the media in normal and read-only modes.
The VeraCrypt documentation explains why to avoid in-place encryption; that's pretty clear. They also generally recommend avoiding encryption of media with wear levelling, without further explanation. However, the VeraCrypt audit from 2020 mentions the transfer of encrypted data on USB as one of the options, although it does not recommend VeraCrypt for sensitive data or for people or applications with high-security requirements. Among other things, you can still buy USB drives with XTS encryption on the market.
- Do you think attacks like this are feasible?
- How vulnerable is flash media in the case that in-place encryption isn't applied and no data was previously stored on it?
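To make the repetition scenario from the question concrete, here is an added XTS-AES-128 example written for this thread; it is not VeraCrypt's code and does not reproduce VeraCrypt's on-disk layout or key handling. It implements the IEEE 1619 XTS construction for whole 512-byte sectors on top of Go's standard crypto/aes, with the sector number as a 64-bit little-endian tweak input; `newXTS`, `process`, `EncryptSector`, `Write` and `RepeatedWrites` are names chosen here, and the key and sector contents are constructed sample values. `RepeatedWrites` plays the "A, B, C, D, then B again" sequence through the cipher and reports which writes produced byte-identical ciphertext: the same content in the same logical sector repeats exactly (what an observer of raw flash pages could notice), while the same content in another sector, and identical 16-byte blocks inside one sector, do not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Illustrative XTS-AES-128 for whole sectors (IEEE 1619, full 16-byte blocks
// only, so no ciphertext stealing). Added for this thread; not VeraCrypt's code.
type xtsCipher struct{ k1, k2 cipher.Block } // k1: data blocks, k2: tweak

func newXTS(key []byte) (*xtsCipher, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("xts: need a 32-byte key, got %d", len(key))
	}
	k1, err := aes.NewCipher(key[:16])
	if err != nil {
		return nil, err
	}
	k2, _ := aes.NewCipher(key[16:]) // same length as k1, cannot fail
	return &xtsCipher{k1, k2}, nil
}

// mulAlpha multiplies the little-endian tweak by x in GF(2^128) modulo
// x^128 + x^7 + x^2 + x + 1, giving the tweak of the next block in the sector.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// process encrypts (or decrypts) one sector: block j becomes E_k1(P_j ^ T_j) ^ T_j
// with T_0 = E_k2(sector number) and T_{j+1} = T_j * x. Nothing random enters,
// so the same data written to the same sector always yields the same ciphertext.
func (x *xtsCipher) process(dst, src []byte, sector uint64, encrypt bool) {
	if len(src)%aes.BlockSize != 0 || len(dst) != len(src) {
		panic("xts: sector length must be a multiple of 16 bytes")
	}
	var tweak, tmp [16]byte
	binary.LittleEndian.PutUint64(tweak[:8], sector)
	x.k2.Encrypt(tweak[:], tweak[:])
	for j := 0; j < len(src); j += aes.BlockSize {
		for i := range tmp {
			tmp[i] = src[j+i] ^ tweak[i]
		}
		if encrypt {
			x.k1.Encrypt(tmp[:], tmp[:])
		} else {
			x.k1.Decrypt(tmp[:], tmp[:])
		}
		for i := range tmp {
			dst[j+i] = tmp[i] ^ tweak[i]
		}
		mulAlpha(&tweak)
	}
}

func (x *xtsCipher) EncryptSector(sector uint64, p []byte) []byte {
	c := make([]byte, len(p))
	x.process(c, p, sector, true)
	return c
}

// Write is one logical sector write as it reaches the encryption layer.
type Write struct {
	Sector uint64
	Data   []byte
}

// RepeatedWrites returns (earlier, later) index pairs of writes whose ciphertext
// is byte-identical. Such a pair is what someone reading raw flash pages could
// notice: it reveals "same content as an earlier write", not the content itself.
func RepeatedWrites(x *xtsCipher, writes []Write) [][2]int {
	first := make(map[string]int) // ciphertext -> index of the first write producing it
	var pairs [][2]int
	for i, w := range writes {
		ct := string(x.EncryptSector(w.Sector, w.Data))
		if f, ok := first[ct]; ok {
			pairs = append(pairs, [2]int{f, i})
		} else {
			first[ct] = i
		}
	}
	return pairs
}

func main() {
	x, _ := newXTS(bytes.Repeat([]byte{0x42}, 32)) // constructed sample key
	sec := func(b byte) []byte { return bytes.Repeat([]byte{b}, 512) } // constructed sector content
	// The question's scenario: A, B, C, D, then B again in sector 7, plus B in sector 8.
	writes := []Write{{7, sec('A')}, {7, sec('B')}, {7, sec('C')}, {7, sec('D')}, {7, sec('B')}, {8, sec('B')}}
	fmt.Println("repeated ciphertexts (earlier, later):", RepeatedWrites(x, writes)) // [[1 4]]
}
```

The only repeat reported is the pair (1, 4): the second write of "B" to sector 7. Write 5 carries the same "B" content but lands in sector 8, so its tweak differs and the ciphertext does not match, and within one sector every block gets its own tweak, so a sector of identical plaintext blocks still encrypts to all-different blocks. Whether such repeats survive on the physical flash depends on the wear-levelling and garbage-collection behaviour of the controller, which this example does not model.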