But how does the encryption work? The encrypted cttest sample has a period of 24 bytes, but the plain text has six bytes. Six is a factor of 24. Taking into consideration that the word sizes in block-based encryption tend to be powers of two, a word size of eight bytes – 64 bits – becomes likely, because 24 is both three times eight and four times six. This results in the following substitution table:
0000000000000000 -> 0000000000000000
6374746573746374 -> 5cf0d85c5cf44cb3
7465737463747465 -> d85c5cf45cf0de12
7374637474657374 -> 5cf45cf0d85c5cb3
Using another series with different test blocks we're able to find out that the encoding is independent of the block number, the position within the block and the PIN used. We are, therefore, dealing with a function that takes the aggregate of 64-bit words and maps it onto itself in some scrambled way. Like its inverse function, the decryption, this function needs a one-to-one relation to avoid data jumbles.
If the substitution table had been thrown together randomly apart from the zero, this would still produce a reasonably useful encryption, but the entire table would be so large that all the storage available to humanity would barely be sufficient for saving it, let alone the space on such a small controller. Therefore, there must be a mathematical function that fully describes the encryption function, as well as the corresponding inverse function for decryption.
A little brainstorming in the editorial office hatches the crucial idea: The encryption mechanism could be a simple linear function of the form
y = A · x
with 64 bits (for mathematicians: in 64 dimensions). Solved for x we arrive at the following decryption function:
x = A-1 · y
Most people probably still remember these functions from school as describing straight lines, only that in this case A is not a real number for the slope and A-1 its reciprocal value, but they are a binary 64×64 matrix and its inverse matrix instead. Therefore, all that's required for cracking the encryption is that we figure out the matrix A-1, because this matrix can be used for converting any encoded text into plain text.
The best thing about this is that the controller almost presents this decryption matrix on a silver platter, because it decrypts data that is written directly to the SATA disk when the data is read via the enclosure's interface. To put it simply, if the matrix equivalent of a one is written to the SATA disk, the decryption matrix can be read out via the drive's enclosure.
Identity matrix
A little linear algebra is required for implementing this in practice. In matrix multiplication, identity matrices take on the role of the one as neutral element of the multiplication. They only contain ones on their main diagonal and have zeros everywhere else. For an 8-bit linear function, the identity matrix looks like this (the brackets contain the 8-bit row values in hex format):
00000001 (0x01)
00000010 (0x02)
00000100 (0x04)
00001000 (0x08)
00010000 (0x10)
00100000 (0x20)
01000000 (0x40)
10000000 (0x80)
We need to send this identity matrix through the decryption function row by row to obtain the rows of the matrix A-1 we are looking for. If the encryption function works with bytes (8-bit words), the byte sequence to be decoded is 01 02 04 08 10 20 40 80. Assuming a result of 42 01 0E 04 40 91 20 55, the matrix we are looking for is:
01000010 (0x42)
00000001 (0x01)
00001110 (0x0E)
00000100 (0x04)
01000000 (0x40)
10010001 (0x91)
00100000 (0x20)
01010101 (0x55)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
