This Q&A, how-do-decryption-algorithms-determine-whether-your-attempted-passphrase-is-correct, suggests that decryption algorithms which need to know whether a passphrase is correct use HMAC to validate the correctness of the passphrase.
Therefore, when it's important to be able to inform the user whether a
decryption operation has succeeded in yielding the expected data,
cryptography engineers use Message Authentication Codes.
Hash-based MACs allow a candidate plaintext to be compared against an
authenticated hash value. If the check passes, then we know that it is
the correct plaintext and are then able to notify the user that the
decryption function was successful as intended.
Some info about EncFS design:
- There is a volume key which is used for encrypting all file names and contents
- A user-supplied password is used to decrypt the volume key
The password you provide is used to decrypt the volume key.
Technology
Encfs uses algorithms from third-party libraries (OpenSSL is the default) to encrypt data and filenames.
A user supplied password is used to decrypt a volume key, and the volume key is used for encrypting all file names and contents. This
makes it possible to change the password without needing to re-encrypt
all files.
According to this security audit:
- EncFS uses the same key for encrypting data and computing MACs
- EncFS uses 64-bit MACs.
- EncFS uses Mac-then-Encrypt
- The purpose of MAC headers is to prevent an attacker with read/write
access to the ciphertext from being able to make changes without being
detected. Unfortunately, this feature provides little security, since
it is controlled by an option in the .encfs6.xml configuration file
In answer to the question in the comments: the MAC is saved as part of each encrypted file.
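The password-to-volume-key scheme described in this answer, as an added sketch that is not EncFS code and not part of the original post: a password-derived key wraps a random volume key, an HMAC over the wrapped blob tells a wrong password apart from a right one, and changing the password re-wraps only the volume key. Assumptions: all function names and the blob layout are hypothetical, the stream cipher is a standard-library stand-in (HMAC-SHA256 in counter mode), and the sketch uses separate encryption and MAC keys with encrypt-then-MAC, unlike the EncFS behaviour listed in the audit.

```python
import hashlib
import hmac
import os

def _derive(password: str, salt: bytes):
    # Stretch the password into 64 bytes and split them into an
    # encryption key and an independent MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode,
    # used only so the example runs without third-party libraries.
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = (i // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_volume_key(password: str, volume_key: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    ct = _keystream_xor(enc_key, nonce, volume_key)
    # Encrypt-then-MAC: the tag covers everything stored on disk.
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_volume_key(password: str, blob: dict):
    enc_key, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    # Constant-time comparison; a mismatch means a wrong password
    # or a modified blob, and nothing is decrypted.
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _keystream_xor(enc_key, blob["nonce"], blob["ct"])

def change_password(old: str, new: str, blob: dict) -> dict:
    # Only the wrapped volume key is rewritten; data encrypted under
    # the volume key itself is untouched.
    volume_key = unwrap_volume_key(old, blob)
    if volume_key is None:
        raise ValueError("wrong password")
    return wrap_volume_key(new, volume_key)
```

Without the tag check, a wrong password would still "decrypt" to 32 bytes of garbage, and the program would have no way to tell the user the password was incorrect.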