From owner-freebsd-security  Wed May  3 11:39:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from kobayashi.uits.iupui.edu (kobayashi.uits.iupui.edu [134.68.11.80])
	by hub.freebsd.org (Postfix) with ESMTP id 01BBC37BD00
	for <security@FreeBSD.ORG>; Wed,  3 May 2000 11:39:38 -0700 (PDT)
	(envelope-from ajk@iu.edu)
Received: from localhost (ajk@localhost)
	by kobayashi.uits.iupui.edu (8.9.3/8.9.3) with ESMTP id NAA22578;
	Wed, 3 May 2000 13:39:26 -0500 (EST)
	(envelope-from ajk@iu.edu)
Date: Wed, 3 May 2000 13:39:26 -0500 (EST)
From: "Andrew J. Korty" <ajk@iu.edu>
X-Sender: ajk@kobayashi.uits.iupui.edu
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: security@FreeBSD.ORG
Subject: Re: Cryptographic dump(8)
In-Reply-To: <200005031718.KAA63329@apollo.backplane.com>
Message-ID: <Pine.BSF.4.21.0005031329440.21805-100000@kobayashi.uits.iupui.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 May 2000, Matthew Dillon wrote:

>     Store something like this in the header:
> 
>     [random (16 bytes)][MD5 of entire header including random, not including
>     the MD5 itself]
> 
>     [ .................. entire block is encrypted (entire header, including
>     random and MD5)]
> 
>     Restore would then decrypt the header using the user-supplied key, then
>     MD5 it and compare the MD5 against the decrypted MD5.
> 
>     Storing a random sequence in the header that is MD5'd as well as 
>     encrypted is very important because otherwise someone trying to break
>     the encryption can 'guess' at what the contents of the header was in
>     order to try to reverse-engineer the encryption.

That sounds good, but I should probably leave the very first
header as cleartext.  That way, I can put a flag there to tell
restore whether or not this tape is encrypted or not.

>     Also, putting a random number in each block is important if each block
>     is separately encrypted, for the same reason.

Would it be acceptable to encrypt the header and block together
but each header/block pair separately?  I don't think I have room
to add anything in the block, so maybe I could get that randomness
from what I add to the header (CBC should propagate it a little).

-- 
Andrew J. Korty, Lead Security Engineer
Office of the Vice President for Information Technology
Indiana University




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message