From owner-freebsd-security Wed May 3 15:21: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mtiwmhc21.worldnet.att.net (mtiwmhc21.worldnet.att.net [204.127.131.46]) by hub.freebsd.org (Postfix) with ESMTP id 5905C37B506 for ; Wed, 3 May 2000 15:21:03 -0700 (PDT) (envelope-from shalunov@att.net)
Received: from sharik.worldnet.att.net ([12.68.38.74]) by mtiwmhc21.worldnet.att.net (InterMail vM.4.01.02.39 201-229-119-122) with ESMTP id <20000503222101.JZXG1339.mtiwmhc21.worldnet.att.net@sharik.worldnet.att.net>; Wed, 3 May 2000 22:21:01 +0000
Received: (from shalunov@localhost) by sharik.worldnet.att.net (8.9.2/8.9.2) id SAA00803; Wed, 3 May 2000 18:21:01 -0400 (EDT) (envelope-from shalunov)
To: Matthew Dillon
Cc: freebsd-security@freebsd.org
Subject: Re: Cryptographic dump(8)
References: <200005031718.KAA63329@apollo.backplane.com>
From: stanislav shalunov
Date: 03 May 2000 18:21:00 -0400
In-Reply-To: Matthew Dillon's message of "Wed, 3 May 2000 10:18:40 -0700 (PDT)"
Message-ID: <87snvz46nn.fsf@sharik.worldnet.att.net>
Lines: 33
X-Mailer: Gnus v5.5/Emacs 20.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Dillon writes:

> [random (16 bytes)][MD5 of entire header including random, not including
> the MD5 itself]
> [ .................. entire block is encrypted (entire header, including
> random and MD5)]
>
> Restore would then decrypt the header using the user-supplied key, then
> MD5 it and compare the MD5 against the decrypted MD5.

Doesn't this seem too complex? Storing the MD5 of the cleartext header as the first two blocks is enough (and somewhat guards you against a poor choice of IV, too; a poor choice of IV isn't catastrophic with CBC).

Mallory can still modify the tape in the middle and you won't notice it. If you're happy with two passes for restore, you could put the MD5 of the entire tape at the end.

> Also, putting a random number in each block is important if each block
> is separately encrypted, for the same reason.

I'm afraid you've either missed the fact that he uses CBC, or might be missing the implications of this. How much random data do you want to put into an 8-byte block, anyway?

> Using /dev/random to obtain your random numbers is considered to be
> acceptable.

The bandwidth of /dev/random is far too small even on the busiest machines to provide (unnecessary) random data for each block.

--
stanislav shalunov | Speaking only for myself.
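The two layouts argued over above, modelled end to end as an added example (this is not code from the thread, from dump(8) or from FreeBSD). The 8-byte block cipher is a hypothetical MD5-based Feistel network standing in for whatever cipher dump would use, the header magic, header size, constant IV and sample tape body are all assumptions, and the tamper is a single flipped ciphertext bit. It shows the three things the message claims: Dillon's encrypted header-with-MD5 acts as a key check and rejects a wrong key; a modification in the middle of a CBC-encrypted tape passes that check, with the damage confined to the hit block and the one after it; and an MD5 over the whole tape, checked on a second pass, catches the same edit.

```python
"""Toy model of the dump(8) tape-header integrity schemes discussed above.

Added example; the cipher, header layout, IV and sample data are assumptions.
"""
import hashlib
import os

BLOCK = 8                 # 8-byte cipher blocks, as in the thread
ROUNDS = 4                # rounds of the toy Feistel cipher
IV = bytes(BLOCK)         # constant IV (assumption; a real tool would randomise it)
MAGIC = b"DUMPHDR\x00"    # hypothetical 8-byte header magic
HDR_LEN = 8 + 16 + 16     # magic || random(16) || MD5(magic || random)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key):
    # Per-round subkeys derived from the user key (toy key schedule).
    return [hashlib.md5(key + bytes([i])).digest() for i in range(ROUNDS)]


def encrypt_block(key, blk):
    """Hypothetical 8-byte Feistel cipher; round function is 4 bytes of MD5."""
    l, r = blk[:4], blk[4:]
    for k in _subkeys(key):
        l, r = r, _xor(l, hashlib.md5(k + r).digest()[:4])
    return r + l


def decrypt_block(key, blk):
    r, l = blk[:4], blk[4:]
    for k in reversed(_subkeys(key)):
        l, r = _xor(r, hashlib.md5(k + l).digest()[:4]), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(decrypt_block(key, c), prev)
        prev = c
    return bytes(out)


def write_tape(key, body):
    """Dillon's layout: header = [random 16][MD5 of magic||random], and the
    header followed by the body is one CBC-encrypted stream."""
    if len(body) % BLOCK:
        raise ValueError("body must be a multiple of the block size")
    rnd = os.urandom(16)
    hdr = MAGIC + rnd + hashlib.md5(MAGIC + rnd).digest()
    return cbc_encrypt(key, IV, hdr + body)


def read_tape(key, tape):
    """Restore side: decrypt, re-hash the header, compare.  Returns the body,
    or None when the key (or the header) does not verify."""
    pt = cbc_decrypt(key, IV, tape)
    hdr, body = pt[:HDR_LEN], pt[HDR_LEN:]
    if hdr[:8] != MAGIC or hashlib.md5(hdr[:24]).digest() != hdr[24:]:
        return None
    return body


def seal_tape(tape):
    """Shalunov's two-pass variant: MD5 of the entire tape appended at the end."""
    return tape + hashlib.md5(tape).digest()


def check_trailer(sealed):
    tape, trailer = sealed[:-16], sealed[-16:]
    return hashlib.md5(tape).digest() == trailer, tape


def flip_bit(data, offset):
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def demo(key=b"correct horse battery"):
    body = b"constructed tape body".ljust(32, b".")   # 4 blocks of sample data
    tape = write_tape(key, body)
    results = {
        "restore_ok": read_tape(key, tape) == body,
        "wrong_key_rejected": read_tape(b"wrong key", tape) is None,
    }
    # Mallory flips one bit in the second body block of the ciphertext.
    tampered = flip_bit(tape, HDR_LEN + BLOCK)
    restored = read_tape(key, tampered)
    results["tamper_passes_header_check"] = restored is not None
    # CBC confines the damage: the hit block decrypts to garbage, the next
    # block gets the same single bit flipped, everything else is intact.
    results["body_blocks_changed"] = sum(
        restored[i:i + BLOCK] != body[i:i + BLOCK]
        for i in range(0, len(body), BLOCK))
    # The whole-tape digest catches the same edit on a second pass.
    sealed = seal_tape(tape)
    results["trailer_accepts_intact"] = check_trailer(sealed)[0]
    results["trailer_detects_tamper"] = not check_trailer(
        flip_bit(sealed, HDR_LEN + BLOCK))[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The header digest only ever proves that the key was right; nothing in either layout binds the body to it, which is why the flipped bit sails through. Note also that a plain MD5 trailer is as unkeyed as the header digest: it catches bit rot and a careless edit, but anyone who can rewrite the tape can recompute it, so against Mallory proper the trailer would itself need to be keyed or encrypted.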