From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 3 16:47:49 2005
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A483316A4CE for ; Thu, 3 Mar 2005 16:47:49 +0000 (GMT)
Received: from critter.freebsd.dk (f170.freebsd.dk [212.242.86.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id D42CC43D48 for ; Thu, 3 Mar 2005 16:47:46 +0000 (GMT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.13.1/8.13.1) with ESMTP id j23GljcX008838; Thu, 3 Mar 2005 17:47:45 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: tls@rek.tjls.com
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Thu, 03 Mar 2005 10:48:47 EST." <20050303154847.GA3454@panix.com>
Date: Thu, 03 Mar 2005 17:47:45 +0100
Message-ID: <8837.1109868465@critter.freebsd.dk>
Sender: phk@critter.freebsd.dk
cc: tech-security@NetBSD.org
cc: elric@imrryr.org
cc: hackers@freebsd.org
cc: crypto@metzdowd.com
Subject: Re: FUD about CGD and GBDE
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Thu, 03 Mar 2005 16:47:49 -0000

In message <20050303154847.GA3454@panix.com>, Thor Lancelot Simon writes:

>No, it would not. What it _would_ take would be an abandonment of the
>adamant position that your home-grown cryptosystem is superior to
>simply encrypting the disk with 256-bit AES.

Where I come from "home-grown" is not derogative. All cryptosystems
are by necessity home-grown for somebody somewhere.

If you are _convinced_ that there will be no attacks which can exploit
the ample data CGD offers for two-way leverage on the crypto algorithm
during the relevant lifetime of your data, then stick with CGD and be
happy.

If, like me, that makes you quite uneasy, look for something which
mitigates that issue, like for instance GBDE.

If neither suits you, design your own.

>Generally, complexity is not considered a desirable property in
>cryptosystems. GBDE violates this rule in spades. There are _reasons_
>why complexity is not good: to begin with, a very complex cryptographic
>construct will require detailed analysis (which it does not appear
>GBDE has had by anyone but its author until Roland started looking at
>it) in order that we may know that it is even as secure as the underlying
>algorithmic building blocks it uses.

Both Lucky Green and David Wagner have nodded vertical on GBDE.

>[crypto sermon]

I fully agree with you about the philosophical points, but not on the
implications.

I cannot convince myself that encrypting a 40 GB disk sector by sector
using the same key, even if it is 256 bits, is a safe design.

You seem to believe otherwise.

And that's where it ends.

Have a good life.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.