From: Roland Dowdeswell
To: "ALeine"
cc: tech-security@NetBSD.org, phk@phk.freebsd.dk, hackers@freebsd.org, tls@rek.tjls.com, crypto@metzdowd.com
Date: Thu, 03 Mar 2005 13:37:46 -0500
Subject: Re: FUD about CGD and GBDE
In-reply-to: Your message of "Wed, 02 Mar 2005 13:52:19 PST." <200503022152.j22LqJTw084488@marlena.vvi.at>
Message-Id: <20050303183746.DAD403700F@arioch.imrryr.org>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On 1109800339 seconds since the Beginning of the UNIX epoch "ALeine" wrote:

> >> Both Lucky Green and David Wagner have nodded vertical on GBDE.
>
>I trust the professional opinions of both Lucky Green and David Wagner
>at least an order of magnitude more than that of Roland Dowdeswell,
>especially after this discussion.

Most of this started when I disputed some of the wild claims that PHK has
made about the security of GBDE. Let me restate:

In:

    http://www.bsdcan.org/2004/papers/gbde.pdf

the claim is made that there is at least O(2^256) work to crack a disk
and O(2^384) to crack the disk if the lock sectors are destroyed.

I do not believe that I need any credibility whatsoever to call
shenanigans on these outrageous claims. It is _plainly_obvious_ that if
you encrypt 2^30 sectors each with a different 128 bit key then there
are at most 2^158 different ways to decrypt the entire disk. Period.

PHK then says that it might be difficult to detect whether you got a hit
on any individual sector. Well, if we are to believe the O(2^384) claim,
then we must assume that the amount of work to verify one of the 2^158
different possibilities is

    2^{384 - 158} = 2^226

So, verifying that you have correctly decrypted the disk is now suddenly
almost as hard as cracking 256 bit AES? I can't quite bring myself to
believe that.

This has made me rather suspicious of many other claims that have been
floating around w.r.t. GBDE.

--
Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
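As an added illustration, not code from this thread or from GBDE/CGD, a toy model of the counting argument above: sectors under independent keys are attacked one at a time, so the work adds up (N * 2^k) rather than multiplying (2^(k*N)), and any claimed total above that bound must be paid for in the per-candidate verification step. The 8-bit toy key, the hash-derived keystream and the known-plaintext marker are constructed assumptions, not GBDE's design.

```python
import hashlib

KEY_BITS = 8            # toy key size; the argument is about exponents, not the cipher
SECTOR_MAGIC = b"SECT"  # constructed: known plaintext at the start of every sector


def keystream(key: int, length: int) -> bytes:
    """Toy keystream: SHA-256 of the key, repeated. Not a real cipher."""
    digest = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return (digest * (length // len(digest) + 1))[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_disk(plaintexts, keys):
    """Each sector gets its own independent key, as in the argument above."""
    return [xor(p, keystream(k, len(p))) for p, k in zip(plaintexts, keys)]


def brute_force_disk(ciphertexts):
    """Recover every sector key independently; return (keys, trials used).

    The attacker never has to guess all keys at once: each sector is a
    separate search of size 2^KEY_BITS, checked with the known plaintext.
    """
    recovered, trials = [], 0
    for ct in ciphertexts:
        for guess in range(1 << KEY_BITS):
            trials += 1
            if xor(ct, keystream(guess, len(ct))).startswith(SECTOR_MAGIC):
                recovered.append(guess)
                break
        else:
            recovered.append(None)  # no key produced the marker
    return recovered, trials


def worst_case_trials(n_sectors: int, key_bits: int) -> int:
    """Upper bound on candidate decryptions: N * 2^k, not 2^(k*N)."""
    return n_sectors * (1 << key_bits)


def implied_verify_cost_bits(claimed_bits: int, sectors_bits: int, key_bits: int) -> int:
    """If total work is claimed to be 2^claimed_bits, each of the 2^sectors_bits * 2^key_bits
    candidates would have to cost 2^(claimed_bits - sectors_bits - key_bits) to verify."""
    return claimed_bits - sectors_bits - key_bits
```

With the thread's figures, `implied_verify_cost_bits(384, 30, 128)` gives 226, the per-candidate verification cost the O(2^384) claim would require.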