From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 3 20:28:26 2005
Date: Wed, 2 Mar 2005 16:33:16 -0800 (PST)
Message-Id: <200503030033.j230XG4G086979@marlena.vvi.at>
To: elric@imrryr.org
From: "ALeine"
cc: tech-security@NetBSD.org
cc: phk@phk.freebsd.dk
cc: hackers@freebsd.org
cc: tls@rek.tjls.com
cc: crypto@metzdowd.com
Subject: Re: FUD about CGD and GBDE
List-Id: Technical Discussions relating to FreeBSD

I must have missed this one before.

elric@imrryr.org wrote:

> Most of this started when I disputed some of the wild claims that
> PHK has made about the security of GBDE.

You have not disputed them, you have only confirmed the strengths of
GBDE and exposed the issue of atomic writes.

> Let me restate:
>
> In:
>
> http://www.bsdcan.org/2004/papers/gbde.pdf
>
> The claim is made that there is at least O(2^256) work to crack a
> disk and O(2^384) to crack the disk if the lock sectors are
> destroyed.

Have you read PHK's paper located at:

http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf

> I do not believe that I need any credibility whatsoever to call
> shenanigans on these outrageous claims.
>
> It is _plainly_obvious_ that if you encrypt 2^30 sectors each
> with a different 128 bit key then there are at most 2^158 different
> ways to decrypt the entire disk. Period.

You need 2^128 steps to break the encryption of a single sector.
But you have no idea which of the 2^128 sectors is the right one,
so you store all of the 2^128 * 512 = 2^137 bytes. Right, which
movie is this from? Imagine that you could do the same with the
next sector... And you do this for 2^30 sectors and then figure out
which of the 2^128^(2^30) sector variations is the right one?

This is the worst case scenario for an attacker and it obviously is
beyond anyone's dreams. You have to resort to attacking GBDE using
knowledge about how it does encryption if you want to have any kind
of realistic chance of breaking it. In the paper I mentioned PHK
analyzed the attack vectors and what kind of threat each one of them
represents. You act as if you could just brute force GBDE
automatically. It cannot happen.

ALeine