From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 3 21:45:36 2005
To: Todd Vierling
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Thu, 03 Mar 2005 16:34:24 EST."
Date: Thu, 03 Mar 2005 22:45:34 +0100
Message-ID: <11487.1109886334@critter.freebsd.dk>
Sender: phk@critter.freebsd.dk
cc: ALeine
cc: elric@imrryr.org
cc: "Perry E. Metzger"
cc: hackers@freebsd.org
cc: tech-security@NetBSD.org
cc: ticso@cicely.de
Subject: Re: FUD about CGD and GBDE
List-Id: Technical Discussions relating to FreeBSD

In message , Todd Vierling writes:
>On Thu, 3 Mar 2005, Poul-Henning Kamp wrote:
>
>> And if CGD is _so_ officially approved as you say, then I can not
>> for the life of me understand how it can use the same key to generate
>> the IV and perform the encryption. At the very least two different
>> keys should have been used at the "expense" of making the masterkey
>> 512 bits instead of 256.
>
>Technically, two different keys are used. The IV is generated from the
>block number (although it's pluggable for other IV generation methods,
>should one be desired; take a look!).
As I read it, he encrypts the block number using the key to get the IV,
which he then uses with the key to encrypt the data.

Since the attacker knows the block number, the IV generation doesn't add
strength. In fact, it exposes any weakness in the algorithm even more,
because it offers two-way leverage on the algorithm. It also adds a very
efficient hit-detector for a brute force attack.

It would have been much better to use a different key to generate the IV.

And did he salt the block number at all? I don't think so...

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
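The design the thread argues over, as an added illustration that is not code from CGD, GBDE or any of the participants: the message proposes paying for a 512-bit master key so that the IV generator and the data cipher never share a key, and asks whether the block number is salted. The example below splits a 512-bit master key into an encryption key and an independent IV key, derives the per-sector IV from a per-volume salt and the block number with that IV key, and contrasts it with the shared-key layout being criticised. HMAC-SHA256 stands in for the keyed primitive that turns the block number into an IV (the original scheme encrypts the block number with the block cipher); the data cipher itself, the 16-byte IV width, the salt and the master key are assumptions of this example, not values from the page.

```python
import hashlib
import hmac
from typing import Tuple

# IV width for a 128-bit block cipher such as AES. The data cipher itself is
# outside this example; only the key separation and IV derivation are shown.
IV_LEN = 16


def split_master_key(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split a 512-bit master key into two independent 256-bit keys.

    First half: data-encryption key. Second half: IV-derivation key.
    This is the "512 bits instead of 256" layout suggested in the message.
    """
    if len(master_key) != 64:
        raise ValueError("master key must be 512 bits (64 bytes)")
    return master_key[:32], master_key[32:]


def derive_iv(iv_key: bytes, salt: bytes, block_number: int) -> bytes:
    """Derive the IV for one block from a per-volume salt and the block number.

    HMAC-SHA256 is used here as the keyed PRF (an assumption of this example).
    The salt is a random per-volume value kept in the volume header, so the
    same block number on two volumes does not yield the same IV, which is the
    "salt the block number" point raised at the end of the message.
    """
    if block_number < 0:
        raise ValueError("block number must be non-negative")
    msg = salt + block_number.to_bytes(8, "big")
    return hmac.new(iv_key, msg, hashlib.sha256).digest()[:IV_LEN]


def shared_key_iv(enc_key: bytes, block_number: int) -> bytes:
    """The layout being criticised: IV derived from the block number with the
    SAME key that encrypts the data, and no salt. Shown only for contrast;
    a deployment should use derive_iv() with a separate key instead."""
    return hmac.new(enc_key, block_number.to_bytes(8, "big"),
                    hashlib.sha256).digest()[:IV_LEN]


def keys_are_separated(enc_key: bytes, iv_key: bytes) -> bool:
    """Sanity check a practitioner would put in volume setup: the IV key must
    never equal the data key (constant-time comparison to avoid timing leaks)."""
    return not hmac.compare_digest(enc_key, iv_key)


def sector_ivs(master_key: bytes, salt: bytes, count: int) -> list:
    """IVs for the first `count` blocks of a volume using the separated-key
    design. Returns a list so callers can check uniqueness across blocks."""
    enc_key, iv_key = split_master_key(master_key)
    if not keys_are_separated(enc_key, iv_key):
        raise ValueError("IV key must differ from data key")
    return [derive_iv(iv_key, salt, n) for n in range(count)]


if __name__ == "__main__":
    # Constructed demo values; a real volume draws both from os.urandom().
    demo_master = bytes(range(64))
    demo_salt = b"\x5a" * 16
    for n, iv in enumerate(sector_ivs(demo_master, demo_salt, 3)):
        print(f"block {n}: iv={iv.hex()}")
```

Running the block prints one distinct IV per block. Note what the separated layout buys: an attacker who knows the block number still learns nothing about the data key from the IV, because the IV key is an independent secret, and the per-volume salt means two volumes with the same master-key material do not share IV sequences.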