Date: Thu, 03 Mar 2005 17:58:49 -0500
From: Roland Dowdeswell <elric@imrryr.org>
To: "ALeine" <aleine@austrosearch.net>
Cc: ticso@cicely.de
Subject: Re: FUD about CGD and GBDE
Message-ID: <20050303225849.0E7143700F@arioch.imrryr.org>
In-Reply-To: Your message of "Wed, 02 Mar 2005 18:17:10 PST." <200503030217.j232HAGG088987@marlena.vvi.at>

On 1109816230 seconds since the Beginning of the UNIX epoch
"ALeine" wrote:
>
>No, you are wrong.
>
>    2^128*2^30 = 2^158
>
>We are actually dealing with:
>
>    (2^128)^(2^30) = 2^(128*2^30) = 2^(2^37) = 2^137438953472
>           ^--- notice the minor difference

It is a serial attack that is:

        for (i=0; i < n; i++) {
                crack the i'th key--key block;
        }

So it is actually where $n$ is the number of key--key sectors:

           n
        -------
        \
         \        128      128
          >      2    = n 2
         /
        /
        -------
         i = 0

(sorry about the bad ascii art, there, but I thought that would be
the best way to draw it.)

So, for a disk with 2^30 key--key sectors it would be

        2^30 * 2^128 = 2^158

I realise that PHK has been claiming that you might get false
positives, and that you somehow have to maintain a matrix of past
this and that. It is a lot simpler than this really. For each
key--key sector you are brute forcing, there are 2^128 different
keys to try. Now, the key--key sector protects 32 disk sectors
which contain 32 * 512 * 8 = 131072 bits. That means that there
are 2^131072 possibilities for what can be in those 32 sectors.

So, I think that we can see where I am going here? There will not
be very many false positives when you are brute forcing. It is
quite unlikely that there even exists an AES128 key which would
produce one. Depending on how many bits of the 32 sectors are
being used, the probability could be as low as

            1
        --------
        2^130944

Which is a very small number indeed.

Now, granted not the entirety of the 32 sectors will be recognisable,
or necessarily even used---but a fair percentage will. Enough to
come up with numbers that may not be so astronomically small, are
still staggeringly small---a staggeringly small possibility that
such a false positive generating key actually exists at all.

Disklabels for example have a checksum. The checksum might not be
terribly strong, but the chance that two different valid disklabels
could even be decrypted with different keys is small, I would
imagine. The checksum takes off 2^32 seemingly valid disklabels and
what about the rest of the fields? There's lots of redundant
information in there that could be cross referenced.

The examples abound. Disks are very well structured and so are
the files on them.

So, I think that considering that you are cracking 16KB at a time
there will not be terribly many false positives to find. You will
not have to write a lot of machinery to detect them.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
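
Added example, not part of the original message or of the CGD/GBDE code: a toy measurement of the false-positive argument above, counting how many wrong keys survive a structure check as the number of recognisable bits grows. The 16-bit keyspace, the SHA-256 keystream standing in for the cipher, and the CRC-32 block format are all assumptions chosen so the exhaustive search finishes in seconds.

```python
import hashlib
import zlib

KEY_BITS = 16  # toy keyspace (assumption) so the whole search runs in seconds


def decrypt(data: bytes, key: int) -> bytes:
    """XOR with a SHA-256-derived keystream: a stand-in cipher, not AES or GBDE."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream[:len(data)], "big")
    return mixed.to_bytes(len(data), "big")


encrypt = decrypt  # an XOR stream cipher is its own inverse


def make_block(payload: bytes) -> bytes:
    """Structured plaintext: payload followed by its CRC-32 (constructed format)."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def looks_valid(block: bytes, check_bits: int) -> bool:
    """Accept a trial decryption if the low check_bits of the CRC match."""
    mask = (1 << check_bits) - 1
    stored = int.from_bytes(block[-4:], "big")
    return ((zlib.crc32(block[:-4]) ^ stored) & mask) == 0


def surviving_keys(ciphertext: bytes, check_bits: int) -> list[int]:
    """Try every key; return those whose decryption passes the structure check."""
    return [k for k in range(1 << KEY_BITS)
            if looks_valid(decrypt(ciphertext, k), check_bits)]


def expected_false_positives(key_bits: int, check_bits: int) -> float:
    """Wrong keys expected to pass by chance: (2^key_bits - 1) / 2^check_bits."""
    return (2 ** key_bits - 1) / 2 ** check_bits


TRUE_KEY = 0xBEEF  # constructed sample key
CIPHERTEXT = encrypt(make_block(b"constructed label, 28 bytes."), TRUE_KEY)

if __name__ == "__main__":
    for bits in (8, 32):
        found = surviving_keys(CIPHERTEXT, bits)
        print(bits, "check bits:", len(found) - 1, "false positives, expected",
              expected_false_positives(KEY_BITS, bits))
```

With fewer recognisable bits than key bits, wrong keys pass in roughly the predicted number; once the recognisable bits exceed the key bits, the expected count drops below one, which is the regime the message describes for 16KB of structured data under a 128-bit key.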