Date:      Fri, 4 Mar 2005 16:20:56 +0100
From:      Joerg Sonnenberger <joerg@britannica.bec.de>
To:        hackers@freebsd.org
Subject:   Re: FUD about CGD and GBDE
Message-ID:  <20050304152056.GB1539@britannica.bec.de>
In-Reply-To: <20050303225849.0E7143700F@arioch.imrryr.org>
References:  <200503030217.j232HAGG088987@marlena.vvi.at> <20050303225849.0E7143700F@arioch.imrryr.org>

On Thu, Mar 03, 2005 at 05:58:49PM -0500, Roland Dowdeswell wrote:
> Disklabels for example have a checksum.  The checksum might not be
> terribly strong, but the chance that two different valid disklabels
> could even be decrypted with different keys is small, I would
> imagine.  The checksum takes off 2^32 seemingly valid disklabels
> and what about the rest of the fields?  There's lots of redundant
> information in there that could be cross referenced.

Actually this is the argument from PHK which I consider bogus and
which makes the claims about the security of GBDE bogus as well.
I do believe that GBDE is stronger than CGD when both use the same
algorithms, simply because there is more work to extract the
interesting data from GBDE (more keys to crack).

The whole argument of PHK why GBDE is so much stronger is based on the estimated
number of collisions in the detection of likely good plain texts. As you
mentioned, certain key structures of the disc indeed have a very high
structure. As far as I know, tests for the distribution of the inverse
encryption [ AES^{-1}{key} data ] are not very common, with the exception
of known or chosen plaintext where input and output are known.
IMO it would be a potential attack vector as well, if you have a large
number of such collisions, since that would mean the structure of the input
is reflected in the structure of the output.

Just to start with the claim of 2^384 (as random number) for a brute
force attack and an average number of 17 sectors to decode until
getting to the interesting data, we get sqrt^{17}{2^256} ~= 34131
collisions. Without a backing theory, I don't trust that number at all.
I have no reason to believe that any but the correct key passes the
test for a super block or whatever data structure there is. Not for a
key length of 128 bit (or 256 bit for that matter). Situation changes
with higher key length of course.

Joerg
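
The false-positive question argued in this message, as an added example that is not part of the original e-mail: a toy Feistel cipher with a 16-bit key (constructed here, not AES, GBDE or CGD) encrypts an 8-byte record carrying a CRC-32, and every key is tried to count how many decryptions pass the structure check. All function names, the key and the record are assumptions made for illustration.

```python
import hashlib
import zlib

KEY_BITS = 16  # toy key space so the exhaustive count runs in seconds (assumption)

def _round(key: int, rnd: int, half: bytes) -> bytes:
    # Keyed round function: 4 bytes of SHA-256 over key, round number, half-block.
    return hashlib.sha256(key.to_bytes(2, "big") + bytes([rnd]) + half).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: int, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def decrypt(key: int, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def make_label(payload: bytes) -> bytes:
    # Stand-in for a checksummed on-disk structure: 4 data bytes + CRC-32.
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def looks_valid(block: bytes, check_bits: int) -> bool:
    # Accept when the low check_bits of the stored checksum match the payload.
    mask = (1 << check_bits) - 1
    stored = int.from_bytes(block[4:], "big")
    return ((stored ^ zlib.crc32(block[:4])) & mask) == 0

def surviving_keys(ciphertext: bytes, check_bits: int) -> list[int]:
    # With k key bits and r check bits, about 2^(k-r) wrong keys should pass.
    return [k for k in range(1 << KEY_BITS)
            if looks_valid(decrypt(k, ciphertext), check_bits)]

TRUE_KEY = 0x2A5C                                    # constructed sample key
CIPHERTEXT = encrypt(TRUE_KEY, make_label(b"bsd1"))  # constructed sample record

if __name__ == "__main__":
    for bits in (8, 32):
        n = len(surviving_keys(CIPHERTEXT, bits))
        print(f"{bits:2d} check bits: {n} keys pass, "
              f"~{2 ** (KEY_BITS - bits):g} wrong keys expected")
```

Once the redundancy being tested exceeds the key length, only the correct key is expected to survive; with fewer check bits than key bits, the number of false positives grows as the difference of the two.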


