Date: Thu, 03 Mar 2005 15:12:23 -0500
From: "Perry E. Metzger" <perry@piermont.com>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: ticso@cicely.de
Subject: Re: FUD about CGD and GBDE
Message-ID: <87ekewjxp4.fsf@snark.piermont.com>
In-Reply-To: <10479.1109877918@critter.freebsd.dk> (Poul-Henning Kamp's message of "Thu, 03 Mar 2005 20:25:18 +0100")
References: <10479.1109877918@critter.freebsd.dk>
"Poul-Henning Kamp" <phk@phk.freebsd.dk> writes:

> In message <87is48k1h2.fsf@snark.piermont.com>, "Perry E. Metzger" writes:
>>There is a profession called "cryptographer" out there. They are the
>>folks who try out these new ideas, and they fill lots of conference
>>proceedings with their new ideas, including things like crypto modes
>>designed specifically for disk encryption.
>
> There is a world out here that's called the IT industry.

Yes, there is. They routinely deploy bad security because they don't get people who know what they are doing involved. See WEP, for example, or a thousand other things.

> When they badly needed a new password scrambler nobody from that
> cryptographic discipline could be bothered with a problem already
> long since solved in their academic journals and the task fell to
> a more or less random programmer in the end.

I have no idea what you're talking about, but if it is the original password hash algorithm in Unix, it was written by Bob Morris Sr., who went on to become one of the top technical guys at the NSA. If you're talking about MD5, which is used in many modern Unixes, it was done by Ron Rivest, and even though he's really good, it has recently been (quite badly) broken.

> At the time where I wrote GBDE, the best that was offered was CGD (and
> similar) and users (not cryptographers!) didn't trust it and history
> has so far repeated.

I have no idea what you are talking about here. Can you find me a significant number of users who had CGD available and didn't want to use it? It was only available on NetBSD so far as I know, and it was adopted pretty quickly once it appeared.

> I can add another property of the elite society of cryptographers:
> if you are not a card carrying member of their society, the majority
> of their members can not even be bothered to reply to an email from
> an outsider. This does hamper communication a bit.

Actually, you can show up at any crypto conference you like, and you'll likely be taken seriously so long as you know what you're talking about, even if the people talking to you have no idea who you are. As with most gatherings of geeks, the only real ticket you need is competence. There are also plenty of places to send email to cryptographers where you will be inundated with replies. If you had forwarded a description of your disk protection work to cryptography@metzdowd.com, you would have gotten plenty of responses. The same is probably true of sci.crypt and lots of other places.

> Maybe the problem is that cryptographers, like true computer
> scientists, write in nothing less portable than pencil number two ?

It is rare to see a new algorithm show up from someone like Ron Rivest without some C code also appearing. That's pretty common in the crypto world. When the Chinese team that cracked a bunch of hash algorithms last summer presented their work, they had worked examples of their stuff.

However, how is this relevant? Would you deride your doctor for not programming? Do you write medical diagnostic software without so much as reading a medical journal or talking to a doctor? There is no shame in admitting that there may be other fields than "software engineering" that have valuable information to share with you.

> If some card-carrying member of the cryptographic establishment were
> to offer the Open Source operating systems an implementation which
> were approved by all (or some qualified quorum of) the high priests
> of their brotherhood, then I am sure that it would be received with
> praise and thanks of no end.

I think you don't quite get the point.

1) No one claims that you need to be a cryptographer to write something like GBDE. What is being claimed is that you should not have invented your own cryptographic modes, and that you might have wanted to ask some professionals about your approach.

2) CGD *has* been looked at by a bunch of people, and was written to carefully use standard algorithms in a standard way. If you don't like using NetBSD code because NetBSD people have cooties, fine -- I don't care, write your own. However, you should at least pay the same attention to conservative use of cryptographic algorithms, and having people review your work is a good idea, too.

3) You've made some very bizarre claims about the security of your system. Some of these claims have already been shown on their face to be incorrect, such as your claimed work factor for breaking your new "improved" crypto modes. Some of your claims are harder to disprove but nonetheless seem suspicious. Other comments have been made to the effect that you have ignored certain threat models.

Now, when Phil Zimmermann was criticized for inventing Bass-o-Matic for PGP v1 and for otherwise not designing things right, he could have dug in his heels and said "I don't see why I should do anything differently." Instead, he admitted his mistakes and wrote a version 2.

Are your users better served by you digging in your heels and saying "GBDE is perfect as it is", or by admitting you are wrong and changing your design? Will you be like Phil Zimmermann or like the guys who peddle snake oil crypto? Your choice how you want to be known -- as someone who admits mistakes, or as someone too proud to ever change his work to fix problems.

Perry