From: "Perry E. Metzger" <perry@piermont.com>
To: "ALeine"
Cc: tech-security@NetBSD.org, phk@phk.freebsd.dk, hackers@freebsd.org, elric@imrryr.org, ticso@cicely.de
Date: Thu, 03 Mar 2005 15:43:39 -0500
Subject: Re: FUD about CGD and GBDE
Message-ID: <873bvcjw90.fsf@snark.piermont.com>
In-Reply-To: <200503022348.j22Nm48I086259@marlena.vvi.at> (aleine@austrosearch.net's message of "Wed, 2 Mar 2005 15:48:04 -0800 (PST)")
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

"ALeine" writes:

>> There is a profession called "cryptographer" out there. They are
>> the folks who try out these new ideas, and they fill lots of
>> conference proceedings with their new ideas, including things like crypto
>> modes designed specifically for disk encryption.
>
> You are confusing people who design cryptographic algorithms with those
> who design cryptographic systems which integrate those algorithms into
> functional systems.

No, I am not. PHK invented new cryptographic modes for his work. The
fact that he does not understand this is part of the problem.

>> People who are members of this profession spend many years
>> learning what is and is not likely to work when it comes to various
>> cryptographic schemes, and they often learn the hard way that
>> most new ideas in cryptography fail under scrutiny. Even the best of them
>> are very leery of recommending the use of their own new schemes in
>> the real world before they have been heavily reviewed. Even if you
>> are Ron Rivest or Don Coppersmith, you make mistakes, and sometimes bad
>> ones.
>
> Would you care to explain what qualifies Roland as a more competent
> cryptographic system designer than PHK?

Roland didn't try to do anything that wasn't already heavily understood
in the literature. He invented no cryptographic modes. He used only
algorithms that have been pre-vetted. He also asked a bunch of people
who know better than he does to check his work.

Thus, you don't have to trust Roland at all. He didn't invent any new
way of using any of the algorithms. You have to trust only the designers
of the block cipher you choose to use (I'd suggest AES) and the password
algorithm you choose to use (though the PKCS stuff is very good
already). In order to permit even greater defense against key cracking,
he put in a very standard and straightforward mechanism to permit N
factor authentication.

>> Were you a cryptographer, and were you proposing, in a
>> theoretical way, a new cryptographic mode for doing disk encryption,
>> and were you presenting it in a paper at Crypto or some such, well,
>> that would be perfectly fine. People could then review it, tear it
>> apart (or fail to) etc, and no one would be harmed.
>
> The papers are there, the code is there, review it, analyze it, talk
> about it on TV. Just because it was not done in the way academics
> like to do it does not mean it has any less merit. Heck, I would love
> to see Erez Zadok's NCryptFS, but the academic process seems to be so
> slow that we'll be lucky to see anything before 2006. If PHK took
> that road we'd be looking forward to GBDE in FreeBSD 7.

Somehow, Roland managed to write CGD without any real trouble. That's
because rather than innovating, he used well understood primitives in
well understood ways.

>> Instead, however, what is happening is that you are implementing
>> your ideas, which do not appear to be very well founded in the
>> experience the crypto community has gained at great price, and
>> they're being tested first on actual users before any peer review
>> of your design.
>
> There is a reason everything happens so slowly in the academic
> circles. Everyone is trying to cover their asses and trying so
> hard not to be wrong that they analyze everything ad nauseum.

No. You Do Not Understand. Cryptography is *brittle*. This has nothing
to do with academic sloth. The point is that the best designers
routinely have their work smashed to little bits.

Are you as good a cryptographer as Ron Rivest? I certainly am not.
Somehow, however, MD5 has been crushed anyway. This is not unusual.

Cryptographic algorithms are not like sorting algorithms or graph
traversal algorithms. When you're doing 3DES, it is not obvious that
doing the CBC on the outside instead of between the rounds is critical
to good security -- indeed it wasn't obvious even to trained
cryptographers.

If you aren't as good as Ron Rivest, then why are you expecting to
design a new cryptographic mode on your first try without any issues
arising?

>> WEP was a particularly amusing case, because, like you, its
>> designers thought that it was safe to use an existing encryption
>> algorithm in ways that they never even realized were new and potentially
>> damaging. They didn't understand what they were doing, and so the
>> results were very bad.
>
> WEP relies on RC4 and has a 24-bit IV which means the key stream will
> definitely get reused after 5 hours of heavy traffic.

WEP is even weaker than its design. That is because its designers did
not know what they were doing. Inventing new cryptographic modes is
dangerous.

>> Let me also mention that everyone who does crypto work hears, at
>> intervals, what horrid insular people cryptographers are and how
>> little respect they have for "outsiders". Actually, nothing could
>> be further from the truth. The crypto community is very open -- but
>> it is a meritocracy, and merit is not demonstrated by throwing lots
>> of stuff to the wall and seeing what sticks.
>
> Everyone who has the proper education from one of the elite
> universities, knows the right people, has not dared publish
> anything seriously relevant to outdo their mentor before he
> retires and everyone who dismisses everyone else who does not
> have the same pedigree of a proper cryptographer is welcome
> to join the crypto community, of course.

Anyone can get a paper published at Crypto or Eurocrypt. You need no
PhD or other credentials. All you have to do is have something
interesting to say. People who are "outsiders" get stuff published.
Your claim is baseless.

In general, geeks are meritocratic. Crypto people are not unlike other
geeks. If you find that crypto people laugh at you, it is probably not
because you don't know the right people, but because you put your foot
in your mouth and swallowed hard.

Perry
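The WEP failure the thread touches on (a 24-bit IV in front of a fixed RC4 key, so the same keystream is eventually reused) is worth seeing concretely. The following is an added example, not code from this thread, CGD, GBDE or any WEP implementation: it uses a minimal RC4, a simplified WEP-style packet key (IV || secret, with no 802.11 framing or CRC), and constructed plaintexts, and shows both the birthday/exhaustion arithmetic behind the "5 hours" figure and the two-time-pad recovery that IV reuse enables once one packet's plaintext is known (in real WEP the LLC/SNAP header is the usual known prefix). All names, keys and packet contents below are assumptions made for the illustration.

```python
"""Keystream reuse under a short IV, in the style of WEP (added example).

Not the thread's code, nor CGD/GBDE/WEP code. RC4 is the cipher WEP used;
the packet key construction IV || secret mirrors WEP, but the framing,
keys and payloads are constructed for this illustration.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt as WEP does: the 24-bit IV is prepended to the shared secret
    to form the per-packet RC4 key. Same IV + same secret => same keystream."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes,
                                 c_target: bytes) -> bytes:
    """Two-time pad: c1 = p1 ^ K and c2 = p2 ^ K with the same K, so
    c1 ^ c2 = p1 ^ p2 and p2 = c1 ^ c2 ^ p1 for every byte where p1 is known."""
    return xor(xor(c_known, c_target), p_known)


def expected_packets_to_iv_collision(iv_bits: int = 24) -> int:
    """Birthday bound: with uniformly random IVs, a repeat is expected
    after roughly sqrt(pi/2 * 2**iv_bits) packets (about 5k for 24 bits)."""
    n = 2 ** iv_bits
    return int(math.sqrt(math.pi * n / 2))


def hours_until_iv_space_exhausted(packets_per_second: float,
                                   iv_bits: int = 24) -> float:
    """A sequential IV counter wraps after 2**iv_bits packets; at 1000 pkt/s
    a 24-bit counter wraps in under five hours, after which every keystream
    is reused."""
    return (2 ** iv_bits) / packets_per_second / 3600.0


def demo() -> bytes:
    """Encrypt two packets under one (secret, IV) pair and recover the
    second from the first's known plaintext. Everything here is constructed."""
    secret = b"\x01\x02\x03\x04\x05"          # assumed 40-bit WEP-style key
    iv = b"\x00\x00\x01"                      # the reused IV
    header = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # LLC/SNAP prefix: predictable
    p1 = header + b"known plaintext."         # attacker knows this packet
    p2 = header + b"the real secret!"         # attacker wants this one
    c1 = wep_style_encrypt(secret, iv, p1)
    c2 = wep_style_encrypt(secret, iv, p2)
    # The keystream cancels: ciphertext XOR reveals plaintext XOR.
    assert xor(c1, c2) == xor(p1, p2)
    return recover_with_known_plaintext(c1, p1, c2)


if __name__ == "__main__":
    print("recovered:", demo())
    print("packets to expected IV collision (random IVs):",
          expected_packets_to_iv_collision())
    print("hours to wrap a 24-bit IV counter at 1000 pkt/s: %.2f"
          % hours_until_iv_space_exhausted(1000))
```

The recovery works byte-for-byte over whatever part of one packet is known, which is why a fixed, predictable header is enough to strip the confidentiality of every other packet sharing that IV; a 24-bit IV space is small enough that both the random-IV birthday bound and the sequential-counter wrap make such sharing routine on a busy network.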