From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 3 21:41:50 2005 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E582A16A4CE for ; Thu, 3 Mar 2005 21:41:50 +0000 (GMT) Received: from mail2.panix.com (mail2.panix.com [166.84.1.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id B569443D55 for ; Thu, 3 Mar 2005 21:41:50 +0000 (GMT) (envelope-from tls@rek.tjls.com) Received: from panix5.panix.com (panix5.panix.com [166.84.1.5]) by mail2.panix.com (Postfix) with ESMTP id 0F6D1A704E; Thu, 3 Mar 2005 16:41:50 -0500 (EST) Received: (from tls@localhost) by panix5.panix.com (8.11.6p3/8.8.8/PanixN1.1) id j23Lfoj17272; Thu, 3 Mar 2005 16:41:50 -0500 (EST) Date: Thu, 3 Mar 2005 16:41:50 -0500 From: Thor Lancelot Simon To: Poul-Henning Kamp Message-ID: <20050303214150.GA28836@panix.com> References: <87y8d4ih9b.fsf@snark.piermont.com> <11285.1109884555@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <11285.1109884555@critter.freebsd.dk> User-Agent: Mutt/1.4.2.1i X-Mailman-Approved-At: Fri, 04 Mar 2005 16:36:07 +0000 cc: tech-security@netbsd.org cc: hackers@freebsd.org cc: cryptography@metzdowd.com Subject: Re: FUD about CGD and GBDE X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: tls@rek.tjls.com List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 21:41:51 -0000 On Thu, Mar 03, 2005 at 10:15:55PM +0100, Poul-Henning Kamp wrote: > > And if CGD is _so_ officially approved as you say, then I can not > for the life of me understand how it can use the same key to generate > the IV and perform the encryption. At the very least two different > keys should have been used at the "expense" of making the masterkey > 512 bits instead of 256. Why "should" two different keys have been used? It is possible that I misunderstand the underlying theory, but so far as I do understand it the only real requirement for IVs is that the Hamming distance between any two used with the same encryption key be large. Are you concerned about a key recovery attack? If so, can you give an outline of how it would work? -- Thor Lancelot Simon tls@rek.tjls.com "The inconsistency is startling, though admittedly, if consistency is to be abandoned or transcended, there is no problem." - Noam Chomsky