From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 3 23:22:28 2005
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24E9D16A4CF for ; Thu, 3 Mar 2005 23:22:28 +0000 (GMT)
Received: from snark.piermont.com (snark.piermont.com [166.84.151.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6195E43D31 for ; Thu, 3 Mar 2005 23:22:27 +0000 (GMT) (envelope-from perry@piermont.com)
Received: by snark.piermont.com (Postfix, from userid 1000) id B0CB3D9877; Thu, 3 Mar 2005 18:22:26 -0500 (EST)
To: "Poul-Henning Kamp"
References: <11285.1109884555@critter.freebsd.dk>
From: "Perry E. Metzger"
Date: Thu, 03 Mar 2005 18:22:26 -0500
In-Reply-To: <11285.1109884555@critter.freebsd.dk> (Poul-Henning Kamp's message of "Thu, 03 Mar 2005 22:15:55 +0100")
Message-ID: <87hdjsiabx.fsf@snark.piermont.com>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailman-Approved-At: Fri, 04 Mar 2005 16:36:07 +0000
cc: ALeine
cc: elric@imrryr.org
cc: Todd Vierling
cc: hackers@freebsd.org
cc: tech-security@NetBSD.org
cc: ticso@cicely.de
Subject: Re: FUD about CGD and GBDE
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 03 Mar 2005 23:22:28 -0000

"Poul-Henning Kamp" writes:

>>I think we've already established that this fear, though
>>understandable, is not a reasonable one under the circumstances. See
>>several postings already made. You are better off just using AES with
>>a longer key than the GBDE mechanism.
>
> I'm sorry, I reached the exact opposite conclusion.
>
> The work that was referred to earlier of defactorizing AES into a
> very large number of equations would be exactly the kind of attack
> I would worry about if I have 80 million sectors with the same key.

That attack was shown to be bogus. It is highly unlikely that any such
attack will ever show up, given the structure of AES. I would not be
shocked if an attack on AES *did* show up, but it would likely not be
of this sort, and it would likely make no difference in that context
whether you encrypt the whole disk with one key or not even if such an
attack appeared.

> If that attack comes through, but relies on some particular bit
> combination being present on the plaintext or ciphertext of the
> algorithm, I see no reason why I would want to improve the attackers'
> odds by a factor of 80 million.

Again, it would do no such thing even if the bogus attack was real.

> And if CGD is _so_ officially approved as you say, then I can not
> for the life of me understand how it can use the same key to generate
> the IV and perform the encryption.

The IV doesn't matter. So long as the IV is different for each block
you are fine. Any function that produces a decent shuffle would be
acceptable. (Well, not quite *any*. For various reasons you may want
the Hamming distance between successive IVs to be large on average,
but this achieves that.)

--
Perry E. Metzger		perry@piermont.com
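The construction the thread argues about, as an added example that is not part of the original message and is not the code of NetBSD's cgd or FreeBSD's GBDE: each sector's CBC IV is obtained by encrypting the sector number under the same AES key that encrypts the data, and the example checks the two properties Perry names, that IVs are distinct per sector (so identical plaintext sectors do not encrypt identically) and that successive IVs differ in many bits. The little-endian sector-number layout, the 512-byte sector size, and the fixed demo key are assumptions made for the example; only Go's standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
)

const sectorSize = 512 // assumed sector size; must be a multiple of the AES block size

// sectorIV derives the CBC IV for a sector by encrypting the sector number
// under the same AES key that encrypts the data. The sector number is
// written little-endian into a zero-filled 16-byte block (an assumed layout,
// not taken from any particular implementation).
func sectorIV(block cipher.Block, sector uint64) []byte {
	var in [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(in[:], sector)
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, in[:])
	return iv
}

// encryptSector CBC-encrypts one sector under the IV derived from its number.
func encryptSector(block cipher.Block, sector uint64, plaintext []byte) []byte {
	if len(plaintext)%aes.BlockSize != 0 {
		panic("sector length must be a multiple of the AES block size")
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, sectorIV(block, sector)).CryptBlocks(out, plaintext)
	return out
}

// decryptSector reverses encryptSector; the IV is recomputed from the sector
// number, so nothing beyond the key and the sector offset has to be stored.
func decryptSector(block cipher.Block, sector uint64, ciphertext []byte) []byte {
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, sectorIV(block, sector)).CryptBlocks(out, ciphertext)
	return out
}

// hammingDistance counts the bits that differ between two equal-length slices.
func hammingDistance(a, b []byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// ivStats derives IVs for sectors [0, n) and returns the minimum Hamming
// distance between successive IVs and whether all n IVs were distinct.
// Distinctness is guaranteed by construction: AES under a fixed key is a
// permutation, and distinct sector numbers are distinct inputs.
func ivStats(block cipher.Block, n uint64) (minDist int, allDistinct bool) {
	seen := make(map[[aes.BlockSize]byte]bool, n)
	minDist = 8 * aes.BlockSize
	var prev []byte
	for s := uint64(0); s < n; s++ {
		iv := sectorIV(block, s)
		var k [aes.BlockSize]byte
		copy(k[:], iv)
		if seen[k] {
			return minDist, false
		}
		seen[k] = true
		if prev != nil {
			if d := hammingDistance(prev, iv); d < minDist {
				minDist = d
			}
		}
		prev = iv
	}
	return minDist, true
}

func main() {
	// Constructed demo key for the example only; a fixed key is never appropriate for real data.
	key := bytes.Repeat([]byte{0x42}, 32) // AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	zeros := make([]byte, sectorSize) // two all-zero sectors, the classic "same plaintext" case
	c0 := encryptSector(block, 0, zeros)
	c1 := encryptSector(block, 1, zeros)
	fmt.Printf("identical plaintext in sectors 0 and 1 encrypts identically: %v\n", bytes.Equal(c0, c1))
	minDist, distinct := ivStats(block, 1<<16)
	fmt.Printf("65536 sector IVs all distinct: %v, minimum successive Hamming distance: %d bits\n", distinct, minDist)
}
```

The point of the example is the second property: sequential sector numbers differ in only a bit or two, but running them through the block cipher turns that into IVs that differ in roughly half their bits, which is the "decent shuffle" the message asks for.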