From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 3 23:40:33 2005 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CEA216A4DB for ; Thu, 3 Mar 2005 23:40:33 +0000 (GMT) Received: from snark.piermont.com (snark.piermont.com [166.84.151.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id D000A43D54 for ; Thu, 3 Mar 2005 23:40:31 +0000 (GMT) (envelope-from perry@piermont.com) Received: by snark.piermont.com (Postfix, from userid 1000) id 083A3D988C; Thu, 3 Mar 2005 18:40:31 -0500 (EST) To: "ALeine" References: <200503030155.j231to9f088685@marlena.vvi.at> From: "Perry E. Metzger" Date: Thu, 03 Mar 2005 18:40:30 -0500 In-Reply-To: <200503030155.j231to9f088685@marlena.vvi.at> (aleine@austrosearch.net's message of "Wed, 2 Mar 2005 17:55:50 -0800 (PST)") Message-ID: <87d5ugi9ht.fsf@snark.piermont.com> User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailman-Approved-At: Fri, 04 Mar 2005 16:36:07 +0000 cc: tech-security@NetBSD.org cc: phk@phk.freebsd.dk cc: hackers@freebsd.org cc: elric@imrryr.org cc: ticso@cicely.de Subject: Re: FUD about CGD and GBDE X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 23:40:35 -0000 "ALeine" writes: > perry@piermont.com wrote: >> > You are mistaking people who design cryptographic algorithms >> > and those who design cryptographic systems which integrate those >> > algorithms into functional systems. >> >> No, I am not. PHK invented new cryptographic modes for his work. >> The fact that he does not understand this is part of the problem. > > He designed GBDE to always be harder than and never easier > to break than the cryptographic algorithms it relies on. I have no doubt that was the intent. The question is, did he achieve it? >> > Would you care to explain what qualifies Roland as a more >> > competent cyrptographic system designer than PHK? >> >> Roland didn't try to do anything that wasn't already heavily >> understood in the literature. He invented no cryptographic modes. >> He used only algorithms that have been pre-vetted. He also asked a >> bunch of people who know better than he does to check his work. >> >> Thus, you don't have to trust Roland at all. He didn't invent any >> new way of using any of the algorithms. You have to trust only the >> designers of the block cipher you choose to use (I'd suggest AES) >> and the password algorithm you choose to use (though the PKCS stuff >> is very good already). In order to permit even greater defense >> against key cracking, he put in a very standard and straightforward >> mechanism to permit N factor authentication. > > MD5 was believed to be heavily understood in literature. It was > well established. Look at what happened to it. Yup. And Roland made the algorithm you use for encrypting your disk *pluggable*. That way, if AES is broken, you can replace it with the next big thing and move on with your life. Now, if AES is indeed broken, GBDE is in serious trouble, but CGD is not. Specific users of CGD have to change their drives, but the framework continues to work as advertised. > The fact that Roland did not invent any new ways of using algorithms > does not mean that CGD is more secure. It does, however, mean right from the get-go that the standard analysis you use for looking at this works right out of the box. You don't have to invent anything new to figure out if it works right. > In fact, IMHO it is less secure because it uses > the same key for the entire disk and because it reuses the same key > for IV generation and encryption. Do you know enough about cryptography to have an opinion, humble or not? For example, if I handed you something encrypted in a polyalphabetic cipher and asked you to tell me the key length, off the top of your hand would you know how to use the index of coincidence to do that? If I asked you to explain the difference between the security of inner and outer CBC 3DES, could you tell me? Could you explain what a characteristic is and how it is used in differential cryptanalysis? I'm not saying, by the way, that you should take my opinion or anyone else's as gospel. Argument from authority is worthless. At crypto conferences you will find differing opinions -- merely understanding crypto doesn't mean you are right. You should learn enough to form your own opinion. However, that implies that you must first learn enough that you have a basis on which to form it. If you don't know anything about medicine, do you have any good basis for telling your anesthesiologist to use a different drug in your surgery? So you say that to you, using one key for the entire disk is a bad idea. Very good. On what basis do you say this? Now it *is* true that you shouldn't use a key for too much data, and we have some ways these days of calculating how much data "too much" is. Do you understand how that calculation is performed? > You have to trust Roland to integrate the well known and understood > algorithms in a correct way, trusting the algorithms alone is not > enough. His code did indeed have some bugs to begin with. It was reviewed and they were fixed. > I am not designing cryptographic algorithms, what PHK did with > GBDE cannot be compared to inventing MD5, snap out of it, you > are starting to sound like a broken record. But the problem is that he crossed a line, so it *can* be compared to things like inventing MD5. He isn't merely using existing algorithms in well known ways. He is, in fact, using algorithms in modes that they having been used in before and making very very specific claims of work factors to break these new modes. >> WEP is even weaker than its design. That is because its designers >> did not know what they were doing. > > I assure you PHK knows very well what he is doing I've read his paper. I must respectfully disagree. > and I think you should not mention his name in the same breath along > with the names of the designers of WEP. The comparison seems to be perfectly apt -- people competent in one field assuming that another very complicated field is trivial, and extending their work into that other field, in which they are no longer competent. >> Inventing new cryptographic modes is dangerous. > > Living is dangerous, today you are here, tomorrow you might get > hit by a bus. But that does not mean you will stay inside your > house where you are safe (at least from buses) forever, does it? It does mean that if I invented a new mode for using a set of ciphers, I would first send them to a bunch of crypto geeks to vet, then I would write a detailed paper, and after a couple of years I might consider actually using it in the real world. Perry