Date: Wed, 5 Dec 2007 05:26:29 +0000
From: RW <fbsd06@mlists.homeunix.com>
To: freebsd-questions@freebsd.org
Subject: Re: GBDE and GELI security
Message-ID: <20071205052629.299e6317@gumby.homeunix.com.>
In-Reply-To: <20071205000423.GA78603@demeter.hydra>
References: <20071205000423.GA78603@demeter.hydra>

On Tue, 4 Dec 2007 17:04:23 -0700
Chad Perrin <perrin@apotheon.com> wrote:

> I've read reports to the effect that GBDE is vulnerable to online
> dictionary attacks unless two-factor authentication is used. The only
> such report I can find now is this discussion of NetBSD's CGD, where
> its author contrasts it with GBDE:
>
> http://www.onlamp.com/lpt/a/6384
>
> Is this still the case? Are there any other security concerns
> related to GBDE's implementation that you might mention? How well
> does GELI stack up against GBDE?
>

I think it's this:

http://mail-index.netbsd.org/tech-security/2005/03/02/0003.html

I don't know much about the internals of GBDE, but if we take his
description of it at face value, it seems to be fair criticism.

I think it's actually saying that GBDE assumes the user will provide
enough user-key entropy, and doesn't do anything to mitigate the use of
weaker passphrases. Geli uses salt and PKCS #5 so it's pretty much
blameless in this area.
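
The "salt and PKCS #5" point in the message above, as an added example that is not part of the original e-mail and is not GELI or GBDE code: a from-scratch PBKDF2 (PKCS #5 v2) showing how the per-volume salt and the iteration count enter the derived key. The choice of HMAC-SHA512, the passphrase, the salts and the iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct


def pbkdf2(prf: str, passphrase: bytes, salt: bytes,
           iterations: int, dklen: int) -> bytes:
    """PBKDF2 from PKCS #5 v2: DK = T_1 || T_2 || ..., truncated to dklen."""
    hlen = hashlib.new(prf).digest_size
    nblocks = -(-dklen // hlen)  # ceiling division
    out = []
    for i in range(1, nblocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1})
        u = hmac.new(passphrase, salt + struct.pack(">I", i), prf).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, prf).digest()
            t ^= int.from_bytes(u, "big")  # T_i = U_1 xor U_2 xor ... xor U_c
        out.append(t.to_bytes(hlen, "big"))
    return b"".join(out)[:dklen]


def work_factor(iterations: int, dklen: int, prf: str = "sha512") -> int:
    """PRF (HMAC) invocations needed to test one passphrase guess."""
    hlen = hashlib.new(prf).digest_size
    return iterations * -(-dklen // hlen)


# Constructed sample values: one weak passphrase reused on two volumes,
# each volume with its own random-looking salt.
PASSPHRASE = b"letmein"
SALT_A = bytes(range(64))
SALT_B = bytes(range(1, 65))
ITERATIONS = 2000  # assumption; real tools calibrate this to the hardware


def demo():
    """Return the keys derived for the two volumes."""
    key_a = pbkdf2("sha512", PASSPHRASE, SALT_A, ITERATIONS, 64)
    key_b = pbkdf2("sha512", PASSPHRASE, SALT_B, ITERATIONS, 64)
    return key_a, key_b


if __name__ == "__main__":
    a, b = demo()
    print("volume A key:", a.hex()[:32], "...")
    print("volume B key:", b.hex()[:32], "...")
    print("HMAC calls per guess:", work_factor(ITERATIONS, 64))
```

The salt makes a guess list computed against one volume useless against another, and the iteration count multiplies the cost of every guess; neither adds entropy to a weak passphrase.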