From owner-freebsd-hackers@FreeBSD.ORG Fri Mar 4 23:13:06 2005 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A18FF16A4CE for ; Fri, 4 Mar 2005 23:13:06 +0000 (GMT) Received: from marlena.vvi.at (marlena.vvi.at [208.252.225.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B62143D5E for ; Fri, 4 Mar 2005 23:13:04 +0000 (GMT) (envelope-from www@marlena.vvi.at) Received: from marlena.vvi.at (localhost.marlena.vvi.at [127.0.0.1]) by marlena.vvi.at (8.12.10/8.12.9) with ESMTP id j243HxoH016009; Thu, 3 Mar 2005 19:18:01 -0800 (PST) (envelope-from www@marlena.vvi.at) Received: (from www@localhost) by marlena.vvi.at (8.12.10/8.12.10/Submit) id j243HrZ2016007; Thu, 3 Mar 2005 19:17:53 -0800 (PST) (envelope-from www) Date: Thu, 3 Mar 2005 19:17:53 -0800 (PST) Message-Id: <200503040317.j243HrZ2016007@marlena.vvi.at> To: elric@imrryr.org From: "ALeine" cc: briggs@netbsd.org cc: perry@piermont.com cc: phk@phk.freebsd.dk cc: hackers@freebsd.org cc: tech-security@netbsd.org cc: ticso@cicely.de Subject: Re: FUD about CGD and GBDE X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Mar 2005 23:13:06 -0000 elric@imrryr.org wrote: > It is a serial attack that is: > > for (i=0; i < n; i++) { > crack the i'th key--key block; > } > > So it is actually where $n$ is the number of key--key sectors: [ ASCII art removed and sent to the museum of modern arts :-> ] > > So, for a disk with 2^30 key--key sectors it would be > > 2^30 * 2^128 = 2^158 > > I realise that PHK has been claiming that you might get false > positives, and that you somehow have to maintain a matrix of past > this and that. It is a lot simpler than this really. Your assumption is wrong. First of all, the first sector of the encrypted image does not necessarily start at the beginning of the disk, nor does the last sector have to be the last sector of the disk. At initialization first_sector, last_sector and total_sectors can be set so that the encrypted image is placed at an offset from both sides of the disk. If you also use random_flush that free space (padding) is filled with random garbage automatically, so one cannot detect where the encrypted image actually begins or ends. I would like to see some statistics regarding the distribution of superblock, inode and directory structures, but I believe the attack you are describing cannot be automated to the point of being practical. You also completely ignored the fact that the smallest logical data sector size is 512 bytes, but that it can also be set to any reasonable 2^n size (as PHK already pointed out, 2kb is the recommended size on FFS). You can only guess as to the size of the logical sector. You also have to take into acount the fact that there are at least 4 512 byte lock sectors (regardless of the size of the logical sector) which will thwart your automated brute forcing attempt further. Lock sectors can be anywhere, their location is picked randomly at initialization and everything else has to map around them, so you cannot assume anything about their location or know that you stumbled upon them. If you take into account that you cannot be sure that you got a complete zone or that you are indeed looking at a single logical data sector things become complicated quickly, so your estimate is way too optimistic. BTW, since you claim to have studied the papers, you may want to start using the correct terminology, there is no such thing as a key-key sector, there are only key sectors, data sectors, lock sectors, the master key, generated key-keys and sector keys. ALeine ___________________________________________________________________ WebMail FREE http://mail.austrosearch.net