Date: Thu, 03 Mar 2005 21:41:53 +0100
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: tls@rek.tjls.com
Cc: cryptography@metzdowd.com
Subject: Re: FUD about CGD and GBDE
Message-ID: <10848.1109882513@critter.freebsd.dk>
In-Reply-To: Your message of "Thu, 03 Mar 2005 15:00:05 EST." <20050303200005.GA21499@panix.com>
In message <20050303200005.GA21499@panix.com>, Thor Lancelot Simon writes:
>On Thu, Mar 03, 2005 at 08:25:18PM +0100, Poul-Henning Kamp wrote:
>To quote David Hume, "Never an ought from an is."

I'm Danish by birth so English is only my second language, so I apologize for mangling it.

>That "users" (who are they? how many of them? What criterion or criteria of trust do they apply?) _did_ not trust X says precisely nothing about whether users _should_ not trust X.

<soapbox>

If there is one word I have come to detest, then "should" is at the top of the list.

Voters _should_ vote based on intelligently informed opinions.
Researchers _should_ report their findings uncolored by personal bias.
Kids _should_ listen to their parents.
Somebody _should_ fix this bug.

I increasingly associate "will not happen" when I read "should".

Let me twist it around: How would the users know if they should or should not trust something?

They form their opinion based on the information they have under the constraints they have. And then, more often than not, the remaining 30% is gut feeling. When it comes to crypto, gut feeling has about 70% of quorum.

The crypto establishment has a big problem communicating to the rest of the world what their findings are in a way that makes this information usable for people. (IMO).

</soapbox>

>You seem to deny that there is a particular domain of expertise that is cryptography, or perhaps more rightly two domains, one being largely a subset of the other: how to design good cryptographic algorithms and how to use good cryptographic algorithms safely.

No, I certainly don't. I have personally the deepest respect and admiration for the craft.

I spent a lot of time before going into GBDE reading theory. Interestingly again, the best book from a practitioner's point of view is written by an outsider in the crypto-clergy.

I also spent a lot of time studying what was already available.
But in difference from everybody else (it seems), I also asked users and administrators what they needed and wanted from a cryptographic disk facility. Interestingly, I found that the users' focus was very different from the points which the crypto community emphasized.

And then I designed and wrote GBDE from that angle.

Despite what some people in this discussion seem to believe, I did not write GBDE using 1 iteration random-seed genetic programming. A lot of thought and consideration went into it. I may not be a world renowned cryptographer, nor even claiming to be one at all, but I am not totally without ability either.

I am fully aware of the arguments against complexity and I tried very hard to simplify GBDE to the simplest possible algorithm while maintaining the design goals' fulfillment. That is why there is no journaling, no MAC, only a very simple level of positional hiding and no heavy duty support for "plausible denial".

And then I tried very hard to engage somebody with the right union-card to do a review for me, and despite the fact that funding was available under the DARPA contract nobody would bite.

Lucky Green, on his own initiative, contacted me because he heard the rumour that I was working on something, and he convinced David Wagner to take a peek as well. I am more grateful to them both than my words can express. They gave me a lot of sound advice and I tried my best to implement according to it, but any blame for mistakes is entirely mine.

Now, if you could stop defending the cryptographers-local-64 union and accept that non-union people might try to make the world a better place by applying some of the craft in actual code, instead of banning the code because an infidel wrote it, then you could really help by giving said code a professional review.

It would be much appreciated if you did.
If you sit down and study GBDE, you will find that I have used all the cryptographic algorithms in a conservative way and, likely as not, you will end up saying "overkill". The users will call the same "safety margin". The truth is somewhere between, because the real world is shades between dark white and light black.

>You call Roland's criticisms of GBDE "handwaving".

I have yet to see anything solid from him where he didn't overlook something in his haste to prove his own product superior.

Poul-Henning

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.