Subject: Re: FUD about CGD and GBDE
To: None <>
From: ALeine <>
List: tech-security
Date: 03/02/2005 15:48:04 wrote: 
> "Poul-Henning Kamp" <> writes:
> > We need more ideas and more people trying out ideas.
> There is a profession called "cryptographer" out there. They are
> the folks who try out these new ideas, and they fill lots of
> conference proceedings with their new ideas, including things like crypto
> modes designed specifically for disk encryption.

You are mistaking people who design cryptographic algorithms and those
who design cryptographic systems which integrate those algorithms into
functional systems. PHK does not need to invent the replacement for
SHA in order to be a competent and well respected cryptographic system
designer. Besides, there are too many well respected academics who do
nothing but attend conferences, PHK has actually implemented something
that works and that has so far been publically recognized as solid by
two very well respected cryptographers.

> People who are members of this profession spend many years
> learning what is and is not likely to work when it comes to various
> cryptographic schemes, and they often learn the hard way that
> most new ideas in cryptography fail under scrutiny. Even the best of them
> are very leery of recommending the use of their own new schemes in
> the real world before they have been heavily reviewed. Even if you
> are Ron Rivest or Don Coppersmith, you make mistakes, and sometimes bad
> ones.

Would you care to explain what qualifies Roland as a more competent
cyrptographic system designer than PHK?
> Were you a cryptographer, and were you proposing, in a
> theoretical way, a new cryptographic mode for doing disk encryption,
> and were you presenting it in a paper at Crypto or some such, well,
> that would be perfectly fine. People could then review it, tear it
> apart (or fail to) etc, and no one would be harmed.

The papers are there, the code is there, review it, analyze it, talk
about it on TV. Just because it was not done in the way academics
like to do it does not mean it has any less merit. Heck, I would love
to see Erez Zadok's NCryptFS, but the academic process seems to be so
slow that we'll be lucky to see anything before 2006. If PHK took
that road we'd be looking forward to GBDE in FreeBSD 7.

> Instead, however, what is happening is that you are implementing
> your ideas, which do not appear to be very well founded in the
> experience the crypto community has gained at great price, and
> they're being tested first on actual users before any peer review
> of your design.

There is a reason everything happens so slowly in the academic
circles. Everyone is trying to cover their asses and trying so
hard not to be wrong that they analyze everything ad nauseum.
The bolder approach PHK took is well thought-out and some
compromises were made with full awareness of the consequences
because GBDE is designed to be usable and improved, it's not a
final solution. Using it will expose any weaknesses it might have
and if/when they are discovered you can be sure they will be fixed.
Along with the analyses done on it, it's the best way to make sure
you have something usable and cryptographically solid both today
and in the future.

> WEP was a particularly amusing case, because, like you, its
> designers thought that it was safe to use an existing encryption
> algorithm in ways that they never even realized were new and potentially
> damaging. They didn't understand what they were doing, and so the
> results were very bad.

WEP relies on RC4 and has a 24-bit IV which means the key stream will
definitely get reused after 5 hours of heavy traffic. You are not only
comparing apples and oranges, but apples and straw now. Read PHK's papers
on GBDE - all of them. You are clutching at straws.
> Let me also mention that everyone who does crypto work hears, at
> intervals, what horrid insular people cryptographers are and how
> little respect they have for "outsiders". Actually, nothing could
> be further from the truth. The crypto community is very open -- but
> it is a meritocracy, and merit is not demonstrated by throwing lots
> of stuff to the wall and seeing what sticks.

Everyone who has the proper education from one of the elite
universities, knows the right people, has not dared publish
anything seriously relevant to outdo their mentor before he
retires and everyone who dismisses everyone else who does not
have the same pedigree of a proper cryptographer is welcome
to join the crypto community, of course.

IMHO, the academic community looks at the IT industry with
scorn when someone dares insult them with a solution that
might prove to be better than something they have been
working on with an entire team of international academics
for years.

WebMail FREE