Subject: Re: FUD about CGD and GBDE
To: None <>
From: Poul-Henning Kamp <>
List: tech-security
Date: 03/03/2005 17:47:45
In message <>, Thor Lancelot Simon writes:

>No, it would not.  What it _would_ take would be an abandonment of the
>adamant position that your home-grown cryptosystem is superior to
>simply encrypting the disk with 256-bit AES.

Where I come from "home-grown" is not derogative.  All cryptosystems
are by necessity home-grown for somebody somewhere.

If you are _convinced_ that there will be no attacks which can
exploit the ample data CGD offers for two-way leverage on the crypto
algorithm during the relevant lifetime of your data, then stick
with CGD and be happy.

If like me that makes you quite uneasy, look for something which
mitigates that issue, like for instance GBDE.

If neither suits you, design your own.

>Generally, complexity is not considered a desirable property in
>cryptosystems.  GBDE violates this rule in spades.  There are _reasons_
>why complexity is not good: to begin with, a very complex cryptographic
>construct will require detailed analysis (which it does not appear
>GBDE has had by anyone but its author until Roland started looking at
>it) in order that we may know that it is even as secure as the underlying
>algorithmic building blocks it uses.

Both Lucky Green and David Wagner have nodded vertical on GBDE.

>[crypto sermon]

I fully agree with you about the philosophical points, but not on
the implications.

I can not convince myself that encrypting a 40 GB disk sector by
sector using the same key, even if it is 256 bits, is a safe design.

You seem to believe otherwise.

And that's where it ends.

Have a good life.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.