Subject: Re: FUD about CGD and GBDE
To: Poul-Henning Kamp <>
From: Perry E. Metzger <>
List: tech-security
Date: 03/03/2005 13:50:49
"Poul-Henning Kamp" <> writes:
> We need more ideas and more people trying out ideas.

There is a profession called "cryptographer" out there. They are the
folks who try out these new ideas, and they fill lots of conference
proceedings with their new ideas, including things like crypto modes
designed specifically for disk encryption.

People who are members of this profession spend many years learning
what is and is not likely to work when it comes to various
cryptographic schemes, and they often learn the hard way that most new
ideas in cryptography fail under scrutiny. Even the best of them are
very leery of recommending the use of their own new schemes in the
real world before they have been heavily reviewed. Even if you are Ron
Rivest or Don Coppersmith, you make mistakes, and sometimes bad ones.

Were you a cryptographer, and were you proposing, in a theoretical
way, a new cryptographic mode for doing disk encryption, and were you
presenting it in a paper at Crypto or some such, well, that would be
perfectly fine. People could then review it, tear it apart (or fail
to) etc, and no one would be harmed.

Instead, however, what is happening is that you are implementing your
ideas, which do not appear to be very well founded in the experience
the crypto community has gained at great price, and they're being
tested first on actual users before any peer review of your design.

You are hardly the first to do this of course. You follow in a long
tradition. The 802.11 folks who designed WEP, the people who designed
the security for Bluetooth, the authors of numerous PC security
products, and many others, have all rolled their own crypto without
being cryptographers and handed it off to unsuspecting users. The
results range from unfortunate to downright deadly.

WEP was a particularly amusing case, because, like you, its designers
thought that it was safe to use an existing encryption algorithm in
ways that they never even realized were new and potentially
damaging. They didn't understand what they were doing, and so the
results were very bad.

Let me also mention that everyone who does crypto work hears, at
intervals, what horrid insular people cryptographers are and how
little respect they have for "outsiders". Actually, nothing could be
further from the truth. The crypto community is very open -- but it is
a meritocracy, and merit is not demonstrated by throwing lots of stuff
to the wall and seeing what sticks.