Subject: Re: FUD about CGD and GBDE
To: Poul-Henning Kamp <firstname.lastname@example.org>
From: Perry E. Metzger <email@example.com>
Date: 03/03/2005 15:12:23
"Poul-Henning Kamp" <firstname.lastname@example.org> writes:
> In message <email@example.com>, "Perry E. Metzger" writes:
>>There is a profession called "cryptographer" out there. They are the
>>folks who try out these new ideas, and they fill lots of conference
>>proceedings with their new ideas, including things like crypto modes
>>designed specifically for disk encryption.
> There is a world out here that's called the IT industry.
Yes, there is. They routinely deploy bad security because they don't
get people who know what they are doing involved. See WEP, for
example, or a thousand other things.
> When they badly needed a new password scrambler nobody from that
> cryptographic discipline could be bothered with a problem already
> long since solved in their academic journals and the task fell to
> a more or less random programmer in the end.
I have no idea what you're talking about, but if it is the original
password hash algorithm in Unix, it was written by Bob Morris Sr., who
went on to become one of the top technical guy at the NSA.
If you're talking about MD5 which is used in many modern Unixes, it
was done by Ron Rivest, and even though he's really good, it has
recently been (quite badly) broken.
> At the time where I wrote GBDE, the best that was offered was CGD (and
> similar) and users (not cryptographers!) didn't trust it and history
> have so far repeated.
I have no idea what you are talking about here. Can you find me a
significant number of users who had CGD available and didn't want to
use it? It was only available on NetBSD so far as I know, and it was
adopted pretty quickly once it appeared.
> I can add another property of the elite society of cryptographers:
> if you are not a card carrying member of their society, the majority
> of their members can not even be bothered to reply to an email from
> an outsider. This does hamper communiation a bit.
Actually, you can show up at any crypto conference you like, and
you'll likely be taken seriously so long as you know what you're
talking about even if the people talking to you have no idea who you
are. As with most gatherings of geeks, the only real ticket you need
There are also plenty of places to send email to cryptographers where
you will be inundated with replies. If you had forwarded a
description of your disk protection work to firstname.lastname@example.org,
you would have gotten plenty of responses. The same is probably true
of sci.crypt and lots of other places.
> Maybe the problem is that cryptographers, like true computer
> scientists, write in nothing less portable than pencil number two ?
It is rare to see a new algorithm show up from someone like Ron Rivest
without some C code also appearing. That's pretty common in the crypto
world. When the Chinese team that cracked a bunch of hash algorithms
last summer presented their work, they had worked examples of their
However, how is this relevant? Would you deride your doctor for not
programming? Do you write medical diagnostic software without so much
as reading a medical journal or talking to a doctor? There is no shame
in admitting that there may be other fields than "software
engineering" that have valuable information to share with you.
> If some card-carrying member of the cryptographic establishment were
> to offer the Open Source operating systems an implementation which
> were approved by all (or some qualified quorum of) the high priests
> of their brother hood, then I am sure that it would be received with
> praise and thanks of no end.
I think you don't quite get it the point.
1) No one claims that you need to be a cryptographer to write
something like GBDE. What is being claimed is that you should not
have invented your own cryptographic modes, and that you might have
wanted to ask some professionals about your approach.
2) CGD *has* been looked at by a bunch of people, and was written to
carefully use standard algorithms in a standard way. If you don't
like using NetBSD code because NetBSD people have cooties, fine --
I don't care, write your own. However, you should at least pay the
same attention to conservative use of cryptographic algorithms and
having people review your work is a good idea, too.
3) You've made some very bizarre claims about the security of your
system. Some of these claims have already been shown on their face
to be incorrect, such as your claimed work factor for breaking your
new "improved" crypto modes. Some of your claims are harder to
disprove but none the less seem suspicious. Other comments have
been made to the effect that you have ignored certain threat
Now, when Phil Zimmermann was criticized for inventing Bass-o-Matic
for PGP v1 and for otherwise not designing things right, he could
have dug in his heels and said "I don't see why I should do
anything differently." Instead, he admitted his mistakes and wrote
a version 2.
Are your users better served by you digging in your heels and
saying "GDBE is perfect as it is", or by admitting you are wrong
and changing your design? Will you be like Phil Zimmermann or like
the guys who peddle snake oil crypto? Your choice how you want to
be known -- as someone who admits mistakes, or as someone too proud
to ever change his work to fix problems.