Subject: Re: FUD about CGD and GBDE
To: ALeine <>
From: Perry E. Metzger <>
List: tech-security
Date: 03/03/2005 15:43:39
"ALeine" <> writes:
>> There is a profession called "cryptographer" out there. They are
>> the folks who try out these new ideas, and they fill lots of
>> conference proceedings with their new ideas, including things like crypto
>> modes designed specifically for disk encryption.
> You are mistaking people who design cryptographic algorithms and those
> who design cryptographic systems which integrate those algorithms into
> functional systems.

No, I am not. PHK invented new cryptographic modes for his work. The
fact that he does not understand this is part of the problem.

>> People who are members of this profession spend many years
>> learning what is and is not likely to work when it comes to various
>> cryptographic schemes, and they often learn the hard way that
>> most new ideas in cryptography fail under scrutiny. Even the best of them
>> are very leery of recommending the use of their own new schemes in
>> the real world before they have been heavily reviewed. Even if you
>> are Ron Rivest or Don Coppersmith, you make mistakes, and sometimes bad
>> ones.
> Would you care to explain what qualifies Roland as a more competent
> cyrptographic system designer than PHK?

Roland didn't try to do anything that wasn't already heavily
understood in the literature. He invented no cryptographic modes. He
used only algorithms that have been pre-vetted. He also asked a bunch
of people who know better than he does to check his work.

Thus, you don't have to trust Roland at all. He didn't invent any new
way of using any of the algorithms. You have to trust only the
designers of the block cipher you choose to use (I'd suggest AES) and
the password algorithm you choose to use (though the PKCS stuff is
very good already). In order to permit even greater defense against
key cracking, he put in a very standard and straightforward mechanism
to permit N factor authentication.

>> Were you a cryptographer, and were you proposing, in a
>> theoretical way, a new cryptographic mode for doing disk encryption,
>> and were you presenting it in a paper at Crypto or some such, well,
>> that would be perfectly fine. People could then review it, tear it
>> apart (or fail to) etc, and no one would be harmed.
> The papers are there, the code is there, review it, analyze it, talk
> about it on TV. Just because it was not done in the way academics
> like to do it does not mean it has any less merit. Heck, I would love
> to see Erez Zadok's NCryptFS, but the academic process seems to be so
> slow that we'll be lucky to see anything before 2006. If PHK took
> that road we'd be looking forward to GBDE in FreeBSD 7.

Somehow, Roland managed to write CGD without any real trouble. That's
because rather than innovating, he used well understood primitives in
well understood ways.

>> Instead, however, what is happening is that you are implementing
>> your ideas, which do not appear to be very well founded in the
>> experience the crypto community has gained at great price, and
>> they're being tested first on actual users before any peer review
>> of your design.
> There is a reason everything happens so slowly in the academic
> circles. Everyone is trying to cover their asses and trying so
> hard not to be wrong that they analyze everything ad nauseum.

No. You Do Not Understand.

Cryptography is *brittle*. This has nothing to do with academic
sloth. The point is that the best designers routinely have their work
smashed to little bits.

Are you as good a cryptographer as Ron Rivest? I certainly am
not. Somehow, however, MD5 has been crushed anyway. This is not
unusual. Cryptographic algorithms are not like sorting algorithms or
graph traversal algorithms. When you're doing 3DES, it is not obvious
that doing the CBC on the outside instead of between the rounds is
critical to good security -- indeed it wasn't obvious even to trained

If you aren't as good as Ron Rivest, then why are you expecting to
design a new cryptographic mode on your first try without any issues

>> WEP was a particularly amusing case, because, like you, its
>> designers thought that it was safe to use an existing encryption
>> algorithm in ways that they never even realized were new and potentially
>> damaging. They didn't understand what they were doing, and so the
>> results were very bad.
> WEP relies on RC4 and has a 24-bit IV which means the key stream will
> definitely get reused after 5 hours of heavy traffic.

WEP is even weaker than its design. That is because its designers did
not know what they were doing.

Inventing new cryptographic modes is dangerous.

>> Let me also mention that everyone who does crypto work hears, at
>> intervals, what horrid insular people cryptographers are and how
>> little respect they have for "outsiders". Actually, nothing could
>> be further from the truth. The crypto community is very open -- but
>> it is a meritocracy, and merit is not demonstrated by throwing lots
>> of stuff to the wall and seeing what sticks.
> Everyone who has the proper education from one of the elite
> universities, knows the right people, has not dared publish
> anything seriously relevant to outdo their mentor before he
> retires and everyone who dismisses everyone else who does not
> have the same pedigree of a proper cryptographer is welcome
> to join the crypto community, of course.

Anyone can get a paper published at Crypto or Eurocrypt. You need no
PhD or other credentials. All you have to do is have something
interesting to say. People who are "outsiders" get stuff
published. Your claim is baseless.

In general, geeks are meritocratic. Crypto people are not unlike other
geeks. If you find that crypto people laugh at you, it is probably not
because you don't know the right people, but because you put your foot
in your mouth and swallowed hard.