Subject: Re: FUD about CGD and GBDE
To: Perry E. Metzger <>
From: Poul-Henning Kamp <>
List: tech-security
Date: 03/03/2005 22:08:46
In message <>, "Perry E. Metzger" writes:

>> There is a world out here that's called the IT industry.
>Yes, there is. They routinely deploy bad security because they don't
>get people who know what they are doing involved. See WEP, for
>example, or a thousand other things.

Yes, it would really be desirable for the cryptographers to come
down from their Mount Olympus more often.  Too bad they never
answer invitations :-(

>I have no idea what you're talking about,

Thanks for confirming what I wrote just a second ago above.

>If you're talking about MD5 which is used in many modern Unixes, it
>was done by Ron Rivest, and even though he's really good, it has
>recently been (quite badly) broken.
>> At the time where I wrote GBDE, the best that was offered was CGD (and
>> similar) and users (not cryptographers!) didn't trust it and history
>> has so far repeated.
>I have no idea what you are talking about here.

And again.

>> I can add another property of the elite society of cryptographers:
>> if you are not a card carrying member of their society, the majority
>> of their members can not even be bothered to reply to an email from
>> an outsider.  This does hamper communication a bit.
>Actually, you can show up at any crypto conference you like,

I have a better idea: Why don't we get the cryptographers to
show up at computer science conferences ?  That would get the
gospel out to a far wider crowd without spoiling the highly
specialized conferences for the cryptographers.

>> Maybe the problem is that cryptographers, like true computer
>> scientists, write in nothing less portable than pencil number two ?
>It is rare to see a new algorithm show up from someone like Ron Rivest
>without some C code also appearing. That's pretty common in the crypto
>world. When the Chinese team that cracked a bunch of hash algorithms
>last summer presented their work, they had worked examples of their

You seem to misunderstand something:  Computer users don't call MD5
directly.  They use software which makes the calls for them.  Sometimes
this software has a goal which is different from calling crypto
algorithms, in fact some of them even have the impropriety of
regarding the crypto algorithms as mere tools.

>I think you don't quite get the point.

There are many points not being got here.

>1) No one claims that you need to be a cryptographer to write
>   something like GBDE. What is being claimed is that you should not
>   have invented your own cryptographic modes, and that you might have
>   wanted to ask some professionals about your approach.

You have not actually studied GBDE yet, right ?  You don't actually
know if I invented my own "cryptographic modes" or not, do you ?

>2) CGD *has* been looked at by a bunch of people, and was written to
>   carefully use standard algorithms in a standard way. If you don't
>   like using NetBSD code because NetBSD people have cooties, fine --
>   I don't care, write your own. However, you should at least pay the
>   same attention to conservative use of cryptographic algorithms and
>   having people review your work is a good idea, too.

Even if I were alone in the world with the sentiment, I would never
call CGD's use of the same key for all sectors "conservative".

>3) You've made some very bizarre claims about the security of your
>   system. Some of these claims have already been shown on their face
>   to be incorrect, such as your claimed work factor for breaking your
>   new "improved" crypto modes.

Sorry, they have only been disproved in a significantly larger universe
than the one my users inhabit.  That doesn't count to me.

>   Instead, he admitted his mistakes and wrote a version 2.

Any qualified, factually correct critique of GBDE will be taken very
seriously by me.  I am very much looking forward to it.  What Roland
has provided is not it.

>   Are your users better served by you digging in your heels and
>   saying "GBDE is perfect as it is", 

Now, there is one thing I have never said and would never say.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.