Subject: Re: FUD about CGD and GBDE
To: Poul-Henning Kamp <>
From: Todd Vierling <>
List: tech-security
Date: 03/03/2005 16:34:24
On Thu, 3 Mar 2005, Poul-Henning Kamp wrote:

> And if CGD is _so_ officially approved as you say, then I can not
> for the life of me understand how it can use the same key to generate
> the IV and perform the encryption.  At the very least two different
> keys should have been used at the "expense" of making the masterkey
> 512 bits instead of 256.

Technically, two different keys are used.  The IV is generated from the
block number (although it's pluggable for other IV generation methods,
should one be desired; take a look!).

This makes part of the "extended" 320-bit (256 + 64 bit off_t) key a known
quantity *for a given ciphertext block*, but not the whole disk.  This makes
attacks a little more difficult than standard 256-bit symmetric AES, as the
ciphertext is salted differently depending on the number of the test block.

-- Todd Vierling <> <>