Subject: Re: FUD about CGD and GBDE
To: ALeine <aleine@austrosearch.net>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-security
Date: 03/03/2005 17:58:49
```
On 1109816230 seconds since the Beginning of the UNIX epoch
"ALeine" wrote:
>

>No, you are wrong.
>
>        2^128*2^30 = 2^158
>
>We are actually dealing with:
>
>        (2^128)^(2^30) = 2^(128*2^30) = 2^(2^37) = 2^137438953472
>               ^--- notice the minor difference

It is a serial attack that is:

	for (i=0; i < n; i++) {
		crack the i'th key--key block;
	}

So it is actually where $n$ is the number of key--key sectors:

      n
   -------
   \
    \      128         128
    >     2      =  n 2
    /
   /
   -------
    i = 0

(sorry about the bad ascii art, there, but I thought that would
be the best way to draw it.)

So, for a disk with 2^30 key--key sectors it would be

2^30 * 2^128 = 2^158

I realise that PHK has been claiming that you might get false
positives, and that you somehow have to maintain a matrix of past
this and that.  It is a lot simpler than this really.

For each key--key sector you are brute forcing, there are 2^128
different keys to try.  Now, the key--key sector protects 32 disk
sectors which contain 32 * 512 * 8 = 131072 bits.  That means that
there are 2^131072 possibilities for what can be in those 32 sectors.
So, I think that we can see where I am going here?

There will not be very many false positives when you are brute
forcing.  It is quite unlikely that there even exists an AES128
key which would produce one.  Depending on how many bits of the 32
sectors are being used, the probability could be as low as

	   1
	--------
	2^130944

Which is a very small number indeed.

Now, granted not the entirety of the 32 sectors will be recognisable,
or necessarily even used---but a fair percentage will.  Enough to
come up with numbers that may not be so astronomically small, but are
still staggeringly small---a staggeringly small possibility that
such a false positive generating key actually exists at all.

Disklabels for example have a checksum.  The checksum might not be
terribly strong, but the chance that two different valid disklabels
could even be decrypted with different keys is small, I would
imagine.  The checksum takes off 2^32 seemingly valid disklabels
and what about the rest of the fields?  There's lots of redundant
information in there that could be cross referenced.

The examples abound.  Disks are very well structured and so are
the files on them.  So, I think that considering that you are
cracking 16KB at a time there will not be terribly many false
positives to find.  You will not have to write a lot of machinery
to detect them.

--
Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
```
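A scaled-down illustration of the two points in the message above, added here and not part of the original post: per-block brute force costs n * 2^k trials in total, and redundancy in the plaintext (here a CRC32, standing in for a disklabel checksum) removes false-positive keys. The 12-bit key size, the SHA-256-keystream toy cipher and all function names are assumptions made for this example.

```python
import hashlib
import zlib

KEY_BITS = 12  # toy key size (assumption); the thread discusses 128-bit keys

def keystream(key, n):
    """Derive n pseudo-random bytes from an integer key (toy construction)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor_crypt(key, data):
    """Toy cipher: XOR with the keystream; encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def make_block(index):
    """Constructed sample block: 64-byte payload + CRC32, under its own key."""
    payload = hashlib.sha256(b"payload%d" % index).digest() * 2
    plain = payload + zlib.crc32(payload).to_bytes(4, "big")
    key = int.from_bytes(hashlib.sha256(b"key%d" % index).digest()[:2], "big") % (1 << KEY_BITS)
    return key, xor_crypt(key, plain)

def looks_valid(plain, check_bits):
    """Accept a candidate plaintext if the low check_bits of its CRC match."""
    stored = int.from_bytes(plain[-4:], "big")
    diff = zlib.crc32(plain[:-4]) ^ stored
    return diff & ((1 << check_bits) - 1) == 0

def serial_attack(ciphertexts, check_bits):
    """Try every key on each block in turn; return (trials, surviving keys per block)."""
    trials, survivors = 0, []
    for ct in ciphertexts:
        hits = []
        for k in range(1 << KEY_BITS):
            trials += 1
            if looks_valid(xor_crypt(k, ct), check_bits):
                hits.append(k)
        survivors.append(hits)
    return trials, survivors

if __name__ == "__main__":
    blocks = [make_block(i) for i in range(4)]
    for bits in (4, 32):  # weak vs. full redundancy check
        trials, surv = serial_attack([c for _, c in blocks], bits)
        print(bits, "check bits:", trials, "trials; survivors per block:",
              [len(s) for s in surv])
```

With only 4 recognisable bits roughly 2^(12-4) wrong keys survive per block; with 32 bits only the real key does, and the trial count is 4 * 2^12 either way.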