Subject: Re: FUD about CGD and GBDE
To: Poul-Henning Kamp <>
From: Perry E. Metzger <>
List: tech-security
Date: 03/03/2005 18:22:26
"Poul-Henning Kamp" <> writes:
>>I think we've already established that this fear, though
>>understandable, is not a reasonable one under the circumstances. See
>>several postings already made. You are better off just using AES with
>>a longer key than the GBDE mechanism.
> I'm sorry, I reached the exact opposite conclusion.
> The work that was referred to earlier of defactorizing AES into a
> very large number of equations would be exactly the kind of attack
> I would worry about if I have 80 million sectors with the same key.

That attack was shown to be bogus. It is highly unlikely that any such
attack will ever show up, given the structure of AES. I would not be
shocked if an attack on AES *did* show up, but it would likely not be
of this sort, and it would likely make no difference in that context
whether you encrypt the whole disk with one key or not even if such an
attack appeared.

> If that attack comes through, but relies on some partiular bit
> combination being present on the plaintext or ciphertext of the
> algoritm, I see no reason why I would want to improve the attackers
> odds by a factor of 80 million.

Again, it would do no such thing even if the bogus attack was real.

> And if CGD is _so_ officially approved as you say, then I can not
> for the life of me understand how it can use the same key to generate
> the IV and perform the encryption.

The IV doesn't matter. So long as the IV is different for each block
you are fine. Any function that produces a decent shuffle would be
acceptable. (Well, not quite *any*. For various reasons you may want
the hamming distance between successive IVs to be large on average,
but this achieves that.)

Perry E. Metzger