Subject: Re: FUD about CGD and GBDE
To: ALeine <>
From: Perry E. Metzger <>
List: tech-security
Date: 03/03/2005 18:40:30
"ALeine" <> writes:
> wrote: 
>> > You are mistaking people who design cryptographic algorithms
>> > and those who design cryptographic systems which integrate those
>> > algorithms into functional systems.
>> No, I am not. PHK invented new cryptographic modes for his work.
>> The fact that he does not understand this is part of the problem.
> He designed GBDE to always be harder than and never easier
> to break than the cryptographic algorithms it relies on.

I have no doubt that was the intent. The question is, did he achieve

>> > Would you care to explain what qualifies Roland as a more
>> > competent cyrptographic system designer than PHK?
>> Roland didn't try to do anything that wasn't already heavily
>> understood in the literature. He invented no cryptographic modes.
>> He used only algorithms that have been pre-vetted. He also asked a
>> bunch of people who know better than he does to check his work.
>> Thus, you don't have to trust Roland at all. He didn't invent any
>> new way of using any of the algorithms. You have to trust only the
>> designers of the block cipher you choose to use (I'd suggest AES)
>> and the password algorithm you choose to use (though the PKCS stuff
>> is very good already). In order to permit even greater defense
>> against key cracking, he put in a very standard and straightforward
>> mechanism to permit N factor authentication.
> MD5 was believed to be heavily understood in literature. It was
> well established. Look at what happened to it.

Yup. And Roland made the algorithm you use for encrypting your disk
*pluggable*. That way, if AES is broken, you can replace it with the
next big thing and move on with your life.

Now, if AES is indeed broken, GBDE is in serious trouble, but CGD is
not. Specific users of CGD have to change their drives, but the
framework continues to work as advertised.

> The fact that Roland did not invent any new ways of using algorithms
> does not mean that CGD is more secure.

It does, however, mean right from the get-go that the standard analysis
you use for looking at this works right out of the box. You don't have
to invent anything new to figure out if it works right.

> In fact, IMHO it is less secure because it uses
> the same key for the entire disk and because it reuses the same key
> for IV generation and encryption.

Do you know enough about cryptography to have an opinion, humble or
not? For example, if I handed you something encrypted in a
polyalphabetic cipher and asked you to tell me the key length, off the
top of your hand would you know how to use the index of coincidence to
do that? If I asked you to explain the difference between the security
of inner and outer CBC 3DES, could you tell me? Could you explain what
a characteristic is and how it is used in differential cryptanalysis?

I'm not saying, by the way, that you should take my opinion or anyone
else's as gospel. Argument from authority is worthless. At crypto
conferences you will find differing opinions -- merely understanding
crypto doesn't mean you are right.  You should learn enough to form
your own opinion. However, that implies that you must first learn
enough that you have a basis on which to form it. If you don't know
anything about medicine, do you have any good basis for telling your
anesthesiologist to use a different drug in your surgery?

So you say that to you, using one key for the entire disk is a bad
idea. Very good. On what basis do you say this?

Now it *is* true that you shouldn't use a key for too much data, and
we have some ways these days of calculating how much data "too much"
is. Do you understand how that calculation is performed?

> You have to trust Roland to integrate the well known and understood
> algorithms in a correct way, trusting the algorithms alone is not
> enough.

His code did indeed have some bugs to begin with. It was reviewed and
they were fixed.

> I am not designing cryptographic algorithms, what PHK did with
> GBDE cannot be compared to inventing MD5, snap out of it, you
> are starting to sound like a broken record.

But the problem is that he crossed a line, so it *can* be compared to
things like inventing MD5. He isn't merely using existing algorithms
in well known ways. He is, in fact, using algorithms in modes that
they having been used in before and making very very specific claims
of work factors to break these new modes.

>> WEP is even weaker than its design. That is because its designers
>> did not know what they were doing.
> I assure you PHK knows very well what he is doing

I've read his paper. I must respectfully disagree.

> and I think you should not mention his name in the same breath along
> with the names of the designers of WEP.

The comparison seems to be perfectly apt -- people competent in one
field assuming that another very complicated field is trivial, and
extending their work into that other field, in which they are no
longer competent.

>> Inventing new cryptographic modes is dangerous.
> Living is dangerous, today you are here, tomorrow you might get
> hit by a bus. But that does not mean you will stay inside your
> house where you are safe (at least from buses) forever, does it?

It does mean that if I invented a new mode for using a set of ciphers,
I would first send them to a bunch of crypto geeks to vet, then I
would write a detailed paper, and after a couple of years I might
consider actually using it in the real world.