Subject: Re: FUD about CGD and GBDE
To: None <>
From: ALeine <>
List: tech-security
Date: 03/03/2005 19:17:53 wrote: 

> It is a serial attack that is:
>	  for (i=0; i < n; i++) {
>		  crack the i'th key--key block;
>	  }
> So it is actually where $n$ is the number of key--key sectors:

[ ASCII art removed and sent to the museum of modern arts :-> ]

> So, for a disk with 2^30 key--key sectors it would be
>	  2^30 * 2^128 = 2^158
> I realise that PHK has been claiming that you might get false
> positives, and that you somehow have to maintain a matrix of past
> this and that.  It is a lot simpler than this really.

Your assumption is wrong. First of all, the first sector of the
encrypted image does not necessarily start at the beginning of
the disk, nor does the last sector have to be the last sector
of the disk. At initialization first_sector, last_sector and
total_sectors can be set so that the encrypted image is placed
at an offset from both sides of the disk. If you also use
random_flush that free space (padding) is filled with random
garbage automatically, so one cannot detect where the encrypted
image actually begins or ends.

I would like to see some statistics regarding the distribution
of superblock, inode and directory structures, but I believe
the attack you are describing cannot be automated to the point
of being practical.

You also completely ignored the fact that the smallest logical data
sector size is 512 bytes, but that it can also be set to any
reasonable 2^n size (as PHK already pointed out, 2kb is the
recommended size on FFS). You can only guess as to the size
of the logical sector.

You also have to take into acount the fact that there are at
least 4 512 byte lock sectors (regardless of the size of the
logical sector) which will thwart your automated brute forcing
attempt further. Lock sectors can be anywhere, their location is
picked randomly at initialization and everything else has to map
around them, so you cannot assume anything about their location
or know that you stumbled upon them.

If you take into account that you cannot be sure that you got a
complete zone or that you are indeed looking at a single logical
data sector things become complicated quickly, so your estimate
is way too optimistic.

BTW, since you claim to have studied the papers, you may want to
start using the correct terminology, there is no such thing as a
key-key sector, there are only key sectors, data sectors, lock
sectors, the master key, generated key-keys and sector keys.

WebMail FREE