Subject: Re: FUD about CGD and GBDE
To: Poul-Henning Kamp <>
From: Perry E. Metzger <>
List: tech-security
Date: 03/04/2005 09:02:55
"Poul-Henning Kamp" <> writes:
> In message <>, "Perry E. Metzger" writes:
>>My strong suggestion for you is that you adopt a similar approach --
>>build a good framework that, given good algorithms, will provide
>>security, and make it easy for users to change over if an algorithm
> If you actually look at GBDE, you will see that any and all of the
> algorithms can be changed.  They are used only in their most basic
> capability.  This was part of the design from the start: not to
> rely on any single-source algorithm.

I understand that, but the point is to make it user friendly. CGD lets
you pick a number of crypto systems right now in its
configuration. You can pick multiple key lengths, methods of deriving
the key, etc.

I've read through things like the GBDE command man page, how-tos,
etc., and I found nothing that allows you to do stuff like change
cipher with GBDE. I also don't find support for things like
multi-factor authentication. All that could be added, of course, and I
encourage you to do it -- but my point is that it isn't there now and
you should look at doing it. If I can pick any one of several ciphers
and key lengths already or specify things like multi-factor
authentication, my apologies.

In any case, please understand that my goal is not to tell your users
that FreeBSD is garbage or anything like that. My goal is to get you
to improve what you have done. If you want to tell me I'm an idiot or
what have you, feel free, but I don't think that will serve your users
particularly well.

>>Well, so is stock AES 256. I don't see why I should assume your
>>construction is any better. What do you know that the NIST/NSA review
>>of AES did not know?
> That neither the authors of Rinjdael, its reviewers, nor NIST are 
> willing to offer a 25 year warranty on it.

No one rational will give a warranty on *any* encryption system for
*any* length of time. The best I can say, however, is that the US
government has approved the use of AES with 256 bit keys for very
highly secure communications, and they have a very demanding user

Assuming that you can brute force a bit or two more key per year, and
assuming that better cryptanalytic techniques doubled that somehow,
you would still have many many years before 256 bit AES became a real
issue. Anyone rational attacking you will look at other flaws in your
system first.

Perry E. Metzger