Subject: Re: FUD about CGD and GBDE
To: Perry E. Metzger <>
From: David Schultz <das@CSAIL.MIT.EDU>
List: tech-security
Date: 03/06/2005 11:53:21
On Thu, Mar 03, 2005, Perry E. Metzger wrote:
> No, I am not. PHK invented new cryptographic modes for his work. The
> fact that he does not understand this is part of the problem.

Hi Perry,

You've brought up this claim at several points in this thread.
Would you be willing to be more specific?  I apologize if I missed
an explanation in the noise.  More generally, I think a well
considered review from you would be more beneficial than all this
sniping.  If your principal objection is unproven assumptions in
GBDE, then it would be constructive to reason about which aspects
of the system are provably secure and which are heuristic.  If you
believe GBDE has irreparable flaws, FUD tactics should not be
required to demonstrate them.

My initial impression from reading the paper is as follows:

- The use of AES/CBC to encrypt key and data sectors seems to be
  entirely standard, provided that the IV is randomized as per
  footnote 6.  Subject to the security of key generation and of
  AES, this aspect of the design appears to be secure.

- The mechanism by which GBDE prevents information from the master key
  from leaking to the sector keys appears to be largely heuristic.

  o On the one hand, this means it would be difficult to prove that an
    adversary who can recover several sector keys cannot use this
    knowledge to easily recover the master key.

  o On the other hand, per-sector keying may significantly increase
    the work factor of a potential attacker in the event of a
    weakness in AES related to a large ciphertext sample, so it
    nevertheless seems superior to using the same key for everything.
    Therefore, this seems like a laudable design goal.

  o I'm not sure I believe the claim that the use of MD5 to
    generate so-called key-keys won't weaken security.  As a
    rather extreme example, suppose that it was discovered that on
    random input, an MD5 output only has 70 bits of entropy.  Then
    it might be relatively easy for an adversary to recover sector
    keys without knowing the master key.  (Granted, this would
    constitute a much stronger break in MD5 than is currently known.)

- The pseudorandom sector remapping is an additional layer that a
  would-be attacker would need to break, although in theoretical
  terms it probably adds very little.  In particular, it is prudent
  to assume that the adversary already knows the plaintext contents
  of a substantial fraction of the disk, and in such cases, the
  randomization makes little difference.  The randomization might
  be a more interesting property in the context of a semi-trusted
  remote block server, but that is out of scope.

Of course, the standard disclaimer applies to all of this.
Further, I don't claim to be an expert in this area, nor do I
claim to have performed a detailed analysis of GBDE.  As both you
and phk have already stated, additional reviews would definitely
be a good thing.