Subject: Re: FUD about CGD and GBDE
To: Perry E. Metzger <firstname.lastname@example.org>
From: David Schultz <das@CSAIL.MIT.EDU>
Date: 03/06/2005 11:53:21
On Thu, Mar 03, 2005, Perry E. Metzger wrote:
> No, I am not. PHK invented new cryptographic modes for his work. The
> fact that he does not understand this is part of the problem.
You've brought up this claim at several points in this thread.
Would you be willing to be more specific? I apologize if I missed
an explanation in the noise. More generally, I think a well
considered review from you would be more beneficial than all this
sniping. If your principal objection is unproven assumptions in
GBDE, then it would be constructive to reason about which aspects
of the system are provably secure and which are heuristic. If you
believe GBDE has irreparable flaws, FUD tactics should not be
required to demonstrate them.
My initial impression from reading the paper is as follows:
- The use of AES/CBC to encrypt key and data sectors seems to be
entirely standard, provided that the IV is randomized as per
footnote 6. Subject to the security of key generation and of
AES, this aspect of the design appears to be secure.
- The mechanism by which GBDE prevents information from the master key
from leaking to the sector keys appears to be largely heuristic.
o On the one hand, this means it would be difficult to prove that an
adversary who can recover several sector keys cannot use this
knowledge to easily recover the master key.
o On the other hand, per-sector keying may significantly increase
the work factor of a potential attacker in the event of a
weakness in AES related to a large ciphertext sample, so it
nevertheless seems superior to using the same key for everything.
Therefore, this seems like a laudable design goal.
o I'm not sure I believe the claim that the use of MD5 to
generate so-called key-keys won't weaken security. As a
rather extreme example, suppose that it was discovered that on
random input, an MD5 output only has 70 bits of entropy. Then
it might be relatively easy for an adversary to recover sector
keys without knowing the master key. (Granted, this would
constitute a much stronger break in MD5 than is currently known.)
- The pseudorandom sector remapping is an additional layer that a
would-be attacker would need to break, although in theoretical
terms it probably adds very little. In particular, it is prudent
to assume that the adversary already knows the plaintext contents
of a substantial fraction of the disk, and in such cases, the
randomization makes little difference. The randomization might
be a more interesting property in the context of a semi-trusted
remote block server, but that is out of scope.
Of course, the standard disclaimer applies to all of this.
Further, I don't claim to be an expert in this area, nor do I
claim to have performed a detailed analysis of GBDE. As both you
and phk have already stated, additional reviews would definitely
be a good thing.