Subject: Re: CBC and LRW?
To: Roland Dowdeswell <elric@imrryr.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 07/30/2006 15:49:11
On Sun, 30 Jul 2006 13:24:09 -0400, Roland Dowdeswell <elric@imrryr.org>
wrote:

> On 1153881116 seconds since the Beginning of the UNIX epoch
> "Steven M. Bellovin" wrote:
> >
> 
> >> The main difference appears to be better deniability: someone who can
> >> convince you to store a specially crafted file on your encrypted disk
> >> can then, given just the encrypted disk, prove that the file is stored
> >> there.
> >> 
> >I haven't seen the attack, but given the way CBC works it's not clear that
> >the attack would even apply in the context of cgd.
> 
> The attack was on the first implementation of encrypted disks for
> Linux which had a known IV (plaintext block number) for each block.
> You can then create a watermarked file by repeating sequences of
> sectors with the right bits twiddled to undo the known IV.  Cgd
> doesn't suffer from this as the IV is not known to the attacker.
> 
> Maybe we should have a look at LRW.  It's not a NIST approved mode
> is it?
> 
No, it's not.

I'll see one of the authors of that paper this week; I'll chat with him
about it. 


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
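The watermarking attack Roland describes above (a file built from repeated sectors whose first block is adjusted to cancel a public sector-number IV, so that identical ciphertext blocks appear on disk) can be reproduced in a few lines. The following is an added example, not code from the thread, cgd, or the Linux implementation being discussed. It assumes a toy 128-bit Feistel block cipher with an HMAC-SHA256 round function standing in for AES (so it runs with the standard library only), 512-byte sectors, and a made-up keyed IV scheme (`iv_secret`, IV = E_{H(key)}(sector number)) that stands in for "an IV the attacker cannot predict"; it is not cgd's actual IV derivation. `distinct_first_blocks` is the check a verifier with only the encrypted disk would run: under the public IV the watermark collapses every sector's first ciphertext block to one value, under the keyed IV it does not.

```python
import hashlib
import hmac

BLOCK = 16      # 128-bit blocks, as for AES
SECTOR = 512    # classic disk sector size (assumption for this example)
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: truncated HMAC-SHA256 over (round index, right half).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (balanced Feistel network). Stands in for AES here."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain CBC over one sector: C_i = E(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(data) % BLOCK == 0
    out, prev = bytearray(), iv
    for off in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    return bytes(out)


def iv_sector_number(key: bytes, sector: int) -> bytes:
    """The weak scheme from the thread: IV is the plaintext sector number, public."""
    return sector.to_bytes(BLOCK, "big")


def iv_secret(key: bytes, sector: int) -> bytes:
    """Hypothetical keyed IV: encrypt the sector number under a key-derived subkey.
    Without the disk key an attacker cannot predict it (stand-in for cgd's behaviour)."""
    subkey = hashlib.sha256(b"iv-subkey" + key).digest()
    return block_encrypt(subkey, sector.to_bytes(BLOCK, "big"))


def watermarked_file(mark: bytes, first_sector: int, n_sectors: int) -> bytes:
    """The crafted file: each sector's first plaintext block is mark XOR (public IV),
    so under iv_sector_number every sector feeds the same value into the cipher.
    The rest of each sector is filler. The attacker needs no key for this."""
    sectors = []
    for s in range(first_sector, first_sector + n_sectors):
        first = _xor(mark, s.to_bytes(BLOCK, "big"))
        sectors.append(first + b"\0" * (SECTOR - BLOCK))
    return b"".join(sectors)


def encrypt_disk(key: bytes, iv_fn, data: bytes, first_sector: int) -> list:
    """Encrypt consecutive sectors of data starting at first_sector with the given IV scheme."""
    n = len(data) // SECTOR
    return [cbc_encrypt(key, iv_fn(key, first_sector + i), data[i * SECTOR:(i + 1) * SECTOR])
            for i in range(n)]


def distinct_first_blocks(ciphertext_sectors: list) -> int:
    """Disk-only check: number of distinct first ciphertext blocks across the sectors.
    A watermark under a public IV collapses this to 1; an unpredictable IV keeps it
    at (essentially) one distinct block per sector, so the disk proves nothing."""
    return len({c[:BLOCK] for c in ciphertext_sectors})


# Constructed sample inputs: fixed key, fixed mark, 32 sectors starting at sector 1000.
KEY = bytes(range(32))
MARK = b"WATERMARK-PATTERN"[:BLOCK]
FILE = watermarked_file(MARK, 1000, 32)


def compare_iv_schemes() -> tuple:
    """Returns (distinct blocks under public IV, distinct blocks under keyed IV)."""
    public = distinct_first_blocks(encrypt_disk(KEY, iv_sector_number, FILE, 1000))
    keyed = distinct_first_blocks(encrypt_disk(KEY, iv_secret, FILE, 1000))
    return public, keyed


if __name__ == "__main__":
    pub, sec = compare_iv_schemes()
    print(f"public sector-number IV: {pub} distinct first block(s) over 32 sectors")
    print(f"keyed, unpredictable IV: {sec} distinct first block(s) over 32 sectors")
```

The point for a disk-encryption design is the last function: with a public, predictable IV the ciphertext alone exposes the repeated-input structure the attacker planted, which is the "proof" Steve describes; making the IV a secret function of the key and sector number removes that equality, which is why the attack does not carry over to cgd.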