Subject: Re: FUD about CGD and GBDE
To: None <elric@imrryr.org>
From: ALeine <aleine@austrosearch.net>
List: tech-security
Date: 03/02/2005 16:33:16

I must have missed this one before.

elric@imrryr.org wrote: 

> Most of this started when I disputed some of the wild claims that
> PHK has made about the security of GBDE.

You have not disputed them, you have only confirmed the strengths of
GBDE and exposed the issue of atomic writes.

> Let me restate:
> 
> In:
> 
>	  http://www.bsdcan.org/2004/papers/gbde.pdf
> 
> The claim is made that there is at least O(2^256) work to crack a
> disk and O(2^384) to crack the disk if the lock sectors are
> destroyed.

Have you read PHK's paper located at:

http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf

> I do not believe that I need any credibility whatsoever to call
> shenanigans on these outrageous claims.
> 
> It is _plainly_obvious_ that if you encrypt 2^30 sectors each
> with a different 128 bit key then there are at most 2^158 different
> ways to decrypt the entire disk.  Period.

You need 2^128 steps to break the encryption of a single sector.
But you have no idea which of the 2^128 sectors is the right one,
so you store all of the 2^128 * 512 = 2^137 bytes. Right, which
movie is this from? Imagine that you could do the same with the
next sector... And you do this for 2^30 sectors and then figure
out which of the 2^128^(2^30) sector variations is the right one?
This is the worst case scenario for an attacker and it obviously
is beyond anyone's dreams. You have to resort to attacking GBDE
using knowledge about how it does encryption if you want to have
any kind of realistic chance of breaking it. In the paper I
mentioned PHK analyzed the attack vectors and what kind of threat
each one of them represents. You act as if you could just brute
force GBDE automatically. It cannot happen.

ALeine