Subject: Re: FUD about CGD and GBDE
To: Perry E. Metzger <perry@piermont.com>
From: Poul-Henning Kamp <phk@phk.freebsd.dk>
List: tech-security
Date: 03/03/2005 22:15:55
In message <87y8d4ih9b.fsf@snark.piermont.com>, "Perry E. Metzger" writes:
>
>"Poul-Henning Kamp" <phk@phk.freebsd.dk> writes:
>> In message <Pine.NEB.4.62.0503031436160.12890@server.duh.org>, Todd Vierling writes:
>>>On Thu, 3 Mar 2005, Poul-Henning Kamp wrote:
>>>
>>>> At the time where I wrote GBDE, the best that was offered was CGD (and
>>>> similar) and users (not cryptographers!) didn't trust it
>>>
>>>Could you back up this claim, insofar that "users" did not trust cgd?  I
>>>haven't seen any distrust of cgd -- in fact, I've seen quite a bit of
>>>welcome acceptance of cgd by both users *and* cryptographers.
>>
>> Some of the people I talked to were very unhappy about the same key
>> being used for all sectors on the disk.
>
>Now, was that in the first day after cgd was committed or the second?
>As I recall, you committed GBDE 48 hours after CGD was committed in
>NetBSD. I'd be curious to hear about how much you changed your design
>in that period in response to feedback on cgd. (Please correct me if
>I'm wrong about the time gap.)

I am being a bit unfair here because I am lumping CGD in with the
equally deficient code in Linux (Loop-AES etc).  It was mostly the
Linux code I talked to people about, but CGD makes the same exact
mistake.

>> Some of the people I talked to were very unhappy about the same key
>> being used for all sectors on the disk. Even a small weakness in
>> the cipher becomes a big hole because of the amount of data this
>> offers for analysis.
>
>I think we've already established that this fear, though
>understandable, is not a reasonable one under the circumstances. See
>several postings already made. You are better off just using AES with
>a longer key than the GBDE mechanism.

I'm sorry, I reached the exact opposite conclusion.

The work that was referred to earlier of defactorizing AES into a
very large number of equations would be exactly the kind of attack
I would worry about if I have 80 million sectors with the same key.

If that attack comes through, but relies on some particular bit
combination being present on the plaintext or ciphertext of the
algorithm, I see no reason why I would want to improve the attackers'
odds by a factor of 80 million.

And if CGD is _so_ officially approved as you say, then I can not
for the life of me understand how it can use the same key to generate
the IV and perform the encryption.  At the very least two different
keys should have been used at the "expense" of making the masterkey
512 bits instead of 256.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
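The split-key layout argued for in the last paragraph of the message, as an added example in Go that is not code from GBDE, CGD or anyone in this thread: a constructed 512-bit master key is split into a 256-bit data key and a separate 256-bit IV key, the per-sector IV is the sector number encrypted under the IV key alone, and the sector is then CBC-encrypted under the data key. The 512-byte sector, CBC mode and the little-endian sector counter are assumptions for the illustration, not a description of either system.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512
func mustAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// sectorIV encrypts the sector number under a key used for nothing else,
// so the data key is never applied to predictable sector numbers.
func sectorIV(ivKey []byte, sector uint64) []byte {
	var in, out [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(in[:8], sector)
	mustAES(ivKey).Encrypt(out[:], in[:])
	return out[:]
}

// cryptSector splits a 512-bit master key into a 256-bit data key and a
// 256-bit IV key, then runs one 512-byte sector through AES-CBC.
func cryptSector(master []byte, sector uint64, in []byte, decrypt bool) []byte {
	if len(master) != 64 || len(in) != sectorSize {
		panic("need a 512-bit master key and a 512-byte sector")
	}
	data, iv := mustAES(master[:32]), sectorIV(master[32:], sector)
	mode := cipher.NewCBCEncrypter(data, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(data, iv)
	}
	out := make([]byte, sectorSize)
	mode.CryptBlocks(out, in)
	return out
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 64) // constructed sample key, not a real one
	zero := make([]byte, sectorSize)
	c0, c1 := cryptSector(master, 0, zero, false), cryptSector(master, 1, zero, false)
	fmt.Println("sectors 0 and 1 differ:", !bytes.Equal(c0, c1))
	fmt.Println("round trip ok:", bytes.Equal(cryptSector(master, 1, c1, true), zero))
}
```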