Subject: Re: FUD about CGD and GBDE
To: None <perry@piermont.com>
From: ALeine <aleine@austrosearch.net>
List: tech-security
Date: 03/03/2005 18:48:34
perry@piermont.com wrote: 
 
> I have no doubt that was the intent. The question is, did he
> achieve it?

You seem to be making claims to the contrary, but at the same
time you do not even know some basic facts about GBDE. Have
you really read even the gbde(8) man page? If so, how come you
missed that big notice in bold at the very top, informing
users that "GBDE should be considered a slightly suspect
experimental facility." It was not encrypted, so I'm sure you
could have read it. But no, you come running and start spreading
FUD about GBDE and making claims about GBDE being promoted as
"the perfect solution." For someone who talks a lot about merit
your words and actions show very little of it.

> Yup. And Roland made the algorithm you use for encrypting your
> disk *pluggable*. That way, if AES is broken, you can replace it
> with the next big thing and move on with your life.
> Now, if AES is indeed broken, GBDE is in serious trouble, but CGD
> is not. Specific users of CGD have to change their drives, but the
> framework continues to work as advertised.

GBDE can easily be extended to be modular in that way. AFAIK PHK
does not see a need for that because he does not want to increase
the complexity, but it might be implemented at some point, it's just
not a priority. If AES is broken, can CGD re-encrypt the entire drive
using the new replacement algorithm on the fly, without requiring
any additional storage? If not, having such modularity is a bit of
a joke, it gives users a false sense of security.

> > The fact that Roland did not invent any new ways of using
> > algorithms does not mean that CGD is more secure.
> 
> It does, however, mean right from the get-go that the standard
> analysis you use for looking at this works right out of the box. 
> You don't have to invent anything new to figure out if it works
> right.

Sometimes the biggest mistakes hide in simplicity, I believe SMB
demonstrated that point quite aptly with the Needham-Schroeder
protocol flaw that was totally obvious, but went unnoticed for
18 years. When a 3 line protocol can be so obviously flawed and
the flaw goes unnoticed for such a long time I hope you are not
overly confident about CGD working right.

> Do you know enough about cryptography to have an opinion, humble
> or not? For example, if I handed you something encrypted in a
> polyalphabetic cipher and asked you to tell me the key length,
> off the top of your hand would you know how to use the index of
> coincidence to do that? If I asked you to explain the difference
> between the security of inner and outer CBC 3DES, could you tell
> me? Could you explain what a characteristic is and how it is used
> in differential cryptanalysis?

Have you actually read any of my posts or do you have a template
of questions that you send to anyone you feel "is welcome to
join the crypto community?" You speak of the openness and
merit and how the crypto community undeservedly has a bad
reputation for being elitist and dismissive of outsiders, yet
you are only reinforcing that very same stereotype in the
worst way. Your condescending tone is not welcome, but in case
you seriously expected an answer I suggest you take a course
in cryptography, you may even get help from someone at
sci.crypto, I hear they are really friendly there and
you should be able to find the right pair for your kind of
character(istic) there. :->

> I'm not saying, by the way, that you should take my opinion or
> anyone else's as gospel. Argument from authority is worthless.
> At crypto conferences you will find differing opinions -- merely
> understanding crypto doesn't mean you are right.  You should
> learn enough to form your own opinion. However, that implies that
> you must first learn enough that you have a basis on which to form
> it. If you don't know anything about medicine, do you have any good
> basis for telling your anesthesiologist to use a different drug in
> your surgery?

After what I've seen from you I would hardly call you an author,
let alone an authority on anything. You contradict yourself at
least twice a day, you make unsubstantiated claims, you talk down
to people and the chip on your shoulder is one of the biggest I've
seen. Worst of all, you have the time to keep wasting people's
time with your noise. If you are bored take up a hobby, perhaps
hosting a radio show might be fun?

> So you say that to you, using one key for the entire disk is a
> bad idea. Very good. On what basis do you say this?

On the same basis that I prefer to wear a jacket with many pockets
rather than a bag. You, of course, have read all my previous posts
in this discussion and know what I am talking about, that's why you
had to ask me about something I already explained.
 
> Now it *is* true that you shouldn't use a key for too much data,
> and we have some ways these days of calculating how much data "too
> much" is. Do you understand how that calculation is performed?

Are you sure it would be OK for me to answer that question?
After all, I'm not a member of the crypto community and I
might insult some member of the crypto community by answering.
Oh, well, I'll just have to risk it.

AES 256 CBC mode collision after:
key size * 2^(cipher block size / 2) = 16 * 2^(128/2) = 2^68 bytes

> > You have to trust Roland to integrate the well known and
> > understood algorithms in a correct way, trusting the algorithms
> > alone is not enough.
> 
> His code did indeed have some bugs to begin with. It was reviewed
> and they were fixed.

For now. At least the most obvious ones - or should I say the least
obvious ones?

> > I am not designing cryptographic algorithms, what PHK did with
> > GBDE cannot be compared to inventing MD5, snap out of it, you
> > are starting to sound like a broken record.
> 
> But the problem is that he crossed a line, so it *can* be
> compared to things like inventing MD5. He isn't merely using existing
> algorithms in well known ways. He is, in fact, using algorithms in modes
> that they haven't been used in before and making very very specific
> claims of work factors to break these new modes.

Oh my GOD, he crossed the line, how dare he! There are probably
angry cryptographers picketing in front of his house now. Luckily
it's quite cold this time of year in Denmark as well, so they
should not be there long.

> > I assure you PHK knows very well what he is doing
> 
> I've read his paper. I must respectfully disagree.

I must respectfully disagree with you, then.
 
> > and I think you should not mention his name in the same breath
> > along with the names of the designers of WEP.
> 
> The comparison seems to be perfectly apt -- people competent in
> one field assuming that another very complicated field is trivial,
> and extending their work into that other field, in which they are no
> longer competent.

Again you've proven that you do not even read what people here have
written, even if they replied to you directly. I believe PHK has
great respect for the cryptographers and the profession as such and
that he in no way finds it to be trivial, quite the opposite. But
you seem to enjoy writing more than reading and you probably talk
a lot because you enjoy hearing the sound of your own voice. Maybe
a radio show would be something for you to consider? :->

> It does mean that if I invented a new mode for using a set of
> ciphers, I would first send them to a bunch of crypto geeks to vet,
> then I would write a detailed paper, and after a couple of years I
> might consider actually using it in the real world.

If you ever invent anything usable in a production environment
let me know. Also let me know when your radio show will be on
and on what frequency so I know when to tune out. :->

ALeine
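Added example (not part of the thread above, and not GBDE or CGD code): the "too much data under one key" limit the message computes is the CBC birthday bound, 2^(n/2) blocks of n/8 bytes for an n-bit block cipher, which gives 2^68 bytes for a 128-bit block. The code below returns that figure and then makes the reason observable with a constructed 16-bit toy block cipher (a 4-round Feistel network, chosen only so a collision appears after a few hundred blocks): once two CBC ciphertext blocks collide, anyone holding only the ciphertext learns the XOR of the two corresponding plaintext blocks.

```python
import hashlib
import random

BLOCK_BITS = 16  # toy size so the birthday bound is reached in seconds


def birthday_bound_bytes(block_bits):
    """Bytes of CBC ciphertext after which a block collision becomes likely:
    2^(n/2) blocks, each n/8 bytes. For n=128 this is 16 * 2^64 = 2^68."""
    return (block_bits // 8) * 2 ** (block_bits // 2)


def _round_fn(key, rnd, half):
    # 8-bit keyed round function derived from SHA-256 (constructed toy).
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]


def toy_encrypt_block(key, block):
    # 4-round Feistel on two 8-bit halves: always a permutation, as a block
    # cipher must be, which is what makes a ciphertext collision informative.
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 8) | right


def cbc_encrypt(key, iv, plaintext_blocks):
    out, prev = [], iv
    for p in plaintext_blocks:
        prev = toy_encrypt_block(key, p ^ prev)  # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return out


def first_collision(ciphertext_blocks):
    """Return (i, j), i < j, of the first repeated ciphertext block, else None."""
    seen = {}
    for j, c in enumerate(ciphertext_blocks):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def leaked_xor(iv, ciphertext_blocks, i, j):
    # C_i == C_j and E is a permutation, so P_i xor C_{i-1} == P_j xor C_{j-1},
    # hence P_i xor P_j == C_{i-1} xor C_{j-1}: computable from ciphertext alone.
    chain = [iv] + ciphertext_blocks  # chain[k] is C_{k-1}, chain[0] is the IV
    return chain[i] ^ chain[j]


def demo(n_blocks=2000, seed=1):
    """Encrypt constructed random data under one key and show the leak."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(16))
    iv = rng.getrandbits(BLOCK_BITS)
    pts = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    cts = cbc_encrypt(key, iv, pts)
    hit = first_collision(cts)
    if hit is None:
        return None
    i, j = hit
    return {"i": i, "j": j, "leaked": leaked_xor(iv, cts, i, j),
            "actual": pts[i] ^ pts[j]}
```

With a real 128-bit block the same leak needs on the order of 2^64 blocks under one key, which is the figure a per-key data limit (or per-sector keying, as argued in the thread) is meant to stay well below.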