From: Fruhwirth Clemens <clemens-dated-1085585540.2c1d@endorphin.org>
To: Jari Ruusu <jariruusu@users.sourceforge.net>
Cc: Michal Ludvig <michal@logix.cz>, Andrew Morton <akpm@osdl.org>,
jmorris@redhat.com, davem@redhat.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] Support for VIA PadLock crypto engine
Date: Sun, 16 May 2004 17:32:18 +0200
Message-ID: <20040516153218.GA9170@ghanima.endorphin.org>
In-Reply-To: <40A4EE3C.A80D4B5B@users.sourceforge.net>
On Fri, 2004-05-14 at 18:05, Jari Ruusu wrote:
> loop-AES wasn't born perfect. But I have pleaded guilty for each and every
> fuck-up that was there. And then went on and fixed the damn code.
> Countermeasures against optimized dictionary attacks were included in 2001,
> and stronger IV in 2003.
Your countermeasures to optimized dictionary attacks are suboptimal. The
following code is from your util-linux patch:
aes_encrypt(&ctx, &loopinfo.lo_encrypt_key[ 0], &loopinfo.lo_encrypt_key[ 0]);
aes_encrypt(&ctx, &loopinfo.lo_encrypt_key[16], &loopinfo.lo_encrypt_key[16]);
/* exchange upper half of first block with lower half of second block */
memcpy(&tempkey[0], &loopinfo.lo_encrypt_key[8], 8);
memcpy(&loopinfo.lo_encrypt_key[8], &loopinfo.lo_encrypt_key[16], 8);
memcpy(&loopinfo.lo_encrypt_key[16], &tempkey[0], 8);
Symmetric block ciphers can't be used as hashing per se. Nor does the
swapping scheme you're using seem to be a standard hash construction for ciphers.
I suggest reading "Applied Cryptography", Bruce Schneier, "18.11 One-Way
hash functions using symmetric block algorithms" as an introduction to that
topic. To avoid these troubles altogether, I recommend using a standard
MAC instead.
Further, the iteration depth of 10^5 seems to be insufficient.
> > You have been campaigning with FUD
> > against cryptoloop/dm-crypt for too long now. There are NO exploitable
> > security holes in neither dm-crypt nor cryptoloop.
>
> In the past you, Fruhwirth, have demonstrated that you don't understand what
> the security holes are. The fact that you still don't seem to understand
> does not mean that the holes are not there.
Everyone attending a rhetoric seminar learns, "If you run out of
arguments, attack the person". The attacks you're speaking of in
the next paragraph apply to the key deduction. That's very different
from IV deduction.
> Optimized dictionary attack is exploitable. Ok, it requires major government
> size funding, but what do you think NSA guys get paid for?
>
> Watermark attack is exploitable using zero budget.
As I said, not cryptoloop's responsibility.
> You insisting that cryptoloop/dm-crypt do not have exploitable security
> issues does not increase confidence at all. Quite the contrary, as it
> implies that existing vulnerabilities won't be fixed.
Please read my mails carefully. See the following paragraph:
> > There is room for improving both IV deduction schemes, but it's a
> > theoretic weakness, one which should be corrected nonetheless.
> One cryptoloop developer
> somehow managed to convince the util-linux maintainer to drop those
> countermeasures against optimized dictionary attacks. To protect the guilty,
> I won't name his name here, but search linux-crypto archives for 14 Mar 2003
> 11:12:13 -0800 posting if you want to know his name.
You are talking about util-linux again. Ruusu, don't try to fool the
audience by arguing for something totally different. Further, if you try to
provide evidence for something, provide a URL to back your claims. I wasn't
able to find any mails in the archives dealing with that topic.
Best Regards, Clemens
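The message above argues that a bare block cipher plus an ad-hoc byte swap is not a hash, that a standard MAC construction should be used for stretching the passphrase, and that 10^5 iterations is too few. The following is an added example, not code from this thread, from loop-AES or from util-linux: it implements the standard iterated-MAC key-stretching construction PBKDF2 (RFC 2898) on top of HMAC-SHA256, checks it against Python's built-in hashlib.pbkdf2_hmac, and includes a small calibration helper so the iteration count can be chosen from a time budget rather than a fixed constant. The choice of SHA-256, the 16-byte salt and the iteration counts are assumptions of this example; the thread does not specify parameters.

```python
# Added example: PBKDF2-HMAC-SHA256 as the "standard MAC" based
# alternative to encrypt-and-swap key stretching. Not from loop-AES,
# util-linux or this mailing-list thread; hash, salt size and
# iteration counts are this example's own assumptions.
import hashlib
import hmac
import os
import struct
import time


def pbkdf2_hmac_sha256(password: bytes, salt: bytes,
                       iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) with HMAC-SHA256 as the PRF.

    For each output block i:  T_i = U_1 xor U_2 xor ... xor U_c, where
    U_1 = PRF(password, salt || INT(i)) and U_j = PRF(password, U_{j-1}).
    Every step goes through a keyed MAC, so no ad-hoc block swapping is
    needed to make the output depend on the whole passphrase.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if dklen < 1:
        raise ValueError("dklen must be >= 1")
    hlen = hashlib.sha256().digest_size          # 32 bytes
    nblocks = -(-dklen // hlen)                  # ceil(dklen / hlen)
    out = bytearray()
    for i in range(1, nblocks + 1):
        # U_1 = HMAC(password, salt || big-endian 32-bit block index)
        u = hmac.new(password, salt + struct.pack(">I", i),
                     hashlib.sha256).digest()
        acc = int.from_bytes(u, "big")
        # U_j = HMAC(password, U_{j-1}); T_i accumulates the XOR of all U_j
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(hlen, "big")
    return bytes(out[:dklen])


def derive_volume_key(passphrase: bytes, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    """Derive a 32-byte (AES-256) key from a passphrase and a per-volume
    salt. The salt must be stored alongside the volume header; the
    iteration count is the only knob an attacker cannot amortise away
    across many passphrase guesses, which is why it must be large."""
    return pbkdf2_hmac_sha256(passphrase, salt, iterations, 32)


def matches_stdlib(passphrase: bytes, salt: bytes, iterations: int,
                   dklen: int) -> bool:
    """Cross-check this implementation against hashlib.pbkdf2_hmac."""
    ours = pbkdf2_hmac_sha256(passphrase, salt, iterations, dklen)
    ref = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen)
    return hmac.compare_digest(ours, ref)


def calibrate_iterations(target_seconds: float = 0.5,
                         probe: int = 10_000) -> int:
    """Pick an iteration count so that one derivation takes roughly
    target_seconds on this machine (uses the C implementation in hashlib
    for timing). Returns at least `probe`."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", salt, probe, 32)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:
        return probe
    return max(probe, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    # Constructed sample input: a weak passphrase and a fresh random salt.
    salt = os.urandom(16)
    key = derive_volume_key(b"correct horse battery staple", salt)
    print("derived key:", key.hex())
    print("matches hashlib:", matches_stdlib(b"pw", salt, 1000, 48))
    print("iterations for ~0.5 s on this host:", calibrate_iterations())
```

The per-volume random salt is what defeats the precomputed ("optimized") dictionary the thread is arguing about, and the iteration count sets the per-guess cost; calibrate_iterations makes that cost a function of current hardware instead of a number fixed in the source years earlier.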