Re: [PATCH] Delete cryptoloop

From: Jari Ruusu
Date: Mon Jul 26 2004 - 14:54:03 EST


Fruhwirth Clemens wrote:
> On Mon, 2004-07-26 at 12:54, Jari Ruusu wrote:
> > Fruhwirth Clemens wrote:
> > > On Sun, 2004-07-25 at 19:25, Jari Ruusu wrote:
> > > > In short: exploit encodes watermark patterns as sequences of identical
> > > > ciphertexts.
> > >
> > > Probably I'm missing the point, but at the moment this looks like a
> > > chosen plain text attack. As you know for sure, this is trivial. For
> > > instance, AES asserts to be secure against this kind of attack. (See the
> > > author's definition of K-secure..).
> >
> > > I'm suggesting it doesn't work at all.
> >
> > Fruhwirth, your incompetence has always amazed me. And this time is no
> > exception. What is conserning is that some mainline folks seem to listening
> > to your ill opinions. No wonder that both mainline device crypto
> > implementations are such a joke.
>
> Please don't resort to personal defamations.
>
> To summarize for an innocent bystander:
>
> - The attacks you brought forward are in the best case a starting point
> for known plain text attacks. Even DES is secure against this attack,
> since an attacker would need 2^47 chosen plain texts to break the cipher
> via differential cryptanalysis. (Table 12.14 Applied Cryptography,
> Schneier). First, the watermark attack can only distinguish 32
> watermarks. Second, you'd need a ~2.000.000 GB to store 2^47 chosen
> plain texts. Third, I'm talking about DES (designed 1977!), no chance
> against AES.
>
> - The weaknesses brought forward by me are summarized at
> http://clemens.endorphin.org/OnTheProblemsOfCryptoloop . Thanks goes to
> Pascal Brisset, who pointed out that cryptoloop is actually more secure
> than I assumed.
>
> If you, Jari, have any arguments left, it's time to state them now.

Even more amazed...

Fruhwirth, what you have failed to understand is that the exploit does does
not exploit flaws in any cipher, but cryptoloop's and dm-crypt's insecure
use of those ciphers. Any block cipher that encrypts two identical plaintext
blocks using same key and produces two identical ciphertext blocks will do.
It is all about tricking a cipher to encrypt two identical plaintext blocks,
which, after encryption will show up as two identical ciptext blocks. And
those identical ciphertext blocks can be easily detected and counted.

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/