Re: [PATCH] Delete cryptoloop

[Fruhwirth Clemens]

On Mon, 2004-07-26 at 20:11, Jari Ruusu wrote:

> Fruhwirth, what you have failed to understand is that the exploit does does
> not exploit flaws in any cipher, but cryptoloop's and dm-crypt's insecure
> use of those ciphers. Any block cipher that encrypts two identical plaintext
> blocks using same key and produces two identical ciphertext blocks will do.
> It is all about tricking a cipher to encrypt two identical plaintext blocks,
> which, after encryption will show up as two identical ciptext blocks. And
> those identical ciphertext blocks can be easily detected and counted.

Rusuu, you failed to understand that I not only understood your attack,
but also disregard it as minor imperfection (warning: personal opinion).

Reason:
This watermarking evidence can't be used at court, because it does not
reveal the content (at least not in my country!). Even if the
watermarking domain has a bigger cardinality than 32, I doubt the
practical implications.

However, if you haven't understood it already, one more time just for
you: I vote for changing the IV scheme, see my posting from 23.2.2004
[1]. But as you might not know (because you never contributed anything
substantial to the kernel): Kernel developers try to get things right,
and using CryptoAPI for hashing IVs results in some problems if one
wants to avoid reinitializing the context every call: 

http://marc.theaimsgroup.com/?l=linux-kernel&m=107721067317841&w=2

[1] http://marc.theaimsgroup.com/?l=linux-kernel&m=107749648717666&w=2
-- 
Fruhwirth Clemens <clemens@xxxxxxxxxxxxx>  http://clemens.endorphin.org

Attachment: signature.asc
Description: This is a digitally signed message part