Re: [PATCH 2/2] Support for VIA PadLock crypto engine

From: Fruhwirth Clemens
Date: Fri May 14 2004 - 09:17:09 EST


On Fri, May 14, 2004 at 04:31:20PM +0300, Jari Ruusu wrote:
> Michal Ludvig wrote:
> > On Thu, 13 May 2004, Jari Ruusu wrote:
> > > Andrew Morton wrote:
> > > > Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > > > > The cryptoloop implementation is busted in more than one way, so it is
> > > > > useless for security needs:
> > > >
> > > > Is dm-crypt any better?
> > >
> > > Nope. dm-crypt has same exploitable cryptographic flaws.
> >
> > Could you be more descriptive?
>
> cryptoloop and dm-crypt on-disk formats are FUBAR: precomputable ciphertexts
> of known plaintext, and weak IV computation. Anything that claims
> "cryptoloop compatible", and only that, is completely FUBAR. dm-crypt is
> such. IOW, there are now _two_ backdoored device crypto implementations in
> mainline.

Jari, you're starting to annoy me. You have been campaigning with FUD
against cryptoloop/dm-crypt for too long now. There are NO exploitable
security holes in neither dm-crypt nor cryptoloop. There is room for
improving both IV deducation schemes, but it's a theoretic weakness, one
which should be corrected nonetheless. However, modern ciphers are designed
to resist known-plaintext attacks. The default setup of loop-aes' initrd is
a greater threat to security, but wait for my paper on this. In the
meantime, stop spreading FUD, especially stop abusing the term "backdoored"!

Clemens

Attachment: pgp00000.pgp
Description: PGP signature