Re: [PATCH] Delete cryptoloop
From: H. Peter Anvin
Date: Thu Jul 22 2004 - 09:18:10 EST
Followup to: <pan.2004.07.22.07.43.41.872460@xxxxxxxxxxxxxx>
By author: Matthias Urlichs <smurf@xxxxxxxxxxxxxx>
In newsgroup: linux.dev.kernel
>
> Hi, James Morris wrote:
>
> > It would be good if we could get some further review on the issue by an
> > independent, well known cryptographer.
>
> Well, I'm not, but ...
>
> AFAIK, the main issue is: If I write some data to the start of block N, I
> get a bit pattern. If I write the same data *anywhere* else (the middle of
> block N, the start of block M != N, a different on-disk bit pattern must
> result.
>
> If there are identical bit patterns, then the system is vulnerable.
> Obviously, this vulnerability doesn't depend on whether you're using
> cryptoloop or dm-crypt.
>
So does cryptoloop use a different IV for different blocks? The need
for the IV to be secret is different for different ciphers, but for
block ciphers the rule is that is must not repeat, and at least
according to some people must not be trivially predictable. One way
to do that is to use a secure hash of (key,block #) as the IV.
-hpa
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/