Re: [PATCH] Delete cryptoloop
From: Thomas Habets
Date: Fri Jul 23 2004 - 06:06:41 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So in addition to making sure that everything on your systems works when
switching from 2.4 to 2.6, we now have to hope that working APIs don't change
(or disappear) in an incompatible way between minor versions? Is that right?
Is there some kind of hidden motive behind this? For example, does the
presence of cryptoloop force some other ugly part of the kernel to be in a
certain way? If cryptoloop is removed, will you think "finally, I can change
this other old crappy code"?
I will move to dm-crypt eventually if it's so much better, but cryptoloop
works in practice *now* (mount knows about it etc..).
James Morris said:
>Part of the reason for dropping cryptoloop is to help dm-crypt mature more
>quickly.
Reminds me of the futurama quote:
Fry: "Now that you mention it, I do have trouble breathing underwater
sometimes. I'll take the gills."
Man: "Yes, gills. Then you don't need lungs anymore, is right?"
Fry: "Can't imagine why I would."
Man: "Lie down on table. I take lungs now, gills come next week."
(except that, well, lungs are better in both the short and long run for most
humans, while dm-crypt may be better in the long run for secret things)
And I can't say I really see what's so horrible about cryptoloop. Dictionary
attack being possible? Uhm, yeah, I kind of assumed that from the beginning.
And I don't see how *any* mishandling of IV can matter to me. The block
crypto (AES in this case) should have been (and I assume is) designed against
all kinds of chosen-plaintext, chosen-ciphertext, differential cryptanalysis,
etc... This *will* stop every offline attack from everyone who's interested
in my data. In the actual real world. (If this assertion is wrong, I'd
*really* like to know about it. But everything I've read on the insecurity of
cryptoloop has convinced me that this is the case.[0])
If dm-crypt fixes some things, that's good. Now make it practical. And I'm
growing old, I fear changes, I need time to adjust. I'm scared, where am I?
Also, being able to boot 2.4 and still have a compatible cryptoloop is nice
while moving everything to 2.6. (and when everything is 2.6-perfect, one can
switch to dm-crypt).
Mark it deprecated? Sure, whatever. But don't take away my cryptoloop!
from http://seclists.org/lists/linux-kernel/2004/Mar/0719.html:
>Sequential IV's aren't a good choice with CBC -- they can leak a little
>bit of information about the first block of plaintext, in some cases.
Ah, this is interesting. The way I'm reading it this could only leak some
"information" about maybe my superblock.
If this is what cryptoloop uses then it's bad. Still, it's not big-red-switch
bad, just "try to find the time to switch this year" bad. At least for me.
[0] I'd be interested in both if non-NSA kan read it and if NSA is actually
interested in my data. If you know of either, tell me. :-)
- ---------
typedef struct me_s {
char name[] = { "Thomas Habets" };
char email[] = { "thomas@xxxxxxxxxxxx" };
char kernel[] = { "Linux 2.4" };
char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBAO+WKGrpCq1I6FQRAn/SAKCyx20hCdEGzY58ZQeocIScDTk73QCeI+gq
ZZn1/PFtwOwldIZ9Xm8ekvY=
=kKqs
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/