Re: [PATCH] Delete cryptoloop
From: Fruhwirth Clemens
Date: Mon Jul 26 2004 - 18:02:56 EST
On Mon, 2004-07-26 at 20:11, Jari Ruusu wrote:
> Fruhwirth, what you have failed to understand is that the exploit does does
> not exploit flaws in any cipher, but cryptoloop's and dm-crypt's insecure
> use of those ciphers. Any block cipher that encrypts two identical plaintext
> blocks using same key and produces two identical ciphertext blocks will do.
> It is all about tricking a cipher to encrypt two identical plaintext blocks,
> which, after encryption will show up as two identical ciptext blocks. And
> those identical ciphertext blocks can be easily detected and counted.
Rusuu, you failed to understand that I not only understood your attack,
but also disregard it as minor imperfection (warning: personal opinion).
Reason:
This watermarking evidence can't be used at court, because it does not
reveal the content (at least not in my country!). Even if the
watermarking domain has a bigger cardinality than 32, I doubt the
practical implications.
However, if you haven't understood it already, one more time just for
you: I vote for changing the IV scheme, see my posting from 23.2.2004
[1]. But as you might not know (because you never contributed anything
substantial to the kernel): Kernel developers try to get things right,
and using CryptoAPI for hashing IVs results in some problems if one
wants to avoid reinitializing the context every call:
http://marc.theaimsgroup.com/?l=linux-kernel&m=107721067317841&w=2
[1] http://marc.theaimsgroup.com/?l=linux-kernel&m=107749648717666&w=2
--
Fruhwirth Clemens <clemens@xxxxxxxxxxxxx> http://clemens.endorphin.org
Attachment:
signature.asc
Description: This is a digitally signed message part