[nycbug-talk] Re: Linux Cryptoloop

[Pete Wright]

Roland C. Dowdeswell wrote:

>On 1078437259 seconds since the Beginning of the UNIX epoch
>"G. Rosamond" wrote:
>  
>
>>Last night, Roland made reference to Linux's Cryptoloop.
>>
>>Apparently, it's been dropped.
>>
>>http://kerneltrap.org/node/view/2433
>>    
>>
>
>Okay, so in my paper I make a couple of assertions about cryptoloop
>such as it is vulnerable to offline dictionary attacks.  Apparently,
>I did read the code before I wrote that a couple of years ago.  It
>looks like Linux has a couple of additional crypto disks that I
>either missed or perhaps they've been written since then which do
>not have this vulnerability.
>
>A little more reading of cryptoloop and some of the posts surrounding
>it show that it is even less secure than OpenBSD's vnd+crypto device
>(which is also vulnerable to offline dictionary attacks) in that
>the IV that they choose is dependent only on the contents of the
>block which allows certain kinds of structural analysis to be
>performed.  Specifically mentioned in some of the posts there would
>be a `watermark attack' where an adversary can construct files such
>that he can detect if you have them.  E.g., the RIAA could construct
>mp3's and still find them on a cryptoloop disk.
>
>CGD has never had any such obvious weaknesses, and loop-AES, e.g.,
>looks like it has addressed all of these issues.
>
>--
>    Roland Dowdeswell			http://www.imrryr.org/~elric/
>_______________________________________________
>talk mailing list
>talk at lists.nycbug.org
>http://lists.nycbug.org/mailman/listinfo/talk
>  
>
roland how do you feel about dm-cryp then?

http://www.saout.de/misc/dm-crypt/

i know the linux kernel hackers always felt that crypto-loop was always 
a bad hack, at best.  from what i understand, which isn't much regarding 
crypt. honestly, dm-crypt is supposed to address many of the problems 
with crypto-loop.


-pete

-- 
~~~oO00Oo~~~
Pete Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete