[nycbug-talk] Re: Linux Cryptoloop

Roland C. Dowdeswell elric
Fri Mar 5 14:45:18 EST 2004

On 1078437259 seconds since the Beginning of the UNIX epoch
"G. Rosamond" wrote:
>Last night, Roland made reference to Linux's Cryptoloop.
>Apparently, it's been dropped.

Okay, so in my paper I make a couple of assertions about cryptoloop
such as it is vulnerable to offline dictionary attacks.  Apparently,
I did read the code before I wrote that a couple of years ago.  It
looks like Linux has a couple of additional crypto disks that I
either missed or perhaps they've been written since then which do
not have this vulnerability.

A little more reading of cryptoloop and some of the posts surrounding
it show that it is even less secure than OpenBSD's vnd+crypto device
(which is also vulnerable to offline dictionary attacks) in that
the IV that they choose is dependent only on the contents of the
block which allows certain kinds of structural analysis to be
performed.  Specifically mentioned in some of the posts there would
be a `watermark attack' where an adversary can construct files such
that he can detect if you have them.  E.g., the RIAA could construct
mp3's and still find them on a cryptoloop disk.

CGD has never had any such obvious weaknesses, and loop-AES, e.g.,
looks like it has addressed all of these issues.

    Roland Dowdeswell			http://www.imrryr.org/~elric/

More information about the talk mailing list