Pete Wright
Fri Mar 5 16:39:49 EST 2004

Roland C. Dowdeswell wrote:

>On 1078437259 seconds since the Beginning of the UNIX epoch
>"G. Rosamond" wrote:
>>Last night, Roland made reference to Linux's Cryptoloop.
>>Apparently, it's been dropped.
>Okay, so in my paper I make a couple of assertions about cryptoloop
>such as it is vulnerable to offline dictionary attacks.  Apparently,
>I did read the code before I wrote that a couple of years ago.  It
>looks like Linux has a couple of additional crypto disks that I
>either missed or perhaps they've been written since then which do
>not have this vulnerability.
>A little more reading of cryptoloop and some of the posts surrounding
>it show that it is even less secure than OpenBSD's vnd+crypto device
>(which is also vulnerable to offline dictionary attacks) in that
>the IV that they choose is dependent only on the contents of the
>block which allows certain kinds of structural analysis to be
>performed.  Specifically mentioned in some of the posts there would
>be a `watermark attack' where an adversary can construct files such
>that he can detect if you have them.  E.g., the RIAA could construct
>mp3's and still find them on a cryptoloop disk.
>CGD has never had any such obvious weaknesses, and loop-AES, e.g.,
>looks like it has addressed all of these issues.
Roland, how do you feel about dm-crypt then?


I know the Linux kernel hackers always felt that crypto-loop was a bad 
hack, at best.  From what I understand, which isn't much regarding 
crypt, honestly, dm-crypt is supposed to address many of the problems 
with crypto-loop.


Pete Wright
pete at nomadlogic.org
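An added illustration of the structural leak Roland describes, written for this archive page and not taken from the thread or from cryptoloop, loop-AES, CGD or dm-crypt themselves. It assumes two per-sector IV schemes: a predictable one built from the sector number alone (the "plain" scheme) and the ESSIV scheme (IV = E_{H(key)}(sector number)) that dm-crypt offers as cbc-essiv. The block cipher is replaced by an HMAC-based keyed function, which is sufficient for the encryption direction of CBC that the check needs. The crafted pair of sectors and the sample key are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

SECTOR = 512   # bytes per disk sector
BLOCK = 16     # block size of the (stand-in) block cipher


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a 128-bit block cipher (assumption): HMAC-SHA256 truncated to
    # one block. CBC encryption only needs a keyed pseudorandom function, and no
    # decryption is performed here, so this is enough for the illustration.
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def plain_iv(key: bytes, sector: int) -> bytes:
    # Predictable IV: the sector number, little-endian, zero-padded to a block.
    # Anyone who can see the disk layout knows this value without the key.
    return struct.pack("<Q", sector) + bytes(BLOCK - 8)


def essiv(key: bytes, sector: int) -> bytes:
    # ESSIV: encrypt the sector number under a key derived by hashing the disk
    # key, so the per-sector IV cannot be predicted without the key.
    salt = hashlib.sha256(key).digest()
    return block_encrypt(salt, plain_iv(key, sector))


def cbc_encrypt_sector(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Textbook CBC over one sector, chaining from the sector's IV.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def encrypt_disk(key: bytes, sectors: dict, iv_fn) -> dict:
    # Encrypt each (sector number -> plaintext) pair with the chosen IV scheme.
    return {n: cbc_encrypt_sector(key, iv_fn(key, n), d) for n, d in sectors.items()}


def first_block_leak(key: bytes, iv_fn) -> bool:
    # Defender's check for the leak described in the thread: two sectors whose
    # first plaintext blocks differ exactly by the XOR of their plain IVs are
    # fed into the cipher as the *same* value when the plain scheme is in use,
    # so their first ciphertext blocks match and the file is recognisable on the
    # encrypted disk without the key. Returns True when that recognisable
    # pattern appears under iv_fn.
    a, b = 7, 8                      # constructed sector numbers
    first_a = bytes(BLOCK)
    first_b = xor(first_a, xor(plain_iv(key, a), plain_iv(key, b)))
    rest = b"A" * (SECTOR - BLOCK)
    ct = encrypt_disk(key, {a: first_a + rest, b: first_b + rest}, iv_fn)
    return ct[a][:BLOCK] == ct[b][:BLOCK]


def identical_sectors_collide(key: bytes, iv_fn) -> bool:
    # Secondary check: the same plaintext written to two different sectors
    # should not produce the same ciphertext under either scheme.
    data = b"B" * SECTOR
    ct = encrypt_disk(key, {1: data, 2: data}, iv_fn)
    return ct[1] == ct[2]


if __name__ == "__main__":
    key = b"constructed-demo-key-16b"[:16]   # constructed sample key
    for name, fn in (("plain", plain_iv), ("essiv", essiv)):
        print(f"{name:5s} first-block leak: {first_block_leak(key, fn)}")
```

Run as a script, the plain scheme reports the leak and ESSIV does not; the point for the dm-crypt question in the thread is that the fix lives in the IV derivation, not in the block cipher.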

