FUD about CGD and GBDE

Poul-Henning Kamp phk at phk.freebsd.dk
Thu Mar 3 20:41:56 GMT 2005 

In message <20050303200005.GA21499 at panix.com>, Thor Lancelot Simon writes:
>On Thu, Mar 03, 2005 at 08:25:18PM +0100, Poul-Henning Kamp wrote:

>To quote David Hume, "Never an ought from an is."

I'm Danish by birth so english is only my second language, so I
apologize for mangling it.

>That "users" (who
>are they?  how many of them?  What criterion or criteria  of trust
>do they apply?) _did_ not trust X says precisely nothing about whether
>users _should_ not trust X.

<soapbox>

If there is one word I have come to detest, then "should" is at the
top of the list.  Voters _should_ vote based on intelligently informed
opinions.  Researchers _should_ report their findings uncolored by
personal bias.  Kids _should_ listen to their parents.  Somebody
_should_ fix this bug.

I increasingly associate "will not happen" when I read "should".

Let me twist it around:  How would the users know if they should or
should not trust something ?  They form their opinion based on the
information they have under the constraints they have.  And then,
more often than not, the remaining 30% is gut feeling.

When it comes to crypto gut feeling has about 70% of quorum.

The crypto establishment has a big problem communicating to the
rest of the world what their findings are in a way that makes this
information usable for people.  (IMO).

</soapbox>

>You seem to deny that there is a particular domain of expertise that is
>cryptography, or perhaps more rightly two domains, one being largely
>a subset of the other: how to design good cryptographic algorithms and
>how to use good cryptographic algorithms safely.

No I certainly don't.

I have personally the deepest respect and admiration for the craft.

I spent a lot of time before going into GBDE reading theory.
Interestingly again, the best book from a practitioners point of
view is written by an outsider in the crypto-clerigy.

I also spent a lot of time studying what was already available.

But in difference from everybody else (it seems) I also asked users
and administrators what they needed and wanted from a cryptographic
disk facility.

Interestingly I found that the users focus were very different from
the points which the crypto community emphasized.

And then I designed and wrote GBDE from that angle.

Despite what some people in this dicussion seems to belive, I did
not write GBDE using 1 iteration random-seed genetic programming.
A lot of thought and consideration went into it. 

I may not be a world renowned cryptographer, nor even claiming to
be one at all, but I am not totally without ability either.

I am fully aware of the arguments against complexity and I tried
very hard to simplify GBDE to the simplest possible algorithm while
maintaining the design goals fulfillment.  That is why there is no
journaling, no MAC, only a very simple level of positional hiding
and no heavy duty support for "plausible denial".

And then I tried very hard to engage somebody with the right
union-card to do a review for me, and despite the fact that funding
were available under the DARPA contract nobody would bite.

Lucky Green, on his own initiative contacted me because he heard
the rumour that I was working on something, and he convinced David
Wager to take a peek as well.  I am more grateful to them both than
my words can express.

They gave me a lot of sound advice and I tried my best to implement
according to it, but any blame for mistakes is entirely mine.

Now, if you could stop defending the cryptographers-local-64 union
and accept that non-union people might try to make the world a
better place by applying some of the craft in actual code, instead
of banning the code because an infidel wrote it, then you could
really help by giving said code a professional review.

It would be much appreciated if you did.

If you sit down and study GBDE, you will find that I have used all
the cryptographic algorithms in a conservative way and likely as
not, you will end up saying "overkill".  The users will call the
same "safety margin".

The truth is somewhere between, because the real world is shades
between dark white and light black.

>You call Roland's criticisms of GBDE "handwaving".

I have yet to see anything solid from him where he didn't overlook
something in his haste to prove his own product superior.

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the freebsd-hackers mailing list