FUD about CGD and GBDE

[Perry E. Metzger]

"Poul-Henning Kamp" <phk at phk.freebsd.dk> writes:
> I have a better idea: Why don't we get the cryptographers to
> show up at computer science conferences ?

They do. Perhaps you might want to listen to them.

I remember a certain talk at BSDCon where someone criticized the
design of the kernel RNG during the talk on it. He mentioned that the
person giving the presentation had stated a few inaccurate things,
such as claiming that there was a proof of security for Schneier's
Yarrow algorithm and a few other howlers. As I recall, he was
thoroughly criticized for mentioning these things. As I also recall,
when said person brought the topic up with a certain person named PHK,
he said "I don't want to hear about it."

>>1) No one claims that you need to be a cryptographer to write
>>   something like GBDE. What is being claimed is that you should not
>>   have invented your own cryptographic modes, and that you might have
>>   wanted to ask some professionals about your approach.
>
> You have not actually studied GBDE yet, right ?

I read your paper.

> You don't actually know if I invented my own "cryptographic modes"
> or not, do you ?

You did.

>>2) CGD *has* been looked at by a bunch of people, and was written to
>>   carefully use standard algorithms in a standard way. If you don't
>>   like using NetBSD code because NetBSD people have cooties, fine --
>>   I don't care, write your own. However, you should at least pay the
>>   same attention to conservative use of cryptographic algorithms and
>>   having people review your work is a good idea, too.
>
> Even if I were alone in the world with the sentiment, I would never
> call CGDs use of the same key for all sectors "conservative".

You are entitled to your opinion.

It is easy to break things in attempting to make them "more
secure". I'm reminded of inner-CBC 3DES. It is not obvious why inner
CBC would be a problem and outer CBC is not -- and yet inner CBC is a
problem.

Generally speaking, you are best off talking to someone who knows what
they are doing and asking them for help first rather than
inventing. The cryptography mailing list would be happy to discuss
anything you need ideas on. So would sci.crypt and other fora.

>>3) You've made some very bizarre claims about the security of your
>>   system. Some of these claims have already been shown on their face
>>   to be incorrect, such as your claimed work factor for breaking your
>>   new "improved" crypto modes.
>
> Sorry, they have only been disproved in a significantly larger universe
> than the one my users inhabit.  That doesn't count to me.

Being stubborn on this isn't going to help your users. The math is
pretty obvious here. Sure a brute force isn't practical -- but neither
is a brute force of AES-256. The point is if you are going to claim a
higher work factor than AES-256, you have to justify it, and if
someone points out an obvious flaw in your logic and shows the work
factor is lower than that for AES-256, the gentlemanly thing to do is
say "you are correct, I was mistaken."

>>   Instead, he admitted his mistakes and wrote a version 2.
>
> Any qualified, factually correct critique of GBDE will be taken very
> serious by me.  I am very much looking forward to it.  What Roland
> has provided is not it.

Roland's criticism is reasonable. Rather than getting angry, why don't
you consider it? You don't have to adopt CGD -- build something else
if you like. You could go off and try to discuss the algorithms you
are using openly and see what people in the field have to say. Being
openminded, by the way, includes not assuming in advance that having a
different key for every block is a good idea or similar things. It
means listening to the experts, and if you don't understand something,
learning what they know so you have an informed basis for comment.


-- 
Perry E. Metzger		perry at piermont.com