>>> On Tue, 8 Jun 2004 11:25:00 +0200, "newbie" <tacron@xxxxxxx> said:

tacron> hello, I'd like to know how Loop-AES (used with multikey mode,
tacron> key stored on external media, root directory encrypted and
tacron> booting from CD-ROM) and PPDD compare in terms of security.

The questions you ask sound like homework, of the ``For the crypto
course term paper, compare the following features of loop-AES, PPDD and
CGD, and deliver your essays by the end of this week''.

Part of the reason why I get this feeling is that the questions are
absurdly detailed, really don't make much sense, and several are
answered just by reading the relevant documentation: the sort of things
that are given as homework questions and some people are too lazy to
find the answers themselves, not the sort of questions one would ask out
of a genuine desire to understand the issues.

tacron> In the PPDD documentation, [ ... ] So, is the key actually
tacron> stored on disk?

The source to PPDD seems to be available...

Also, the article at
http://Koeln.CCC.DE/archiv/drt/crypto/ppdd.Specification.txt
seems to me very clear whether the master key is stored on the disk, a
bit further down the part you quote.

tacron> Furthermore, PPDD seems to use 17 randomly generated keys,
tacron> Loop-AES uses 64 AES keys to encrypt/decrypt sectors. Does this
tacron> automatically mean that Loop-AES is more secure concerning this
tacron> point?

"automatically mean" is a meaningless sequence of words. Perhaps that
should have been written "necessarily mean", but if so then it is still
pretty pointless because ``security'' is a matter of judgement, not
logical necessity.

Also, and more importantly, any question like "more secure" at this
level of detail is ridiculous without a detailed threat model and lots
of pretty formal work, or a team of professional cryptanalysts checking
it out.

tacron> Both PPDD and Loop-AES(gpg) seem to use /dev/urandom or
tacron> /dev/random. Now, if I want to use another (CS)PRNG, I could use
tacron> it only with Loop-AES?

Given that the sources to both PPDD and loop-AES are open, you can
always modify either to use any random generator.

As the sources are open, it is also pretty easy to figure out that at
least loop-AES (the device driver) does not use any random number
generator.

tacron> Loop-AES has the option for password seeding and key iteration
tacron> count to slow down dictionary attacks. Do you know whether PPDD
tacron> has a similar protection?

The source is indeed available, and also I think that the article
mentioned above has a very clear description of PPDD, and whether it
uses seeding at any point and for what (simple hint: search for the word
"seed" in that article).

tacron> I speculate that PPDD has no significant problems with using
tacron> Blowfish and the 64bit blocksize because this becomes only a
tacron> problem when encrypting every sector with a single key.

Good for you that you enjoy speculating about such matters.

tacron> PPDD uses this whitening process, to keep the IVs secret. Is
tacron> there any match in Loop-AES?

I suspect that the purpose of whitening in PPDD is not really about
keeping the IVs secret. As the article on PPDD says:

  «The data in the block is spread evenly throughout the block by a
  process known as whitening.»

Further on there is a clear description of how/whether whitening is
related to the IVs (of which there seem to be two sets...).

Doing a web search for "PPDD whitening" will return a link to a
discussion (in the archives of this mailing list...) of why ensuring
that "data in the block is spread evenly" might be useful.

Oh well, let's indulge your laziness with this link:

  http://mail.NL.Linux.org/linux-crypto/2003-05/msg00079.html

tacron> Dowdeswell/Ioannidis remark that only their cgd uses a secure
tacron> key generation method (pkcs#5 pbkdf2) and the other approaches
tacron> (including loop-aes) use a simpler hash transform. Does that
tacron> really include loop-AES?

In the CGD paper they say that their method seems preferable because it
uses salt and iterations. Have you read the loop-AES documentation for
any recent release of loop-AES?

tacron> How important is that drawback?

Is it a drawback? Compared to what? Under which threat model?

tacron> Maybe these questions are already redundant because PPDD seems
tacron> to be abandoned. Anyways, if some of you find the time I would
tacron> be thankful for any hint and things I missed here. [ ... ]

It would have been nice if you had found the time to read _carefully_
the paper that describes PPDD, the loop-AES documentation, and the
sources, and some web discussions about these subjects...

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
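
The thread contrasts a "simpler hash transform" with a salted, iterated derivation (PKCS#5 PBKDF2). The sketch below is an example added here, not part of the original post and not code from loop-AES, PPDD or CGD. It shows what salt and iterations change for a dictionary precomputation; the function names, wordlist, passphrase and iteration count are assumptions made for the illustration.

```python
import hashlib
import os

ITERATIONS = 50_000  # assumed work factor for this demo; tune to your hardware
WORDLIST = ["letmein", "hunter2", "correct horse", "tr0ub4dor"]  # constructed
PASSPHRASE = "hunter2"  # constructed: same weak passphrase on two volumes


def plain_hash_key(passphrase):
    """Simple hash transform: one unsalted SHA-256 pass."""
    return hashlib.sha256(passphrase.encode()).digest()


def pbkdf2_key(passphrase, salt, iterations=ITERATIONS):
    """PKCS#5 PBKDF2 with HMAC-SHA256: salted, `iterations` PRF calls per guess."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=32)


def build_table(derive):
    """Dictionary precomputation: map derived key -> candidate passphrase."""
    return {derive(word): word for word in WORDLIST}


def demo():
    salt_a, salt_b = os.urandom(16), os.urandom(16)  # one random salt per volume

    # Unsalted hash: both volumes get the same key, so one table built once
    # (before any volume is seen) covers every volume.
    plain_table = build_table(plain_hash_key)
    plain_hits = [plain_table.get(plain_hash_key(PASSPHRASE)) for _ in ("A", "B")]

    # PBKDF2: the table has to be built per salt, at ITERATIONS PRF calls per
    # candidate, and a table for volume A's salt says nothing about volume B.
    table_a = build_table(lambda w: pbkdf2_key(w, salt_a))
    pbkdf2_hits = [table_a.get(pbkdf2_key(PASSPHRASE, salt_a)),
                   table_a.get(pbkdf2_key(PASSPHRASE, salt_b))]
    return {"plain_table_hits": plain_hits, "pbkdf2_table_hits": pbkdf2_hits}


if __name__ == "__main__":
    print(demo())
```

Neither construction rescues a passphrase that is in the wordlist; salt removes reuse of the precomputation across volumes, and the iteration count sets the cost of each guess.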