Re: Loop-AES vs. PPDD

----- Original Message ----- 
From: "Peter Grandi" <pg_lcry@xxxxxxxxxxxxxxxxxxx>
To: "Linux crypto" <linux-crypto@xxxxxxxxxxxx>
Sent: Wednesday, June 09, 2004 6:03 PM
Subject: Re: Loop-AES vs. PPDD


> For example, consider among
> several other obvious hints the lack of personal identification on your
> email address, which might suggest to the cynical :-) a desire not to be
> caught out soliciting ``assistance''.
------------------------------------------
I give my main email address (with my real name) only to friends.

So far, I haven't found any scientific application of cryptography in
medical science.
------------------------------------------

> It's not "bla bla", for me it is very the essence of the discussion. I
> reckon that:
---------------------------------------
The "bla bla" referred to the "automatically - necessarily".
--------------------------------------
> tacron> Could you please answer the question?
>
> Sorry, my guess is that the question is pointless/unanswerable. [...]
-----------------------------------------------
The "could you please answer the question" referred to 17 keys ppdd vs. 64
keys loop-aes.
------------------------------------------------
> Consider this argument, which is not necessarily good, but to me seems
> to have some merit in some cases: having many keys, no matter whether 17
> or 64, means that probably they cannot be easily memorized. If they
> cannot, they have to be stored _somewhere_, encrypted with a key that
> has to be memorized (all this said with a particular but obvious family
> of cryptosystem architectures in mind).
>
> Does this improve or reduce ``security'' whatever that is? It's not so
> obvious, and may depend quite a bit on the threat model, because it
> seems to me that it trades off some data crypto hazards for some key
> management hazards.
---------------------------------------------
I guess it improves. Even if you use 17 or 64 keys and not one for
encrypting the sectors, you still have an incredibly large amount of data
for statistical, differential or probabilistic attacks in the future.
>
> Maybe if you have a single not too complex key you can just hold it in
> your head. Given that some plausible threat models are mostly about key
> management mishaps, this might be more ``secure'' than storing the
> vector of real encryption keys somewhere outside your head, and keeping
> in your head just the passphrase with which you encrypt that.
------------------------------------------
Hmm, maybe you're getting something wrong here. Having more keys to encrypt
the sectors seems to be better than just using one key or 17 or 64 keys.
PHK (GBDE): "A salted MD5 hash over the sectoroffset "cherry-picks" which
masterkey bytes participate in the MD5 hash which generates the "kkey" for
each particular sector. The kkey AES/128/CBC encrypts the PRNG produced
single-use key which AES/128/CBC encrypts the actual sector data."
>
>   tacron> becomes only a problem when encrypting every sector with a
>   tacron> single key.
>
> This statement seems to me to be based on the assumption that what is
> relevant is block size vs. *percentage* (100% vs. 5.9% or 1.5% or ...,
> depending on the number of keys) instead of absolute quantity (and
> likelihood of known plaintext in it) of ciphertext potentially available
> to an adversary. I also wonder if it wouldn't be more useful to worry
> about key size instead of block size with respect to percentage or absolute
> amount of ciphertext.
----------------------------------
No, it relates to "although the 64-bit block size is now considered too
short, because encrypting more than 2^32 data blocks can begin to leak
information about the plaintext"
http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
However, I don't know when these 2^32 (around 4 billion) blocks are reached.

>
>   More generally, it seems to me that one of the challenges with disk
>   encryption schemes is the large amount, especially compared to many
>   other uses of encryption, of ciphertext produced with the same key
>   (and the high likelihood some of it corresponds to known plaintext)
>   that might fall into the hands of the adversary.
------------------------------------
Absolutely right.
---------------------------------- 
> tacron> Really?  "On 20010920 (Thu) at 1114:48 +0200, Allan Latham
> tacron> wrote: [..]
>
>   alatham> PPDD "scrambles" the whole of a 512 byte block before
>   alatham> encryption in such a way that the iv for this action is kept
>   alatham> secret in the same way as the encryption keys and that the
>   alatham> scrambling action diffuses a change in any one byte
>   alatham> throughout the block.
>
> My suspicions involve also a misreading of this sentence: to me it
> states that the IV keys for whitening are kept secret _before_
> scrambling, "in the same way as the encryption keys" are kept secret,
> which is described as follows:
--------------------------------------
Agreed.
-------------------------------------
> else it's the attitude of a lazy guy that just wants to
> make his term paper with minimum cut-and-paste effort. :-)
-------------------------------------
Until now I didn't even know that I have to do a term paper about loop-aes
etc. :D
Without you I'd have serious problems now! Where do I find relevant
literature in a medicine library?

Anyway, thx for the funny discussion and maybe you'll get another Russian
Referee :P

best wishes, richard


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
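A worked estimate of when the 2^32-block limit quoted above is reached, added here as an example and not part of the original thread: it applies the standard birthday approximation to a 64-bit block cipher such as Blowfish and, as an assumption the thread does not state, takes the multi-key schemes to assign 512-byte sectors to keys round-robin.

```python
import math

SECTOR_BYTES = 512  # PPDD and loop-AES encrypt 512-byte sectors


def blocks_at_birthday_bound(block_bits: int) -> int:
    """Blocks after which repeated ciphertext blocks under one key become likely.

    For an n-bit block cipher in a CBC-like mode the bound is 2^(n/2) blocks:
    2^32 for a 64-bit block (Blowfish), 2^64 for a 128-bit block (AES).
    """
    return 1 << (block_bits // 2)


def bytes_at_birthday_bound(block_bits: int) -> int:
    """The same bound expressed as ciphertext bytes produced under one key."""
    return blocks_at_birthday_bound(block_bits) * (block_bits // 8)


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday approximation of P(at least one repeated ciphertext block)
    for n_blocks blocks under a single key: 1 - exp(-q(q-1) / 2^(n+1))."""
    q = n_blocks
    return 1.0 - math.exp(-(q * (q - 1)) / float(1 << (block_bits + 1)))


def per_key_collision_probability(block_bits: int, disk_bytes: int, n_keys: int) -> float:
    """Collision probability for the busiest key when the disk's sectors are
    spread over n_keys keys. Assumption (not from the thread): sectors are
    assigned round-robin, so each key sees roughly 1/n_keys of the ciphertext."""
    n_sectors = disk_bytes // SECTOR_BYTES
    sectors_per_key = -(-n_sectors // n_keys)          # ceiling division
    blocks_per_key = sectors_per_key * (SECTOR_BYTES // (block_bits // 8))
    return collision_probability(block_bits, blocks_per_key)


if __name__ == "__main__":
    bound = bytes_at_birthday_bound(64)
    print(f"64-bit blocks: 2^32 blocks reached after {bound / 2**30:.0f} GiB under one key")
    print(f"128-bit blocks: bound reached after 2^{bytes_at_birthday_bound(128).bit_length() - 1} bytes")
    for keys in (1, 17, 64):
        p = per_key_collision_probability(64, bound, keys)
        print(f"32 GiB disk, {keys:>2} keys: P(collision for busiest key) ~ {p:.2e}")
```

The absolute amount of ciphertext is the same in every row; splitting it over 17 or 64 keys only lowers each key's share, which is the percentage-versus-absolute trade-off discussed above.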

