Thanks for everyone's feedback. I'll be taking a closer look at loop-aes and determining how to incorporate that into my article. I'll let you all know when the article is ready for publication, and if anyone is interested in proofreading it for corrections I'm open to that at that stage. Thanks, Tom On Tue, 2006-02-21 at 03:41 -0800, Phil H wrote: > Sorry to reply to my own post. Here is a reader comment from the > dmcrypt wiki - not sure to what extent these have been addressed: > > [QUOTE] > I'm looking over this dmcrypt stuff but it looks like it still has the > old bug of using the sector number as the IV for CBC mode encryption. > The security weakness is well known. The maintainers apparently > decided to keep the bug in place to help interoperability with legacy > cryptoloop instances. But I think at minimum, IV generation for new > installations should be done differently. There is no reason to > postpone adding a new mode that generates IV's by encrypting the > sector number or something like that. Keep the current method > available as a backwards compatibility option, but make the default do > things securely. > > Also, there's also the issue that the passphrase directly generates > the bulk encryption key. That means if you want to change passphrases, > you have to decrypt and re-encrypt the entire partition. That's > painful. It's better to generate a random bulk encryption key, and use > the passphrase to encrypt the bulk key on the disk (the first sector > could be used for such metadata). > > Finally, I think some work should be done on encrypting root > partitions WITHOUT needing to boot from an external USB device. > Basically just the master boot record (and maybe a little bit of GRUB) > would be in cleartext. It would prompt for a passphrase and decrypt > the remaining sectors needed to boot the machine. > [/QUOTE] > > > > ______________________________________________________________________ > Yahoo! Mail > Use Photomail to share photos without annoying attachments. Tom Haddon mailto:mthaddon@xxxxxxxxx Noise proves nothing. Often a hen who has merely laid an egg cackles as if she laid an asteroid. -- Mark Twain ----------------- Random quotes courtesy of fortune. - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
