Peter_22@xxxxxx wrote:
-------- Original Message --------
Date: Fri, 26 May 2006 02:17:07 +0100 (BST)
From: Christian Kujau <evil@xxxxxxxxxx>
To: linux-crypto@xxxxxxxxxxxx
Subject: Re: Loop-AES and Twofish on 64-bit CPU
On Tue, 9 May 2006, Gisle Sælensminde wrote:
First I would like to mention that this is not likely to increase the
security in any way.
Why not?
Thanks a lot for bailing me out :-) I did not know what to answer to Gisle Sælensminde. The prospect that a double layer of loop-aes could decrease security is rather shocking.
My questions and proposals never dealt with cipher analysis. I rather concentrate on things like a proper and easy-to-handle environment. Storing keys and tools on a USB stick has nothing to do with strong ciphers, but it is the ultimate opportunity to keep keys away from your attackers *and* encrypt all your data, not just larger parts.
As all ciphers can and will be broken, I deem it important to look for alternatives on how to cover encryption. Where could the data be on a drive with no partition table? Where to start a brute-force attack if there is no end and no beginning? Is it a successful attack if you get encrypted data after you break the first layer of encryption?
I suppose and fear popular tools like TrueCrypt rely too much on buzzword-compliant self-promotion.
I still suppose double encryption and mixing up more than one cipher indeed does slow down attackers.
Cryptologists often use the term cryptosystem. A cryptosystem is all
parts of the system, including the ciphers, the digest functions, and
how the different parts are combined to get a system that is secure as a
whole, and this is more than just the security of the ciphers used. If
the cryptosystem has flaws, it can be broken, even though the ciphers it
uses are secure. In this case the cryptosystem is loop-aes and all the
software for handling keys etc. My point is that by introducing the
double layer of encryption, you change the cryptosystem. This means that
some of the analysis done on the single encryption system is now
invalid. This may actually introduce a possibility for an attack; for
instance, it may introduce a weakness that lets an attacker exploit the
fact that the two ciphers use the same key, or some other attack that you
could not imagine. Of course the ciphers may be broken sometime in
the future, but the ciphers are quite well analyzed, and if a cipher is
broken, you will probably know it quite quickly. Then there is a much
bigger chance that there is a flaw in the design of loop-aes or in the
scheme for adding a double layer of encryption. The best thing to do to
increase the security of loop-aes is probably to sit down and analyze how the
In fact it is hard to get a cryptosystem right, and many big companies
that should have the resources to hire the best people in the field have
failed miserably. Examples of this are:
- Netscape's SSL implementation could be broken because they used a
random-number generator that was not of cryptographic quality.
- With the SSL 2.0 protocol, an attacker could force the communication to
use 40-bit keys, even though both parties supported 128-bit keys.
- The WEP protocol used the RC4 cipher the wrong way, by having a bad
scheme for seeding the user key used to derive the encryption key.
Firstly this introduced a possibility for key reuse (which basically
means that the system is broken when the cipher is a stream cipher). This
attack was later improved, using a newly discovered weakness in RC4.
This weakness in RC4 cannot be used to attack better designed systems.
My point with these examples is that the whole cryptosystem must be
considered, not just the ciphers, and as mentioned above, more people
have analyzed AES than the loop-aes system, so I would be more worried
about how loop-aes is designed than about the strength of the cipher. It
would be better to analyze the system all the way from user authentication
(typing passwords, USB sticks etc.) to how the blocks are encrypted, what
happens if part of a disk sector changes, etc.
An example of such an analysis of the Linux random device can be found
at the URL below:
http://eprint.iacr.org/2006/086
Regards,
Peter
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
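The WEP point made in the quoted message above (key reuse breaks a stream cipher regardless of how strong the cipher itself is) is easy to show concretely. The following is an added example, not code from the thread or from loop-aes or WEP: it implements RC4 from its public description, wraps it in a simplified WEP-style framing (a 3-byte IV sent in the clear, prepended to a shared key to form the per-packet RC4 key; a model, not the real WEP frame format), and shows that when two packets are sent under the same IV, XORing the two ciphertexts cancels the keystream and leaves only P1 XOR P2, so one known plaintext reveals the other. All keys, IVs and packet contents are constructed for the demonstration.

```python
# Added example: keystream reuse in a WEP-like RC4 framing.
# RC4 itself is implemented from its published KSA/PRGA description.
# The "WEP-like" framing (3-byte IV || shared key as the RC4 key, IV sent in
# clear) is a simplified model constructed for this demo, not real WEP.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


IV_LEN = 3  # WEP uses a 24-bit IV; the space wraps quickly on a busy network


def wep_like_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key = IV || shared key; the IV travels in the clear."""
    assert len(iv) == IV_LEN
    return iv + xor_bytes(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def wep_like_decrypt(shared_key: bytes, packet: bytes) -> bytes:
    """Inverse of wep_like_encrypt; stream ciphers decrypt by re-XORing."""
    iv, body = packet[:IV_LEN], packet[IV_LEN:]
    return xor_bytes(rc4_keystream(iv + shared_key, len(body)), body)


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Given two packets encrypted under the same IV (hence the same keystream)
    and the plaintext of the first, recover the plaintext of the second,
    without the key: C1 ^ C2 = (K ^ P1) ^ (K ^ P2) = P1 ^ P2."""
    if c1[:IV_LEN] != c2[:IV_LEN]:
        raise ValueError("different IVs: keystreams differ, no reuse to exploit")
    body1, body2 = c1[IV_LEN:], c2[IV_LEN:]
    n = min(len(body1), len(body2), len(p1))
    return xor_bytes(xor_bytes(body1[:n], body2[:n]), p1[:n])


def demo() -> bytes:
    """Two packets under one reused IV; the attacker knows only p1 (e.g. a
    predictable protocol header) and both ciphertexts. Returns recovered p2."""
    shared_key = b"constructed-demo-key"          # constructed, never revealed to attacker
    iv = b"\x00\x01\x02"                           # the reused IV
    p1 = b"GET /index.html HTTP/1.0\r\n"           # known/guessable plaintext (constructed)
    p2 = b"password=hunter2;sessionid=42"          # secret traffic (constructed)
    c1 = wep_like_encrypt(shared_key, iv, p1)
    c2 = wep_like_encrypt(shared_key, iv, p2)
    return recover_with_known_plaintext(c1, c2, p1)


if __name__ == "__main__":
    print(demo())   # b'password=hunter2;sessionid' (limited by the length of p1)
```

Note that nothing here attacks RC4 itself; the same demonstration works with any stream cipher, which is the quoted message's point: the flaw is in how the cipher is keyed, not in the cipher.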