[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Loop-AES and Twofish on 64-bit CPU

To: Peter_22@xxxxxx
Subject: Re: Loop-AES and Twofish on 64-bit CPU
From: Gisle Sælensminde <Gisle.Salensminde@xxxxxxxxxxx>
Date: Sun, 28 May 2006 15:05:14 +0200
Cc: Christian Kujau <evil@xxxxxxxxxx>, linux-crypto@xxxxxxxxxxxx
In-reply-to: <20060526210805.179940@gmx.net>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-id: <linux-crypto.nl.linux.org>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
References: <20060507213257.GA1238@dantooine> <4536.1147116034@www013.gmx.net> <446067A8.3040501@cbu.uib.no> <Pine.NEB.4.64.0605260211430.8433@vaio.testbed.de> <20060526210805.179940@gmx.net>
Sender: linux-crypto-bounce@xxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (Macintosh/20050923)

Peter_22@xxxxxx wrote:

-------- Original-Nachricht --------
Datum: Fri, 26 May 2006 02:17:07 +0100 (BST)
Von: Christian Kujau <evil@xxxxxxxxxx>
An: linux-crypto@xxxxxxxxxxxx
Betreff: Re: Loop-AES and Twofish on 64-bit CPU
On Tue, 9 May 2006, Gisle Sælensminde wrote:

First I would like to mention that this is not likely to increase the security in any way.

Wy not?


Thanks a lot for bailing me out:-) I did not know what to answer to Gisle Sælensminde. The outlook that a double layer of loop-aes could decrease security is rather shocking.
My questions and proposals never dealt with cipher analysis. I rather concentrate on things like a proper & easy to handle environment. Storing keys and tools on a usb-stick has nothing to do with strong ciphers but it is the ultimate opportunity to keep keys away from your attackers *and* encrypt all your data, not just larger parts.
As all ciphers can and will be broken I deem it important to look for alternatives on how to cover encryption. Where could the data be on a drive with no partition table? Where to start a brute force attack if there is no  end and no beginning? Is it a successfull attack if you get encrypted data after you break the first layer of encryption?
I suppose and fear popular tools like truecrypt rely to much on buzzword compliant selfpromotion.
I still suppose double encryption and mixing up more than one cipher in deed does slow down attackers.

Cryptologists often use the term cryptosystem. A cryptosystem is all parts of the system, including the ciphers, the digest functions, and how the different parts are combined to get a system that is secure as a whole, and this is more than just the security of the ciphers used. If the ciphersystem has flaws, it can be broken, even though the ciphers it uses are secure. In this case the cryptosystem is loop-aes and all the software for handling keys etc. My point is that by introducing the double layer of encryption, you change the cryptosystem. This means that some of the analysis done on the single encryption system now are invalid. This may actually introduce a possibility for an attack, for instance it may introduce a weakness that let an attacker exploiting the fact that the two ciphers use the same key or some other attack that you could not imagine. Of cause the ciphers may be broken sometimes in the future, but the ciphers are quite well analyzed, and if a cipher is broken, you will probably know it quite quickly. Then there is muck bigger chance that there is a flaw in the design of loop-aes or in the scheme for adding a double layer of encryption. The best thing to do to increase the security of the loop-aes is probably to sit down an analyze how the

In fact it is hard to get a ciphersystem right, and many big companies that should have the resources to hire the best people in the field has failed miserably. Examples of this is:

- Netscapes SSL implementation could be broken because they used a random-generator that were not of cryptographic quality.

- With the SSL 2.0 protocol, an attacker could force the comunication to use 40-bit keys, even both parties supported 128-bit keys.

- The WEP protocol used the RC4 cipher the wrong way, by having a bad scheme for seeding the user key used to derive the encryption key. Firstly this introduced a possibility for a key reuse (which basicly means that the system is broken when the cipher is a streamcipher). This attack was later improved, using a newly discovered weakness in RC4. This weakness in RC4 cannot be used to attack better designed systems.

My point with these examples, is that the whole cryptosystem must be considered, not just the ciphers, and as mentioned above, more people has analyzed AES than the loop-aes system, so I would be more worried about how loop-aes is designed than the strength of the cipher. It would be better to analyze the system all the way from user authentication (typing passwords, usb-sticks etc) to how the blocks are encrypted, what happens if part of a disk sector change etc.

An example of such an analysis of the Linux random device, can be found at the URL below:

http://eprint.iacr.org/2006/086

Regards,
Peter

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

Follow-Ups:
- Re: Loop-AES and Twofish on 64-bit CPU
  - From: Christian Kujau

References:
- Re: Loop-AES and Twofish on 64-bit CPU
  - From: markus reichelt
- Re: Loop-AES and Twofish on 64-bit CPU
  - From: Peter_22
- Re: Loop-AES and Twofish on 64-bit CPU
  - From: Gisle Sælensminde
- Re: Loop-AES and Twofish on 64-bit CPU
  - From: Christian Kujau
- Re: Re: Loop-AES and Twofish on 64-bit CPU
  - From: Peter_22

Prev by Date: Re: Getting real slow performance
Next by Date: Re: Loop-AES and Twofish on 64-bit CPU
Previous by thread: Re: Re: Loop-AES and Twofish on 64-bit CPU
Next by thread: Re: Loop-AES and Twofish on 64-bit CPU
Index(es):
- Date
- Thread