Re: Loop-AES and Twofish on 64-bit CPU

[Gisle Sælensminde <Gisle.Salensminde@xxxxxxxxxxx>]

Peter_22@xxxxxx wrote:

> > -------- Original-Nachricht --------
> > Datum: Mon, 29 May 2006 18:38:30 +0300
> > Von: Gisle Sælensminde wrote:
> >    
> >
> > > A first step could be to describe loop-aes and cryptoloop, like done for
> > > the random-device in the paper I linked to.
> > >      
>
> Fine that you do this analysis of the loop-aes crypto system right now...
>  
Hmmm....

> But as you already assumed, I am not a crypto analyst. So far I trust in the aes cipher, gpg and Jaris work. As the userbasis is rather small I suppose the FBI didn`t do a code analysis yet. Looks fine, doesn`t it?
> Sure, I can`t write C or assembler code. Of course I don`t try writting loop-aes clones. So far I animated Jari to include instructions for using usb-sticks to boot from. Loop-aes can be set up to boot the system with no partition table. So there remains nothing that could tell attackers that you are using loop-aes. What looks crypto analysis like when you don`t know which kind of system you attack? Maybe you assume that loop-aes is used? In this case you still don`t know partitions or offsets. And of course you don`t know how many layers of encryption I used. Maybe I used 4 loops for some part of some disk...
>
>  
A common principle in design of cryptosystems is to use Kerkhoff's 
principle, which is to assume that everything about your system is known 
by an attacker, except the key. They may for example have read this 
mailinglist ;-).
A comptent attacker would assume that a disk filled with randomness is 
encrypted, and then try to find clues of how the data is encrypted. 
Chances are that they will.

> Again, I agree with your concerns about how loop-aes is taylored. But you still missed to give reasons why setting up more than one loop device per partition decreases security. Mixing up things always leads to a higher degree of freedom and this will decrease chances for crypto analysis, too. Right?
>
>  
A direct answer to your question is that two layers of loopback 
encryption probably won't make your system less secure. On the other 
hand, it is not likely to make the system more secure either.

If you want to have two layers of loopback on top of your disk, fine. It 
will lower the performance and give more overhaed for the user (you) in 
terms of key handling. If you are motiveted, that is just fine (and you 
probably are). The cipher is likely to already be the strongest link in 
the chain, and it is always the weakest link that breaks first. While 
several layers of encryption may not decrease security, it unlikely to 
buy you any additional security either, and that is my point. If every 
part of the system is strong enough (thus there is no weak link) fine. 
The point of analyzing the system is to detect such weak links, and that 
is unlikely to be the cipher. One such weak link in earlier versions of 
loop-aes (and as far as I know, still in cryptoloop) was the way each 
block were encrypted, that allowed an attacker to see the the location 
of the first change in each disk block when it changed. In that case, it 
would not have helped with several loop devices or double encryption. 
While the seriousness of the attack can be argued about, it shows that 
several layers of encryption may not help if an attack is on a different 
part of the system.






-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/