Mark Murray wrote:
> > Crypto construct-wise I don't think you can treat BF-CBC of a 256 bit
> > plaintext with a 256 bit key as a virtual 256 bit block cipher
> > operation.  I suspect the result will be weaker than 256 bits because
> > of the internal structure of BF-CBC.
> I'm not sure I understand this?

256-bit Davies-Meyer is considered secure if a blockcipher with a 
256-bit block is being used. Encrypting 256 bits in CBC mode is not 
the same as a blockcipher with a 256-bit block. For one, it will 
not obfuscate certain plaintext patterns. Consider what happens if
the first 64 bits of two plaintext blocks are equal...

Using the current construct allows for a variety of attacks on the 
compression function of the constructed hash. 

> > If you want 256 bit hash (and it is desirable for AES) you could use
> > what Jeroen suggested: abrest Davies-Meyer, and a 128 bit block
> > cipher.  Or we could wait for the AES hash mode.
> That is doable; 

But we don't have any 128-bit block blockciphers in the kernel?

> at the moment I only have SHA1, MD5, DES and Blowfish
> available in FreeBSD's kernel crypto API; I'd need a lot more evidence
> before I feen I can pull in any more :-)

You could argue that AES belongs in the kernel as soon as it is
selected. You could then go ahead and import Serpent now (as the 
most conservative possible choice of AES) with the comment that 
it will be replaced with the real AES later.

Waiting for the AES hash mode requires a lot of patience. I suspect
a 256-bit hash will accompany the next-generation DSA but that will
take at least a year or so...

In any case, the currently available building blocks are not 
sufficient and I doubt you will encounter much objections against
importing another cipher. Have you actually asked or is it more of
a perceived objection?

> > Twofish in abrest Davies-Meyer mode is going to blow away BF-CBC-256
> > pseudo 256 bit block cipher Davies-Meyer performance wise, because of
> > the key agility.

But Twofish is not neccessarily the best choice. Yes, it's being
pushed by Bruce Schneier but that's for marketing purposes, not
for technical merits. Iff you are going with a 128-bit-block 
blockcipher you ought to select the most conservative one and 
that currently isn't Twofish IMO.

> > The quality of the de-skewing function, conservative assumptions about
> > distribution of entropy across samples and conservativeness of the
> > entropy estimates don't help.  It's the yarrow output function which
> > blows it.
> Yeah; that monotonically-increasing counter bothers me slightly.

Why? How would it affect security if one assumes the blockcipher
is secure?

Jeroen C. van Gelderen          o      _     _         _
[EMAIL PROTECTED]  _o     /\_   _ \\o  (_)\__/o  (_)
                      _< \_   _>(_) (_)/<_    \_| \   _|/' \/
                     (_)>(_) (_)        (_)   (_)    (_)'  _\o_

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to