Re: More info in my AES128-CBC question

2007-04-26 Thread Allen
Aram Perez wrote: Another response was you haven't heard of anyone breaking SD cards have you? I love responses like this. In the physical world there are the examples of the Kryptonite lock and the Master Combination lock. By the time you hear about the methodology of the attack someone

Re: More info in my AES128-CBC question

2007-04-26 Thread Travis H.
On Wed, Apr 25, 2007 at 05:42:44PM -0500, Nicolas Williams wrote: A confounder is an extra block of random plaintext that is prepended to a message prior to encryption with a block cipher in CBC (or CTS) mode; the resulting extra block of ciphertext must also be sent to the peer. Not true.

Why CBC? What is wrong with n-bit CFB?

2007-04-26 Thread Travis H.
I've always wondered this about the lesser-used modes. What's special about CBC? With CFB in particular, I think 8-bit CFB is stupid (one full block encryption per byte processed - rather computationally expensive), but n-bit CFB seems just as useful as CBC, if not more so. Specifically, I can

truncating MACs for confidentiality, was Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-04-26 Thread Travis H.
One more thing to consider; if you pick a reasonable MAC with twice the security factor you need, then truncate the output to half the size, I believe you get both confidentiality and integrity/authentication guarantees of the desired strength. -- Kill dash nine, and it's no more CPU time, kill

Re: open source disk crypto update

2007-04-26 Thread David Malone
On Wed, Apr 25, 2007 at 03:32:43PM -0500, Travis H. wrote: I think a simple evolution would be to make /boot and/or /root on removable media (e.g. CD-ROM or USB drive) so that one could take it with you. Marc Schiesser gave a tutorial at EuroBSDcon 2005 on encrypting the whole hard drive on

Re: More info in my AES128-CBC question

2007-04-26 Thread Alexander Klimov
On Wed, 25 Apr 2007, Hagai Bar-El wrote: It seems as if Aram uses a different IV for each message encrypted with CBC. I am not sure I see a requirement for randomness here. As far as I can tell, this IV can be a simple index number or something as predictable, as long as it does not repeat within

Re: open source disk crypto update

2007-04-26 Thread Alexander Klimov
On Wed, 25 Apr 2007, Travis H. wrote: Just recently I discovered Debian default installs now support encrypted root (/boot still needs to be decrypted). Presumably we are moving back the end of the attack surface; with encrypted root, one must attack /boot or the BIOS. What is the limit?