Re: RFC: backporting GEOM to the 4.x branch

["ALeine" <aleine@xxxxxxxxxxxxxxxx>]

df@xxxxxx wrote:

> Wouldn't be easier porting cgd* from NetBSD ?
>
> * http://www.netbsd.org/guide/en/chap-cgd.html

Perhaps, but I believe GBDE to be superior to CGD for a number
of reasons, one of the most important being that with GBDE you
can change the passphrase without re-encrypting the entire disk,
which is not the case with CGD, AFAIK. From Poul-Henning Kamp's
paper on GBDE:

http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf

  Several implementations have been produced which implement
  a disk encryption feature by running the user provided
  passphrase through a good quality one-way hash function
  and used the output as a key to encrypt all the sectors
  using a standard block cipher in CBC mode. A per sector IV
  for the encryption is typically derived from the passphrase
  and sector address using a one-way hash function. Two
  typical examples are [CGD] and [LOOPAES].

  Unfortunately this approach suffers from a number of
  significant drawbacks, both in terms of cryptographic
  strength and deployability.

  For data to stay protected for decades or even lifetimes,
  sufficient margin must exist not only for technological
  advances in brute force technology, but also for theoretical
  advances in cryptoanalytical attacks on the algorithms used.
  Protecting a modern disk, typically having a few hundred
  millions of sectors, with the same single 128 or 256 bits
  of key material offers an incredibly large amount of data
  for statistical, differential or probabilistic attacks in
  the future.

  Worse, because the sectors contain file system or database
  data and meta data which are optimised for speed, the
  plaintext sector data typically have both a high degree of
  structure and a high predictability, offering ample
  opportunities for statistical and known plaintext attacks.

  This author would certainly not trust data so protected
  to be kept secret for more than maybe five or ten years
  against a determined attacker.

  But far more damning to this method is that there can
  only be one single passphrase for the disk. This effectively
  rules out the ability for an organisation to implement any
  kind of per-user or multilevel key management scheme: the
  only possible scheme is ‘‘one key per disk’’.

  Add to this that to change the passphrase the entire disk
  would have to be decrypted and re-encrypted, and we
  have a model which may work in theory, and can be
  made to work in practice for a determined individual,
  but which would fast become an operational liability
  for any organisation.


ALeine

P.S.:    Please CC me when you reply, I am not subscribed.
___________________________________________________________________
WebMail FREE http://mail.austrosearch.net