Re: [PATCH/proposal] dm-crypt: add digest-based iv generation mode

[Fruhwirth Clemens]

On Thu, Feb 19, 2004 at 06:02:32PM +0100, Christophe Saout wrote:
> since some people keep complaining that the IV generation mechanisms
> supplied in cryptoloop (and now dm-crypt) are insecure, which they
> somewhat are, I just hacked a small digest based IV generation mechanism.
> 
> It simply hashes the sector number and the key and uses it as IV.
> 
> You can specify the encryption mode as "cipher-digest" like aes-md5 or
> serpent-sha1 or some other combination.

I actually would prefer that cipher algorithm and cipher mode are seperated.
It's just a matter of personal taste that I'd like to stick things where I
think they belong. So imho it would be nicer to split this string into two
seperate: one for the cipher algorithm, the other for the mode of operation,
namely, "ecb" or "cbc-<ivmode>". 

> Consider this as a proposal, I'm not a crypto expert. Tell me if it
> contains other flaws that should be fixed.

No obvious flaws for me. I've already argued in private different IV mode,
but one more time for the public ;) : I embraced the principal of reusing
components in security systems instead of depending on a large number on
different subsystems. The only IV mode which can finally make sence for me
is the use of cipher algorithm as hash algorithm. This will keep the risk of
breakage of the system by the insecurity of one component to a minimum. A
pratical reason for using one algorithm is that just one algorithm has to be
optimized (f.e. assembler optimized or hardware offloading). I'd like to
submit a patch for this as soon as dm-crypt is merged. Andrew: any ideas if
this will happen soon?

> At least the "cryptoloop-exploit" Jari Ruusu posted doesn't work anymore.

"""exploit""".

Best Regards,
Clemens

Attachment: pgp00000.pgp
Description: PGP signature