Re: [PATCH] Delete cryptoloop

[Matt Mackall]

On Mon, Jul 26, 2004 at 02:45:26PM +0200, Fruhwirth Clemens wrote:
> To summarize for an innocent bystander:
> 
> - The attacks you brought forward are in the best case a starting point
> for known plain text attacks. Even DES is secure against this attack,
> since an attacker would need 2^47 chosen plain texts to break the cipher
> via differential cryptanalysis. (Table 12.14 Applied Cryptography,
> Schneier). First, the watermark attack can only distinguish 32
> watermarks. Second, you'd need a ~2.000.000 GB to store 2^47 chosen
> plain texts. Third, I'm talking about DES (designed 1977!), no chance
> against AES.

Here's a scenario: corrupt government agency secretly watermarks
incriminating documents. Brave whistleblower puts them on his laptop's
cryptoloop fs, but gets taken aside by customs agents on his way out
of the country. Agents check his disk for evidence of the watermark
and find enough evidence to assure that he's never seen again, without
even having to resort to rubber hose techniques.

Yes, the scenario is unlikely and I think it's _way_ overstating it to
call it an exploit. But it's still worth defending against. If we're
going to change disk formats, we should try to address it.

-- 
Mathematics is the supreme nostalgia of our time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/