Re: [PATCH] Delete cryptoloop

From: David Wagner
Date: Wed Jul 28 2004 - 15:26:50 EST


James Morris wrote:
>It would be good if we could get some further review on the issue by an
>independent, well known cryptographer.

I'd be glad to review it if someone can point me to a clear, concise
description of the scheme (trying to extract the spec from the code
is too much work for me).

M.J. Saarinen's attack seems to be real, if that's what you're asking
about. IV generation is important; if you choose IVs poorly, then you
can end up with some weaknesses even if the underlying block cipher is
perfectly fine. (I noticed that some posts from, e.g., Clemens were
confused about this point. If you use a great cipher in a bad mode of
operation, you can easily end up with an insecure system. The existence
of an attack against such a system is not in contradiction to the security
of the underlying block cipher against chosen plaintext attacks.)
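The point above (a sound block cipher used with poorly chosen IVs still gives an insecure system) can be checked directly. The following is an added example, not code from the thread or from cryptoloop: it runs CBC over a toy but sound block cipher once with a predictable IV (the sector number) and once with an ESSIV-style IV (the sector number encrypted under a second key, a mitigation assumed here, not taken from the patch under discussion). With the predictable IV, two sectors whose first plaintext blocks differ by a known value produce identical first ciphertext blocks, so the ciphertext alone reveals a relation between plaintexts; with the unpredictable IV it does not. The Feistel cipher, key names and sector numbers are all constructed for the demonstration.

```python
"""Added example: why CBC needs unpredictable IVs, independent of the cipher."""
import hashlib
import os

BLOCK = 16  # bytes per cipher block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256, truncated to a half block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: 4-round Feistel network over SHA-256.
    It stands in for a well-designed cipher; every weakness shown below
    comes from the mode of operation, not from this function."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def sector_iv(sector: int) -> bytes:
    """Predictable IV: the sector number itself (unique, but public)."""
    return sector.to_bytes(BLOCK, "little")


def essiv(salt_key: bytes, sector: int) -> bytes:
    """ESSIV-style IV (assumed mitigation): the sector number encrypted under
    a separate key, so the IV is unique and unpredictable without salt_key."""
    return block_encrypt(salt_key, sector_iv(sector))


def related_plaintexts(sector_a: int, sector_b: int) -> tuple:
    """Two constructed 64-byte sector contents whose first blocks differ by
    exactly IV_a XOR IV_b under the sector-number scheme. A predictable IV
    lets that known difference cancel before the cipher ever sees the data."""
    p_a = os.urandom(BLOCK) * 4  # constructed sample sector data
    delta = xor(sector_iv(sector_a), sector_iv(sector_b))
    p_b = xor(p_a[:BLOCK], delta) + p_a[BLOCK:]
    return p_a, p_b


def first_blocks_collide(key: bytes, iv_fn, sector_a: int, sector_b: int) -> bool:
    """Encrypt the related sectors and report whether their first ciphertext
    blocks are equal, i.e. whether the ciphertext alone exposes the relation."""
    p_a, p_b = related_plaintexts(sector_a, sector_b)
    c_a = cbc_encrypt(key, iv_fn(sector_a), p_a)
    c_b = cbc_encrypt(key, iv_fn(sector_b), p_b)
    return c_a[:BLOCK] == c_b[:BLOCK]


def demo() -> dict:
    """Same cipher, same key, two IV schemes: only the IV choice differs."""
    key = os.urandom(16)
    salt_key = hashlib.sha256(key).digest()[:16]  # derived second key for ESSIV
    return {
        "sector_iv_leaks": first_blocks_collide(key, sector_iv, 7, 1000),
        "essiv_leaks": first_blocks_collide(key, lambda s: essiv(salt_key, s), 7, 1000),
    }


if __name__ == "__main__":
    print(demo())  # expected: sector_iv_leaks True, essiv_leaks False
```

The cipher is never weakened: the collision under sector-number IVs happens because both cipher inputs are identical once the known IV difference is XORed in, which is exactly the "great cipher in a bad mode" situation described above. Deriving the IV through a keyed function removes the observer's knowledge of that difference, which is why per-sector IVs in disk encryption are derived with a secret (ESSIV) or replaced by a tweakable mode.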