A weak cryptoloop implementation in Linux?
Posted Jan 23, 2004 16:21 UTC (Fri) by spudbeach
Parent article: A weak cryptoloop implementation in Linux?
One other way around the problem is Cipher Block Chaining (CBC), where the output of each block is dependent on all prior blocks, as well as a randomly chosen initial vector (IV). That basically makes known plaintext / dictionary attacks such as this one useless, unless they are on the first block encrypted. All at very little cost to decrypt, too.
Oh, and should anybody not trust Juri, note that he has been the big guy in the loop-AES project for a couple of years, doing loop-mounted crypto outside of the kernel. Yes, he does know what he's doing. And yes, I'm sticking with loop-AES, for at least a couple of years. [And BTW: loop-AES is by design free from this attack: rather than using a passphrase directly, a true random key is used, which is then encrypted with a passphrase -- hence, one more step between the passphrase and known plaintext.]
GPG key ID 7675D05E
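The two points in the comment above, CBC chaining with an IV and the loop-AES style of encrypting a random master key under the passphrase rather than using the passphrase as the key, as an added Go example that is not code from the comment, from LWN, from cryptoloop or from loop-AES. It uses only the Go standard library (crypto/aes, crypto/cipher). The sample "sector" is constructed; the function names, the SHA-256 passphrase derivation and the IV||ciphertext layout of the wrapped key are this example's own assumptions, not loop-AES's real key file format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample "sector": two identical 16-byte blocks, the kind of
// repetitive, guessable plaintext (zero fill, filesystem headers) that a
// known-plaintext or dictionary attack leans on.
var sampleSector = bytes.Repeat([]byte("FILESYSTEM-META!"), 2)

// blockCipherFor validates key, IV (nil for ECB) and data length and returns
// an AES block cipher.
func blockCipherFor(key, iv, data []byte) (cipher.Block, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of the block size", len(data))
	}
	if iv != nil && len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("IV must be %d bytes", block.BlockSize())
	}
	return block, nil
}

// ecbEncrypt encrypts every block independently (no chaining, no IV), so two
// identical plaintext blocks always map to two identical ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := blockCipherFor(key, nil, plaintext)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += block.BlockSize() {
		block.Encrypt(out[i:i+block.BlockSize()], plaintext[i:i+block.BlockSize()])
	}
	return out, nil
}

// cbcEncrypt XORs each plaintext block with the previous ciphertext block (the
// IV for the first block) before encrypting it, so every ciphertext block
// depends on the IV and on all earlier blocks.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := blockCipherFor(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// cbcDecrypt reverses cbcEncrypt at one block operation per block, same as ECB.
func cbcDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := blockCipherFor(key, iv, ciphertext)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out, nil
}

// blocksIdentical reports whether the first two 16-byte blocks of b are equal,
// the repetition pattern visible in ECB output.
func blocksIdentical(b []byte) bool {
	return len(b) >= 2*aes.BlockSize && bytes.Equal(b[:aes.BlockSize], b[aes.BlockSize:2*aes.BlockSize])
}

// wrapMasterKey: the volume is encrypted under a random master key, and only
// that key is encrypted under a passphrase-derived key (assumed layout:
// IV || CBC ciphertext; SHA-256 derivation is a simplification).
func wrapMasterKey(passphrase string, master []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	wrapKey := sha256.Sum256([]byte(passphrase))
	ct, err := cbcEncrypt(wrapKey[:], iv, master)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// unwrapMasterKey recovers the master key from wrapMasterKey's output.
func unwrapMasterKey(passphrase string, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 2*aes.BlockSize {
		return nil, fmt.Errorf("wrapped key too short")
	}
	wrapKey := sha256.Sum256([]byte(passphrase))
	return cbcDecrypt(wrapKey[:], wrapped[:aes.BlockSize], wrapped[aes.BlockSize:])
}

func main() {
	key, iv := make([]byte, 32), make([]byte, aes.BlockSize) // constructed volume key and IV
	rand.Read(key)
	rand.Read(iv)
	ecb, _ := ecbEncrypt(key, sampleSector)
	cbc, _ := cbcEncrypt(key, iv, sampleSector)
	fmt.Printf("ECB repeats identical blocks: %v\n", blocksIdentical(ecb))
	fmt.Printf("CBC repeats identical blocks: %v\n", blocksIdentical(cbc))
}
```

Run with `go run`: the ECB line prints `true` and the CBC line `false`. The wrapping functions show the extra indirection the comment credits to loop-AES: the passphrase never touches sector data directly, so a correct passphrase yields the master key while a wrong one yields unrelated bytes.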