Re: GELI - disk encryption for FreeBSD - review request.

From: Andrew Swallow (am.swallow_at_btopenworld.com)
Date: 07/29/05


Date: Fri, 29 Jul 2005 18:58:30 +0000 (UTC)

David Eather wrote:

> Andrew Swallow wrote:
>
>> Joseph Ashwood wrote:
>>
>>> "Andrew Swallow" <am.swallow@btopenworld.com> wrote in message
>>> news:dc9ciu$11k$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com...
>>> [Joe assumes the discussion is around CTR mode]
>>>
>>>> As well as the write count can we add a random field? And
>>>> how big? To permit decryption the value will have to be
>>>> stored on the disk.
>>>>
>>>> For software implementations the random value could be
>>>> generated by AES in CTR mode with the IV set to the time
>>>> and date using a second key variable. For hardware
>>>> encryption implementations the output from a true random
>>>> number generator built into the disk controller electronics.
>>>
>>> Even after giving it portions of a day's thoughts I can't see a break
>>> in it, as long as the random number is of sufficient size, by
>>> sufficient I mean sufficient enough to make waiting for a collision
>>> in the generated IVs as at least the 2^64 limit, so based on the
>>> considerations I've discussed previously 24-bits should be
>>> sufficient. Although I would suggest using entropy collection instead
>>> of AES encrypted time since mark, just because it cleans things up a
>>> bit on the front shouldn't make much if any difference.
>>>
>>
>> Entropy collection quickly runs into practical problems.
>> For a disk being written to 50 times a second
>> 50 * 24 = 1200 bits of entropy per second.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Um, a sound card and noise source will easily provide that rate of
> entropy. I don't understand why it is always seen as a problem. As
> an aside I am working on a PIC-based TRNG that should be sending out
> about 1000 or so bits of entropy per second via RS-232. The PIC
> even has time to check for possible failure modes (bit frequency, a
> modified poker test (will also pick up long runs of 1's, 0's or other
> 8-bit patterns) and other precautions deal with auto-correlations).
> It's not that complicated.

This is alright if you have a sound card with an unused
channel. Unfortunately on most machines either the computer
does not have a sound card or all the channels are being used.
There is a hidden assumption that software encryption should
not require additional hardware.

Andrew Swallow
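The failure-mode checks Eather describes for his PIC generator (bit frequency, a poker test, run-length checks) are the same family of tests FIPS 140-2 specifies for a 20,000-bit TRNG sample. The block below is an added example, not code from this thread, from GELI or from any PIC firmware; it implements those four tests in plain Python. The thresholds are the FIPS 140-2 limits as I recall them and should be checked against the standard before use. The "good" sample is a SHA-256 hash chain, a constructed stand-in for noise-source output, and the two bad samples (stuck at zero, alternating 0xAA) are constructed to show which test catches which failure.

```python
"""Start-up / continuous health tests for a raw TRNG bit stream.

Added example, not code from the thread or from GELI.  The thresholds are the
FIPS 140-2 statistical-test limits for a 20,000-bit sample as I recall them
(monobit, poker, runs, long run); verify them against the standard before
depending on them.  The "good" sample is a SHA-256 hash chain, a constructed
stand-in for TRNG output, not a real noise source.
"""
import hashlib

SAMPLE_BITS = 20000                     # FIPS 140-2 sample size
MONOBIT = (9725, 10275)                 # strict bounds on the number of 1 bits
POKER = (2.16, 46.17)                   # strict bounds on the poker statistic
RUNS = {                                # inclusive bounds per run length, per bit value
    1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
    4: (240, 384), 5: (103, 209), 6: (103, 209),   # key 6 means "6 or longer"
}
LONG_RUN = 26                           # a run this long or longer is a failure


def bytes_to_bits(data):
    """Unpack bytes MSB-first into a list of 0/1 ints."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def monobit_test(bits):
    """Bit-frequency check: the count of 1 bits must sit near 10,000."""
    ones = sum(bits)
    return MONOBIT[0] < ones < MONOBIT[1]


def poker_test(bits):
    """Chi-square-like statistic over the 5,000 4-bit nibbles of the sample."""
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        nibble = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nibble] += 1
    n = len(bits) // 4
    x = (16.0 / n) * sum(c * c for c in counts) - n
    return POKER[0] < x < POKER[1]


def run_lengths(bits):
    """Yield (bit_value, length) for each maximal run in the stream."""
    cur, length = bits[0], 1
    for b in bits[1:]:
        if b == cur:
            length += 1
        else:
            yield cur, length
            cur, length = b, 1
    yield cur, length


def runs_test(bits):
    """Count runs of each length (1..5, 6+) separately for 0s and 1s."""
    hist = {0: dict.fromkeys(RUNS, 0), 1: dict.fromkeys(RUNS, 0)}
    for value, length in run_lengths(bits):
        hist[value][min(length, 6)] += 1
    return all(lo <= hist[v][k] <= hi
               for v in (0, 1) for k, (lo, hi) in RUNS.items())


def long_run_test(bits):
    """Reject any run of 26 or more identical bits."""
    return max(length for _, length in run_lengths(bits)) < LONG_RUN


def health_check(data):
    """Run all four tests on exactly 20,000 bits; returns {test: passed}."""
    bits = bytes_to_bits(data)
    if len(bits) != SAMPLE_BITS:
        raise ValueError("need exactly %d bits, got %d" % (SAMPLE_BITS, len(bits)))
    return {
        "monobit": monobit_test(bits),
        "poker": poker_test(bits),
        "runs": runs_test(bits),
        "long_run": long_run_test(bits),
    }


def hash_chain_sample(seed=b"constructed sample", nbytes=SAMPLE_BITS // 8):
    """Constructed stand-in for TRNG output: a SHA-256 hash chain (NOT entropy)."""
    out, state = bytearray(), seed
    while len(out) < nbytes:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:nbytes])


if __name__ == "__main__":
    for name, sample in [("hash chain", hash_chain_sample()),
                         ("stuck at 0", b"\x00" * 2500),
                         ("alternating 0xAA", b"\xaa" * 2500)]:
        print(name, health_check(sample))
```

Two things worth noting. The 0xAA stream passes the bit-frequency test (exactly 10,000 ones) and the long-run test, and is only rejected by the poker and runs tests, which is why a frequency count alone is not a sufficient failure-mode check. And the SHA-256 chain passes all four tests while containing no entropy at all: these checks detect a broken or stuck noise source, they do not certify that the source is random. On a device like the one described above, a 20,000-bit sample at roughly 1000 bits per second takes about 20 seconds to collect, so the tests run on a rolling block and the output is withheld from the pool whenever a block fails.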