
Date:	Sat, 21 Nov 1998 00:37:45 -0600
From:	kernel@mallory.draper.net
To:	linux-kernel@vger.rutgers.edu
Subject: kerneli blowfish/twofish compromised?

Hi,

I suspect that the twofish and blowfish code, as contained in the
Linux International Kernel Crypto Patch *ONLY*, is compromised.

See: 
ftp://ftp.kerneli.org/pub/linux/kerneli/v2.1/patch-int-2.1.129.1.gz.

This is ** NOT ** an allegation that twofish and blowfish, developed
by Bruce Schneier, have problems.  I am sure that Bruce's reference code 
is fine.  Also please forgive my being off topic... many people on this 
list use these patches.

Background: Since Linus is hinting strongly that 2.2 is about to be
born, the time seems right to retrofit my own stuff into the new world.

While modifying the loop device driver to support an IV derived from
the disk block number, and using twofish from the international 
patch as a code base, I checked the CBC ciphertext corresponding to
several hundred thousand bytes of plaintext zeros looking for repeating
patterns... (I am not a great cryptanalyst, on the other hand I hate to
build obviously broken code, so I check these things).

Repeating patterns did exist which is a very bad thing for CBC mode
code to do.  Thinking I have a bug I dig further...

Module loop_fish2.c function blockEncrypt_CBC at line #437 zeros
the IV (reverting to far less secure ECB mode, hmmm):
  if ( ( len & 0x1FF) == 0)
  {
     iv0=0;
     iv1=0;
     iv2=0;
     iv3=0;
  }

This accounts for the repeating patterns in ciphertext.  Now my 
confidence in the International Crypto Patch is shaken and I wonder
if blowfish also has problems.  More checking... blowfish from the 
patch appears to leak plaintext directly into ciphertext...

Module loop_blow.c function blowfish_cbc_encrypt at line #361:
  if (size & 0x000001FF)
  {
    memcpy(dst, src, size);
    return;
  }

Module loop_blow.c function blowfish_cbc_decrypt at line #420 recovers
the leaked plaintext.

I am requesting that another set of eyes take a look at blowfish and twofish
from the International Patch.  It is possible that I am going nuts having 
worked into the wee hours (again).  On the other hand, this does not look
like an accidental set of bugs; and if someone is leaking compromised crypto 
to the world then perhaps this needs to be, um, known.

Reed,
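The check Reed describes, reproduced as an added example in C. This is not code from the kerneli patch or from the mail above: a placeholder keyed bijection (toy_block_encrypt, assumed here) stands in for Twofish, the key and the all-zero input are constructed, and the "correct" variant derives each sector's IV from the sector number, the scheme the mail says its author was retrofitting. The faulty variant does what the quoted blockEncrypt_CBC does on a whole-sector call, zero the IV, and the sector-level repeat count shows why that is visible in ciphertext.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK    16   /* Twofish block size; Blowfish would use 8 */
#define SECTOR   512  /* loop device sector size, hence the 0x1FF masks */
#define NSECTORS 8    /* size of the constructed test input */

/* Placeholder block transform standing in for Twofish: a keyed bijection
 * where each output byte depends on the previous output byte. NOT a cipher. */
static void toy_block_encrypt(uint8_t out[BLOCK], const uint8_t in[BLOCK],
                              const uint8_t key[BLOCK])
{
    uint8_t prev = key[BLOCK - 1];
    for (int i = 0; i < BLOCK; i++) {
        out[i] = (uint8_t)((in[i] ^ key[i]) * 167u + prev);
        prev = out[i];
    }
}

/* CBC over one sector, chaining through iv. With reset_iv set the IV is
 * zeroed first, which is what the quoted blockEncrypt_CBC does whenever
 * (len & 0x1FF) == 0, i.e. on every whole-sector call from the loop driver. */
static void cbc_encrypt_sector(uint8_t *dst, const uint8_t *src,
                               const uint8_t key[BLOCK], uint8_t iv[BLOCK],
                               int reset_iv)
{
    uint8_t x[BLOCK];
    if (reset_iv)
        memset(iv, 0, BLOCK);
    for (size_t off = 0; off < SECTOR; off += BLOCK) {
        for (int i = 0; i < BLOCK; i++)
            x[i] = src[off + i] ^ iv[i];
        toy_block_encrypt(dst + off, x, key);
        memcpy(iv, dst + off, BLOCK);   /* ciphertext feeds the next block */
    }
}

/* faulty=1 reproduces the patch (IV zeroed on every sector); faulty=0 derives
 * the IV from the sector number, the scheme the report's author was adding. */
void encrypt_sectors(uint8_t *dst, const uint8_t *src, size_t nsectors,
                     const uint8_t key[BLOCK], int faulty)
{
    for (size_t s = 0; s < nsectors; s++) {
        uint8_t iv[BLOCK] = {0};
        uint64_t n = (uint64_t)s;
        if (!faulty)
            memcpy(iv, &n, sizeof n);   /* IV = sector number, rest zero */
        cbc_encrypt_sector(dst + s * SECTOR, src + s * SECTOR, key, iv, faulty);
    }
}

/* The check from the report: how many chunks repeat an earlier chunk. */
size_t count_repeated_chunks(const uint8_t *buf, size_t len, size_t chunk)
{
    size_t n = len / chunk, repeats = 0;
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (memcmp(buf + i * chunk, buf + j * chunk, chunk) == 0) {
                repeats++;
                break;
            }
    return repeats;
}

/* Encrypt NSECTORS sectors of zeros and count repeated ciphertext sectors.
 * Distinct IVs give distinct first blocks, so correct CBC yields 0; the IV
 * reset makes every zero sector encrypt identically, yielding NSECTORS - 1. */
size_t repeated_zero_sectors(int faulty)
{
    static const uint8_t key[BLOCK] = {   /* constructed key, no significance */
        0x13, 0x57, 0x9b, 0xdf, 0x24, 0x68, 0xac, 0xe0,
        0x35, 0x79, 0xbd, 0xf1, 0x46, 0x8a, 0xce, 0x02 };
    static uint8_t zeros[NSECTORS * SECTOR];   /* constructed input: all zero */
    static uint8_t ct[NSECTORS * SECTOR];
    encrypt_sectors(ct, zeros, NSECTORS, key, faulty);
    return count_repeated_chunks(ct, sizeof ct, SECTOR);
}

int main(void)
{
    printf("repeated sectors, IV from sector number: %zu\n", repeated_zero_sectors(0));
    printf("repeated sectors, IV reset per sector:   %zu\n", repeated_zero_sectors(1));
    return 0;
}
```

The sector-level count is the deterministic signal: with a distinct IV per sector, the first ciphertext block of each sector is the block function applied to a distinct value, so no two sectors of identical plaintext can match; with the IV reset, every zero sector encrypts to the same 512 bytes, which is exactly the repeating pattern the mail reports. The same count at 16-byte granularity, or a comparison of ciphertext against plaintext for requests whose size is not a multiple of 512, covers the blowfish path quoted from loop_blow.c.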
