Date: Sat, 21 Nov 1998 00:37:45 -0600
From: kernel@mallory.draper.net
To: linux-kernel@vger.rutgers.edu
Subject: kerneli blowfish/twofish compromised?

Hi,

I suspect that the twofish and blowfish code, as contained in the Linux International Kernel Crypto Patch *ONLY*, is compromised. See: ftp://ftp.kerneli.org/pub/linux/kerneli/v2.1/patch-int-2.1.129.1.gz.

This is ** NOT ** an allegation that twofish and blowfish, developed by Bruce Schneier, have problems. I am sure that Bruce's reference code is fine. Also please forgive my being off topic... many people on this list use these patches.

Background: Since Linus is hinting strongly that 2.2 is about to be born, the time seems right to retrofit my own stuff into the new world. While modifying the loop device driver to support an IV derived from the disk block number, and using twofish from the international patch as a code base, I checked the CBC ciphertext corresponding to several hundred thousand bytes of plaintext zeros looking for repeating patterns... (I am not a great cryptanalyst; on the other hand I hate to build obviously broken code, so I check these things). Repeating patterns did exist, which is a very bad thing for CBC mode code to do.

Thinking I have a bug I dig further... Module loop_fish2.c function blockEncrypt_CBC at line #437 zeros the IV (reverting to far less secure ECB mode, hmmm):

    if ( ( len & 0x1FF) == 0) { iv0=0; iv1=0; iv2=0; iv3=0; }

This accounts for the repeating patterns in ciphertext. Now my confidence in the International Crypto Patch is shaken and I wonder if blowfish also has problems.

More checking... blowfish from the patch appears to leak plaintext directly into ciphertext... Module loop_blow.c function blowfish_cbc_encrypt at line #361:

    if (size & 0x000001FF) { memcpy(dst, src, size); return; }

Module loop_blow.c function blowfish_cbc_decrypt at line #420 recovers the leaked plaintext.
I am requesting that another set of eyes take a look at blowfish and twofish from the International Patch. It is possible that I am going nuts having worked into the wee hours (again). On the other hand, this does not look like an accidental set of bugs; and if someone is leaking compromised crypto to the world then perhaps this needs to be, um, known.

Reed,
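The sanity check the poster describes (encrypt a long run of plaintext zeros in per-sector CBC and look for repeats, then look for plaintext showing through into the ciphertext) can be written down as a small offline harness. The example below is added here and is not the poster's code or anything from the kerneli patch. It assumes a 512-byte sector, a 16-byte block, and an IV derived from the sector number, and it uses a keyed SHA-256 truncation as a stand-in for the block cipher's encrypt direction (constructed for the example; it is not invertible and not a cipher, it only gives CBC something deterministic to chain through). The two defect reproductions (`encrypt_device_zeroed_iv`, `encrypt_leaky`) mirror the two quoted conditions only so that the checks can be shown firing; a real test would encrypt through the driver under test and feed the output to the same check functions.

```python
import hashlib
import struct

SECTOR = 512  # loop-device sector size; the 0x1FF masks on the page test "multiple of 512"


def prf_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for E_k(block) (constructed for this example): keyed SHA-256, truncated.
    # Not invertible, so not a real cipher; sufficient for an encrypt-only pattern test.
    return hashlib.sha256(key + block).digest()[: len(block)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes, bs: int) -> bytes:
    # Textbook CBC: C_i = E(P_i xor C_{i-1}) with C_0 = IV. pt must be block-aligned.
    assert len(pt) % bs == 0 and len(iv) == bs
    out, prev = bytearray(), iv
    for i in range(0, len(pt), bs):
        prev = prf_block(key, xor_bytes(pt[i:i + bs], prev))
        out += prev
    return bytes(out)


def sector_iv(sector_no: int, bs: int) -> bytes:
    # IV derived from the disk block number, as the poster was implementing (bs >= 8 assumed).
    return struct.pack("<Q", sector_no).ljust(bs, b"\x00")


def encrypt_device_ok(key: bytes, pt: bytes, bs: int) -> bytes:
    # Per-sector CBC, each sector chained from its own sector-derived IV.
    out = bytearray()
    for n, off in enumerate(range(0, len(pt), SECTOR)):
        out += cbc_encrypt(key, sector_iv(n, bs), pt[off:off + SECTOR], bs)
    return bytes(out)


def encrypt_device_zeroed_iv(key: bytes, pt: bytes, bs: int) -> bytes:
    # Reproduces the quoted loop_fish2.c condition: a 512-multiple request length zeros the IV,
    # so every sector chains from the same starting value.
    out = bytearray()
    for n, off in enumerate(range(0, len(pt), SECTOR)):
        iv = bytes(bs) if (len(pt) & 0x1FF) == 0 else sector_iv(n, bs)
        out += cbc_encrypt(key, iv, pt[off:off + SECTOR], bs)
    return bytes(out)


def encrypt_leaky(key: bytes, pt: bytes, bs: int) -> bytes:
    # Reproduces the quoted loop_blow.c condition: a size that is not a 512-multiple is copied through.
    if len(pt) & 0x1FF:
        return pt
    return encrypt_device_ok(key, pt, bs)


def duplicate_block_count(ct: bytes, bs: int) -> int:
    # Ciphertext blocks that repeat an earlier block. Healthy CBC with distinct IVs gives ~0;
    # repeats point at IV reuse or ECB-like behaviour.
    blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
    return len(blocks) - len(set(blocks))


def identical_sector_count(ct: bytes) -> int:
    # Whole ciphertext sectors that repeat an earlier sector (what a zeroed per-sector IV produces
    # for uniform plaintext).
    sectors = [ct[i:i + SECTOR] for i in range(0, len(ct), SECTOR)]
    return len(sectors) - len(set(sectors))


def plaintext_leak_bytes(pt: bytes, ct: bytes, bs: int) -> int:
    # Bytes in blocks where ciphertext equals plaintext at the same offset.
    return sum(len(pt[i:i + bs]) for i in range(0, min(len(pt), len(ct)), bs)
               if ct[i:i + bs] == pt[i:i + bs])


def run_checks(bs: int = 16) -> dict:
    key = b"constructed-example-key"
    zeros = bytes(4 * SECTOR)      # 2 KiB of plaintext zeros: the poster's test input, in miniature
    odd = bytes(100)               # a request that is not a multiple of 512 bytes
    good = encrypt_device_ok(key, zeros, bs)
    bad = encrypt_device_zeroed_iv(key, zeros, bs)
    leaky = encrypt_leaky(key, odd, bs)
    return {
        "good_dup_blocks": duplicate_block_count(good, bs),       # 0
        "bad_dup_blocks": duplicate_block_count(bad, bs),         # 96 of 128 blocks repeat
        "bad_identical_sectors": identical_sector_count(bad),     # 3 of 4 sectors repeat
        "good_leaked_bytes": plaintext_leak_bytes(zeros, good, bs),
        "leaked_bytes": plaintext_leak_bytes(odd, leaky, bs),     # all 100 bytes leak
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The block-level and sector-level counters are deliberately separate: with a zeroed IV and uniform plaintext, blocks inside one sector still differ from each other (each is E of the previous), so only the cross-sector comparison makes the defect obvious. The leak counter catches the second class of bug, where the check passes for aligned sizes and fails only for the odd-sized request.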