On Sat, 27 Jan 2007, Don Smith wrote: > On the newer versions of OpenBSD, there is -K added as > an option for SVND. > > I always used the -k option with a strong key and no > salt file. > > Is the original -k method still secure, given a strong key?
No. But that's hearsay. Here's what I heard someone say: "The biggest drawback of svnd is its lack of security in the general use case. It is vulnerable to an offline dictionary attack. That is, you can generate a database mapping known ciphertext blocks on the disk back into pass phrases that can be accessed in O(1) without even being in possession of the disk. What's even worse is that the same database will work on any svnd disk. It is possible--and perhaps even likely--that large agencies such as the NSA have constructed such a database and can crack a majority of the svnds in the world in less than a second. The way that one prevents an offline dictionary attack is to use a salt in conjunction with the pass phrase," Source: http://www.onlamp.com/pub/a/bsd/2005/12/21/netbsd_cgd.html?page=3 Disclaimer: I am not a cryptanalyst. Maybe that's all FUD and blown smoke. Advice: Use the salt. How can it hurt? It depends on your threat model. If it's a laptop and you don't want some random thief or whoever he sells your stolen property to to read your disk, -k will suffice. If you're worried about a large government, there are still other considerations (rubber hoses for one), but the salt won't hurt. If I recall the source code correctly, using -k, you are already using salt -- of zero. The salt is used when generating the key from the passphrase, and won't slow down the actual disk en/decryption, so salt is a win. Dave -- The law has converted plunder into a right and lawful defense into a crime. -- Frederic Bastiat, 1850
