[OpenAFS] packet sniffing and file content

[Ted Anderson]

On Fri, 13 Jul 2001 10:58:04 -0400 Jim Rees <rees@umich.edu> wrote:
> This is a concern.  OpenAFS uses an algorithm called fcrypt, designed
> in 1988 by Ted Anderson.  It is very similar to des but is designed to
> be faster in software.  It suffers both from a 56 bit key space and
> from a vulnerability to differential cryptanalysis, which was unknown
> to the open crypto community at the time.

Jim has this right.  I recently had a chance to write up what I knew, or
could recall, about fcrypt[1].

> I would like to see OpenAFS use something stronger.

Absolutely.

On 13 Jul 2001 10:17:25 -0400 Derek Atkins <warlord@MIT.EDU> wrote:
> "fs setcrypt on" on the client will turn on file encryption.  It
> only uses fcrypt(), which only provides token encryption, but
> it is better than cleartext.

I don't want to suggest that fcrypt() is great crypto, but until it can
be replaced, I don't think is helpful to minimize the actual protection
it provides.  It's short key size and vulnerability to differential
cryptography are largely theoretical.  Unless an attacker can bring to
bear significant resources (such as that required for a DES cracking
engine[2]), fcrypt is probably safe.  Certainly, fcrypt is not suitable
as the sole protection for high value targets.  It would add
considerable value, however, in protecting users' files that transit
unprotected network links.

Within an AFS cell, fcrypt has long been used to protect traffic between
kaserver and ptserver Ubik replicas, and between admin utilities such as
bos, pts, and kas and the corresponding servers.  If this dependence is
a concern, fcrypt's protection should be augmented by restricting these
communications to an isolated subnet which is likely to be free from
unauthorized packet sniffers.

Ted Anderson

[1] http://www.transarc.ibm.com/~ota/fcrypt-paper.txt
[2] http://www.eff.org/pub/Privacy/Crypto_misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html