Security Issues

• Cryptoloop is vulnerable to optimized dictionary attack

  • Most (if not all) fs have known plaintext (e.g. byte offset 0x600 – 0x60F: bits are 0)
    • dd if=/dev/hdaX bs=16 skip=96 count=1 \ 2> /dev/null | od -An -tx1 -
  • Most distributions use unsalted and uniterated passphrases which means a direct connection between passphrase and ciphertext
  • IV is predictible (related to block number)
  • Ciphertexts can be precomputed (dictionary)