From: David Rochberg <rochberg+@cs.cmu.edu>
Date: Sun, 23 Jun 1996 17:20:34 +0800
To: ncognito@gate.net
Subject: Re: CFS Questions (protocol? safer/idea linkings?)
In-Reply-To: <+cmu.andrew.internet.cypherpunks+8ln8pS:00UfAQ10BJU@andrew.cmu.edu>
Message-ID: <9606230530.AA33018@GS84.SP.CS.CMU.EDU>
MIME-Version: 1.0
Content-Type: text/plain


ftp://research.att.com/dist/mab/cfs.ps is Blaze's CFS paper (which I
was silly not to read before my last post to cfs-users).  It should
answer many of your questions.

The answer to your "why so muany keys" question is that CFS uses two
keys per attachment (2 * 64 per hybrid-3DES instance * 2 instances =
256).  This is an attempt to foil structural analysis of the
files---under ECB mode alone, identical parts of the file will be
encrypted to identical ciphertext.

To encrypt data, CFS first XORs the data with a long (.5 Mbyte,
according to the paper) repeated psuedo-random mask.  The mask is
generated by running the cipher in OFB mode with one of the keys.

Then the result of the XOR is encrypted in ECB mode with the other
key.  (There's some other optional XORing that goes on as well---read
the paper).

The passphrase->key bit is based on SHS.  Take a look at new_pwcrunch
in getpass.c in your distribution.

					-david