http://www.onlamp.com/lpt/a/6384 Inside NetBSD's CGD by Federico Biancuzzi 12/21/2005
OpenBSD didn't import CGD even if Ted Unangst wrote a port some time ago. Do you think OpenBSD's svnd is already offering the same features? RD: In a sense, OpenBSD's svnd appears to offer some of the same features as CGD. Before I developed CGD, I examined svnd and determined that it has a number of deficiencies. The biggest drawback of svnd is its lack of security in the general use case. It is vulnerable to an offline dictionary attack. That is, you can generate a database mapping known ciphertext blocks on the disk back into pass phrases that can be accessed in O(1) without even being in possession of the disk. What's even worse is that the same database will work on any svnd disk. It is possible--and perhaps even likely--that large agencies such as the NSA have constructed such a database and can crack a majority of the svnds in the world in less than a second. The way that one prevents an offline dictionary attack is to use a salt in conjunction with the pass phrase, and this is what I did when I wrote CGD by using PKCS#5 PBKDF2. Offline dictionary attacks have been well-known since at least the '70s, and salting the pass phrase has been standard practice for over 30 years.