[dm-crypt] Few questions from a new user

Arno Wagner arno at wagner.name
Fri Jan 10 15:31:03 CET 2014


On Fri, Jan 10, 2014 at 07:25:57 CET, Iggy wrote:
> Would you mind explaining hash-spec?  Meaning that there is no internal
> mechanism to use different hashes/detect which has was used on a given
> volume?
> 
> Thanks for your time!
> 
> -Iggy

(Follow-up to the list, because others may wonder this too, 
also correction, as I posted nonsense. Sorry about that.)

If you look at the header specification linked here:
  http://code.google.com/p/cryptsetup/wiki/Specification

in Figure 1 you find the cipher and mode for the actual disk 
encryption, and the "hash-spec" which is the hash-function 
used by PBKDF2. 

Sorry, I was confused yesterday, you can change the hash.
(I had just though about PBKDF2 which you cannot easily 
change to, say, scrypt...)

Now the thing is that while you can change SHA-1 to, say, 
SHA-512, the attacks on SHA-1 are preimage collisions, i.e. 
you can find two input values that hash to the same value. 
That means an attacker could possibly create a second 
passphrase for one he already knows in plain which is not 
useful and hence this vulnerability of SHA-1 has no effect. 
(Actually this even is harder, I am simplifying here...)

What these attacks are useful for is, for example, 
creating two certificates with different identities in 
them but the same hash. Then you can have one signed
by some authority, but use the otehr one with the different
identity in it as the auhority signs the hash, not the 
actual identity in the certificate. For MD5, this is
really easy. For SHA-1 it is just about becomming feasible.

But this is completely useless for reversing a hash
and that is what an attacker would need to do in LUKS.
And he would need to reverse an iterated hash, iterated,
e.g., 200'000 times on my test machine. Reversing a hash 
is usually only possible by brute-force, attacks that make 
this much easier require very serious flaws in the hash. 
There are no such attacks for SHA-1 that I am aware of, 
and certainly none for an iterated SHA-1. 

So changing the hash does not do anything, really as the
attacker can only try to brute-force the passphrase and
that takes the same effort for SHA-1 and for SHA-512.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare


More information about the dm-crypt mailing list