[dm-crypt] Purpose of mkDigest field in LUKS header

Carlo Contavalli ccontavalli at gmail.com
Tue Jan 28 18:35:19 CET 2014


Hello,

I was looking into the LUKS implementation for a crypto related project.

The field mkDigest in the LUKS header contains a PKDBF2 hash of the
volume key, which I believe is indirectly used to verify the user
passphrase.
Eg, if mkDigest on disk does not match PBKDF2 of volume key decrypted
with user passphrase, user passphrase is likely wrong.

Correct? Is there any other purpose to it?

Reason I'm asking: assuming that's the case, at passphrase insertion
time there are at least 2 PBKDF2 that need to be computed - one to
derive a key from the passphrase entered by the user, one to verify
that the volume key is correct. Both eat time and CPU.

If I was an attacker, though, I would not bother checking mkDigest at
all. I would probably just try the guessed key to decrypt a disk
block, and check for an ext4 or file system header, which I believe
would be trivial to do (cost of decrypting a block for each attempted
key, and look for common signatures).

So.. is that PBKDF2 necessary? could we replace it by, for example,
storing an encrypted one way hash of the volume key?

Eg, compute volume key, use it to decrypt a small chunk of data,
verify that the encrypted hash matches hash of volume key, without
iterations or time/cpu complexity.

My guess is that this would not significantly reduce the security of
something like LUKS and/or increase the attack surface.

Am I wrong? Did I miss anything I should be aware of?

Thanks,
Carlo


More information about the dm-crypt mailing list