[dm-crypt] question regarding Sha1 and 512 bit key xts mode

Arno Wagner arno at wagner.name
Sun Aug 23 21:38:59 CEST 2015


On Sun, Aug 23, 2015 at 20:51:42 CEST, Sven Eschenberg wrote:
> On Sat, August 22, 2015 05:38, Heinz wrote:
> > Arno Wagner <arno at ...> writes:
> >
> >> No, that is not the statement. The statement is that collision attacks
> >> (the SHA1-weakness) are irrelevant for password hashing.
> >
> > Or in other words, SHA1 is secure in this case. But why not always use the
> > best possible hash algorithm, instead of an option which is at least safe?
> > I would logically use always the strongest one, purely as a precaution,
> > and
> > not what has already demonstrated weaknesses of any kind. I would not want
> > to wait if SHA1 really holds a long time. :)
> 
> Sorry to intervene here. Hashing in LUKS is only used to check if a
> password/passphrase is a candidate. So, even if you manage to find a
> collision, the worst that can happen is, that LUKS accepts the
> 'collision' as valid key and you'll get gibberish on the mapping. Your
> encrypted data will be useless 'random' data and is not compromised then.

I seem to remember that PBKDF2 gets the hash discussed (SHA1) as input
and also that the AF splitter uses it. Still not an issue.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
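To make the thread's point concrete, here is a toy model of the LUKS1 key-slot flow that the messages above describe: PBKDF2-HMAC-SHA1 stretches the passphrase, the AF splitter/merger diffuses the master key with the same hash, and the only decision made with a hash is whether a candidate master key matches the stored PBKDF2 digest. This is an added example, not cryptsetup's code. Two things are assumptions for the sake of an offline demo and are marked as such in the code: the split key material is masked with an HMAC-SHA1 keystream instead of the real volume cipher (LUKS uses the cipher, e.g. aes-xts-plain64), and the stripe and iteration counts are tiny.

```python
"""
Simplified model of the LUKS1 key-slot check (added illustration, not cryptsetup's code).

Deviations from real LUKS1, all ASSUMPTIONS for an offline demo:
  * split key material is masked with an HMAC-SHA1 keystream (keystream_xor)
    instead of the volume cipher; real LUKS encrypts it with the cipher spec.
  * STRIPES and ITERS are tiny; LUKS1 uses 4000 stripes and benchmarks
    the PBKDF2 iteration count.
"""
import hashlib
import hmac
import os
import struct

HASH = "sha1"
DIGEST_LEN = hashlib.new(HASH).digest_size   # 20 bytes for SHA-1
STRIPES = 4                                  # LUKS1 default: 4000
ITERS = 1000                                 # LUKS1: benchmarked, far higher


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def af_hash(data: bytes) -> bytes:
    """AF diffusion function H: hash each digest-sized block prefixed with its
    32-bit big-endian index; the last (possibly short) block is truncated."""
    out = b""
    for i in range(0, len(data), DIGEST_LEN):
        block = data[i:i + DIGEST_LEN]
        h = hashlib.new(HASH, struct.pack(">I", i // DIGEST_LEN) + block).digest()
        out += h[:len(block)]
    return out


def af_split(key: bytes, stripes: int = STRIPES) -> bytes:
    """AFsplit: n-1 random stripes, last stripe = H-chain XOR key."""
    d = bytes(len(key))
    out = b""
    for _ in range(stripes - 1):
        s = os.urandom(len(key))
        out += s
        d = af_hash(xor(d, s))
    return out + xor(d, key)


def af_merge(blob: bytes, key_len: int, stripes: int = STRIPES) -> bytes:
    """AFmerge: recompute the H-chain over the stripes and unmask the key."""
    d = bytes(key_len)
    for k in range(stripes - 1):
        d = af_hash(xor(d, blob[k * key_len:(k + 1) * key_len]))
    return xor(d, blob[(stripes - 1) * key_len:])


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """ASSUMPTION / stand-in for the volume cipher: HMAC-SHA1 in counter mode."""
    out = b""
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(key, struct.pack(">Q", ctr), HASH).digest()
        ctr += 1
    return xor(data, out[:len(data)])


def luks_format(master_key: bytes, passphrase: bytes) -> dict:
    """Build a header: mk-digest (PBKDF2 of the master key) plus one key slot."""
    mk_salt, slot_salt = os.urandom(32), os.urandom(32)
    derived = hashlib.pbkdf2_hmac(HASH, passphrase, slot_salt, ITERS, len(master_key))
    return {
        "mk_digest": hashlib.pbkdf2_hmac(HASH, master_key, mk_salt, ITERS, DIGEST_LEN),
        "mk_salt": mk_salt,
        "slot_salt": slot_salt,
        "slot_material": keystream_xor(derived, af_split(master_key)),
        "key_len": len(master_key),
    }


def luks_open(header: dict, passphrase: bytes):
    """Return the master key if the candidate passes the digest check, else None.
    The candidate is only compared against a PBKDF2 digest; a wrong candidate
    that somehow passed would still not be the key the data was encrypted with."""
    derived = hashlib.pbkdf2_hmac(HASH, passphrase, header["slot_salt"], ITERS, header["key_len"])
    candidate = af_merge(keystream_xor(derived, header["slot_material"]), header["key_len"])
    check = hashlib.pbkdf2_hmac(HASH, candidate, header["mk_salt"], ITERS, DIGEST_LEN)
    return candidate if hmac.compare_digest(check, header["mk_digest"]) else None


if __name__ == "__main__":
    mk = os.urandom(64)                       # 512-bit master key, as for aes-xts-plain64
    hdr = luks_format(mk, b"correct passphrase")
    assert luks_open(hdr, b"correct passphrase") == mk
    assert luks_open(hdr, b"wrong passphrase") is None
```

Note what the hash is asked to do here: PBKDF2 and the AF chain are deterministic transforms of the passphrase and stripes, and the final check compares a PBKDF2 digest of the candidate against the stored one. A SHA-1 collision (two inputs the attacker chose that hash alike) gives no control over either; to be accepted with a wrong candidate you would need a candidate whose PBKDF2 digest equals a fixed stored value, and even then, as Sven says, the mapping decrypts to gibberish because the data was encrypted under the real key. The 512-bit key is also no problem for a 160-bit hash: PBKDF2 simply emits as many HMAC blocks as the requested length needs.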

