[dm-crypt] dmcrypt concern

Arno Wagner arno at wagner.name
Wed Mar 11 22:07:57 CET 2015


On Wed, Mar 11, 2015 at 21:42:56 CET, Sven Eschenberg wrote:
> I guess it is the typical misconception the OP fell for.
> 
> Tradional PW hashing works like: PW->hash->store digest (well hopefully
> the PW is salted a priori). So any collision will obviously yield a proper
> auth.

Yes, looks like it. But sha1 is not broken for hash-only collisions 
(i.e. "weak" reversing) at this time either. Not even MD5 is, AFAIK. 
So even with that, there would be no problem. Add to that that we are 
using iterated hashing, and any problem vanishes. LUKS is really
a very conservative design.
 
> In contrast, with LUKS the digest is used for key candidate verification.
> so key->hash->digest check. Check is positive, key is accepted, yet it
> will naturally give unuseable data instead of cleartext, as it is not the
> correct key.

Depends. It may stil be the correct one. But yes, the attack is 
more complicated as you need to find all collisions, not just one
and the value actually checked does not get any entropy-reduction
unlike the password case.

That is a far more difficult attack. In particular, if you use the 
current defaults, you have a 512 bit key in total. Even if SHA1
were fully reversible, it could not leak more than 160 bits
of entropy and hence you would still have something like 350 bits.
A more conservative estimate would say 80 bits of the key and 80
bits of the XTS "seed value" (forgot the name) would leak, hence
reducing key strength to 160 bit or the like. All quite secure
at this time. Even the absolute worst-case where sha1 would leak 
160 bits of the key and the XTS seed does not add any security 
would leave 96 bits of key intact and be secure at this time.

> 
> Wasn't there a section in the FAQ explaining this more thoroughly? Maybe
> the section is not 'foolproof' enough as this issue keeps recurring?

There is just one that says sha1 is not broken for the uses in LUKS.
As averybody has some variant of the possible misconceptions, I think
it is better to answer them individually. Maybe I will expand on
the FAQ item on SHA1 if the "sha1 is broken" messages get annoying.

Gr"usse,
Arno


> Regards
> 
> -Sven
> 
> 
> 
> On Wed, March 11, 2015 21:06, Arno Wagner wrote:
> > On Wed, Mar 11, 2015 at 20:16:09 CET, Martin, David K. wrote:
> >> I have a question about dmcrypt. If the MK digest is the output of SHA1,
> >> wouldn't the master key be the weakest point the the setup? SHA1 one
> >> only
> >> provide 80 bits of security and that can't be changed.
> >
> > First, sha1 provides 160 bits for the use at hand. Second, the
> > master key is derived from /dev/(u)random and as good as the platform
> > allows. And third, the MK digest is the result of 1000 iterations of
> > pbkdf2 with sha1.
> >
> > I do not follow your argument at all.
> >
> >> All an attacker have to do is seek a collision in SHA1 to get the master
> >> key..
> >
> > No. An attacker has to _reverse_ sha1, which is far, far harder.
> > Against reversing, SHA1 is secure at this time.
> >
> >> There would be absolutely no point in going after the password
> >> especially if you use a 512 bit hash like SHA512 or WHIRLPOOL. Those two
> >> provide 256 bits of security. The 80 bits of security for the master key
> >> is
> >> the weak point in the setup.
> >
> > Seriusly, they would _not_ be more secure. In fact, a longer hash
> > would possibly leak _more_ of the master key. As SHA1 has only
> > 160 bits, it could not leak more than 160 bits of a 256 bit or 512 bit
> > key. At the same time SHA512 could leak the full key.
> >
> >>
> >> Am I understanding that right?
> >
> > Sorry, but not at all. You should look again at what specific
> > scenarios SHA1 is broken for. The use in cryptsetup is not among
> > them. All breaks of sha1 at this time need at least to know one
> > input, but usually have to _selevt_ both inputs to sha1. In
> > cryptsetup for the MK hash, the unoyt is unknown to the attacker
> > and cannot be selected by the attacker either.
> >
> > Arno
> > --
> > Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> > GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D
> > 9718
> > ----
> > A good decision is based on knowledge and not on numbers. -- Plato
> >
> > If it's in the news, don't worry about it.  The very definition of
> > "news" is "something that hardly ever happens." -- Bruce Schneier
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt at saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


More information about the dm-crypt mailing list