[dm-crypt] SHA-1 Freestart Collision: No, it does not break LUKS
arno at wagner.name
Fri Oct 9 05:56:40 CEST 2015
just to prevent people from again coming in here and claiming
LUKS is insecure because it uses SHA1, or to have something handy
to point them to:

This is about finding collisions. Like when you use SHA1
to hash a certificate and then sign that hash. A collision
there lets you modify the contents of a certificate in very
limited fashion while keeping the signature intact.

Now, a collision means that at the very least you have one
input and its hash-value and you are looking for a second
input producing the same hash value. Alternatively, you
want to create two inputs with the same hash-value,
but do not care what that value is.

Differently from that, in order to break LUKS, you have to
generate an input for a known hash value. That is a _lot_
more difficult. And you have to do it for the hash being
iterated 10'000 times (gives you the master-key from its
checksum), when currently it is exceptionally hard (or
rather still infeasible) to do it for one iteration.
Iteration is also done with PBKDF2, which makes it even
harder as you cannot do it iteration-by-iteration.

So, no, the current LUKS defaults are _not_ broken because
of SHA1. They are unlikely to be broken because of SHA1
in the next few decades and it is even possible that the
use of SHA1 in LUKS will stay secure forever, because
total available computing power in this universe is not
actually that large.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
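The post's point that PBKDF2 cannot be attacked "iteration-by-iteration" is easiest to see by writing the KDF out. The following is an added example, not code from the post or from cryptsetup: it implements one output block of PBKDF2-HMAC-SHA1 (RFC 2898) with the U_1..U_c chain visible, then models a LUKS1-style master-key check as "given the stored digest, find a master key whose PBKDF2 output equals it", which is a preimage problem on the whole iterated construction rather than a collision on a single SHA1 call. The iteration count, salt and sample key are constructed here, not taken from a real header.

```python
import hashlib
import hmac
import secrets
import struct


def pbkdf2_hmac_sha1_block(password: bytes, salt: bytes, iterations: int,
                           block_index: int = 1) -> bytes:
    """One 20-byte output block T_i of PBKDF2-HMAC-SHA1 (RFC 2898, 5.2).

    U_1 = PRF(password, salt || INT(i)), U_j = PRF(password, U_{j-1}),
    T_i = U_1 xor U_2 xor ... xor U_c.  Each U_j depends on the previous
    one, and the only value that can be compared against a stored digest
    is the XOR of all of them, which exists only after the last round.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha1).digest()
    acc = u
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha1).digest()
        acc = bytes(a ^ b for a, b in zip(acc, u))  # no partial result is checkable
    return acc


def master_key_digest(master_key: bytes, salt: bytes, iterations: int) -> bytes:
    """LUKS1-style 20-byte master-key checksum: PBKDF2-HMAC-SHA1 over the
    master key itself. This is what a header stores; the key is not stored."""
    return pbkdf2_hmac_sha1_block(master_key, salt, iterations)


def candidate_matches(candidate_key: bytes, salt: bytes, iterations: int,
                      stored_digest: bytes) -> bool:
    """Verify one candidate master key. An attacker who only has the header
    must pay the full iteration count for every candidate, and needs a
    preimage of the stored digest, not merely two inputs that collide."""
    return hmac.compare_digest(master_key_digest(candidate_key, salt, iterations),
                               stored_digest)


def hash_calls_per_candidate(iterations: int) -> int:
    """SHA1 compressions spent per candidate: HMAC costs two SHA1 calls per
    PBKDF2 round (inner and outer), so a guess costs 2 * iterations calls."""
    return 2 * iterations


if __name__ == "__main__":
    # Constructed sample values, assumed for illustration only.
    iterations = 10_000
    salt = secrets.token_bytes(32)
    real_master_key = secrets.token_bytes(32)
    digest = master_key_digest(real_master_key, salt, iterations)

    print("stored digest:", digest.hex())
    print("correct key matches:", candidate_matches(real_master_key, salt, iterations, digest))
    print("random key matches:", candidate_matches(secrets.token_bytes(32), salt, iterations, digest))
    print("SHA1 calls per candidate:", hash_calls_per_candidate(iterations))
```

The manual block agrees with `hashlib.pbkdf2_hmac("sha1", ...)` for the RFC 6070 vectors, which is how you can convince yourself the XOR chain above is the real construction and not a simplification. Note that a SHA-1 collision (or the freestart collision in the subject line) gives you two messages with one digest; nothing in `candidate_matches` is helped by that, because the attacker's target is a fixed `stored_digest` they did not choose.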