[dm-crypt] New Luks Format Specification (1.3)
arno at wagner.name
Wed Feb 1 09:19:42 CET 2012
On Wed, Feb 01, 2012 at 08:59:10AM +0100, Philipp Deppenwiese wrote:
> i am Zaolin from the German hackerspace "Das Labor".
Never heard of it, sorry.
> The last month I concentrated on how to change the luks specification to
> be state of the art. Up to now we still use SHA-1 as default algorithm
> for PBKDF2 in luks.
SHA-1 is not a security problem when used in this fashion.
> The next problem is the excessive use of parallel
> bruteforcing systems like ASIC, FPGA or GPUGPU technology. A new key
> derivation function is needed in order to raise the complexity of
> bruteforce attacks against the luks key derivation function.
No, it is not. At the very worst, a higher iteration count may
be needed, but that question involves a trade-off that is
regularly discussed here, see the mailing-list archives.
> If someone
> sends me the *.tex file of the luks specification, i will update and post
> it for review.
I doubt there is need for that. Please post your cryptoanalytic
results here, so that we can have a look. If you are trying
for a large-memory key-derivation function, please note that
a) this was discussed here recently (if I remember correctly,
I do remember that I was in some discussion about it and that
the large-memory property was doubtful at best) and that
b) it is unclear whether a large memory property, if
ensured, will even help.
Also note that against a determined or hogh-ressource attacker,
the only help is a high-entropy passphrase, as has been discussed
on this list several times and is clearly stated in the FAQ.
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
More information about the dm-crypt