[dm-crypt] LUKS and backdoors

Arno Wagner arno at wagner.name
Sun Oct 20 03:25:51 CEST 2013

The simpel answer is "yes". But it would be hard or impossible 
to hide.

If the master-key is placed anywhere outside of the areas 
used by an uncompromised cryptsetup, this is glaringly obvious 
when looking at the on-disk format as all the unused areas are 
carefully zeroed in the current version.  

There is a second possibility though: There are some random 
fields in the LUKS header than could be used to leak key-data,
specifically the salts. This would work. It would also be 
impossible to find out without a source-code analysis of the 
tool that created the header.

Fortunately, cryptsetup is completely open and (unlike
TrueCrypt) easy to build yourself. It is also relatively 
easy to read. (Well, code is never easy to read, but if
you are specifically interested in the salt creation, you
can just follow that data-path.)

The recommendation here would be to not use any binary-only
tools to create LUKS headers.

As to TrueCrypt, building it is apparently very hard (needs some
old C-compiler from 1997?) and there are quite a few gaps and
errors in the documentation. My personal favorite hate-target
is their dishonesty about the effect of hidden containers,
see also Cryptsetup FAQ Items 5.2 and 5.18. 


On Sat, Oct 19, 2013 at 08:38:17PM -0400, .. ink .. wrote:
> There is a lot of commotion surrounding truecrypt's presence or lack of
> backdoors and there are calls for its source code to be audited[1]
> How the header is created and maintained seem to be the most obvious place
> to put a backdoor as discussed in the linked article.
> can the same be done with LUKS? can a propriety,closed source application
> be able to create a LUKS header in a way that will allow it to secretly put
> the master key "between gaps" in a header in a way that will still make the
> header fully functional and cryptsetup will be able to open it without any
> complains?
> [1]
> http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html

> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list