[dm-crypt] Purpose of mkDigest field in LUKS header

Carlo Contavalli ccontavalli at gmail.com
Wed Jan 29 01:28:27 CET 2014

On Tue, Jan 28, 2014 at 12:15 PM, Arno Wagner <arno at wagner.name> wrote:
> On Tue, Jan 28, 2014 at 18:35:19 CET, Carlo Contavalli wrote:
>> Hello,
>> I was looking into the LUKS implementation for a crypto related project.
>> The field mkDigest in the LUKS header contains a PKDBF2 hash of the
>> volume key, which I believe is indirectly used to verify the user
>> passphrase.
>> Eg, if mkDigest on disk does not match PBKDF2 of volume key decrypted
>> with user passphrase, user passphrase is likely wrong.
>> Correct? Is there any other purpose to it?
>> Reason I'm asking: assuming that's the case, at passphrase insertion
>> time there are at least 2 PBKDF2 that need to be computed - one to
>> derive a key from the passphrase entered by the user, one to verify
>> that the volume key is correct. Both eat time and CPU.
>> If I was an attacker, though, I would not bother checking mkDigest at
>> all. I would probably just try the guessed key to decrypt a disk
>> block, and check for an ext4 or file system header, which I believe
>> would be trivial to do (cost of decrypting a block for each attempted
>> key, and look for common signatures).
>> So.. is that PBKDF2 necessary? could we replace it by, for example,
>> storing an encrypted one way hash of the volume key?
>> Eg, compute volume key, use it to decrypt a small chunk of data,
>> verify that the encrypted hash matches hash of volume key, without
>> iterations or time/cpu complexity.
>> My guess is that this would not significantly reduce the security of
>> something like LUKS and/or increase the attack surface.
>> Am I wrong? Did I miss anything I should be aware of?
> Yes. There is no reliable way to detect "decrypted" data. It
> is fundamentally impossible to do.

Not sure what the Yes refers to :)

But as per email, I was going to settle for decrypting some data, and
verifying result is as expected to make sure key is correct. Eg,
decrypt data, cleartext contains either a salted hash of the original
key, specific expected value, CCM/GCM decryption for that specific
block is passing verifications correctly, ... use some random other
method to report an error with high probability if the key is
incorrect, without actually using a PBKDF2.

> Also, the master key protected just by a simple has would
> be open to any "reversing" attack on the hash.

Agreed, that's also one of the reason I was planning not to expose a
hash of the key, but use one of the methods above.

> The second thing you missed is that this would break the LUKS
> header format, not a thing to do lightly and just for performance.

Sure, agreed!
As per email, I'm not planning to make any change to LUKS, this is
just to understand some of the design decisions for unrelated


More information about the dm-crypt mailing list