[dm-crypt] question regarding Sha1 and 512 bit key xts mode

Arno Wagner arno at wagner.name
Sun Aug 23 21:38:59 CEST 2015

On Sun, Aug 23, 2015 at 20:51:42 CEST, Sven Eschenberg wrote:
> On Sat, August 22, 2015 05:38, Heinz wrote:
> > Arno Wagner <arno at ...> writes:
> >
> >> No, that is not the statement. The statement is that collision attacks
> >> (the SHA1-weakness) are irrelevant for password hashing.
> >
> > Or in other words, SHA1 is secure in this case. But why not always use the
> > best possible hash algorithm, instead of an option which is at least safe?
> > I would logically use always the strongest one, purely as a precaution,
> > and
> > not what has already demonstrated weaknesses of any kind. I would not want
> > to wait if SHA1 really holds a long time. :)
> Sorry to intervene here. Hashing in LUKS is only used to check if a
> password/passphrase is a candidate. So, even if you manage to find a
> collision, the worst that can happen is that LUKS accepts the
> 'collision' as a valid key and you'll get gibberish on the mapping. Your
> encrypted data will be useless 'random' data and is not compromised then.

I seem to remember that PBKDF2 gets the hash discussed (SHA1) as input
and also that the AF splitter uses it. Still not an issue.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
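The three places where the LUKS1 hash-spec (SHA-1 by default) is actually used, as discussed above, are PBKDF2 for the key-slot key and the master-key digest, and the diffusion step inside the anti-forensic (AF) splitter. The following is an added example, not code from this thread or from cryptsetup: it re-implements those three hash uses with the Python standard library and walks one key slot through add-key and open. The cipher step (encrypting the AF-split material with the slot key under the header's cipher-spec) is deliberately left out, since it needs a cipher library and is not where the hash sits. Stripe and iteration counts in `demo()` are constructed for speed; real LUKS1 uses 4000 stripes and benchmarked iteration counts.

```python
import hashlib
import hmac
import os
import struct

HASH = "sha1"       # LUKS1 hash-spec; SHA-1 is the default
DIGEST_SIZE = 20    # LUKS1 stores a 20-byte master-key digest
STRIPES = 4000      # LUKS1 AF stripes per key slot


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def diffuse(buf, hash_name=HASH):
    """AF diffusion: hash each hash-sized block, prefixed with its big-endian 32-bit index."""
    hsize = hashlib.new(hash_name).digest_size
    out = bytearray()
    for i in range(0, len(buf), hsize):
        block = buf[i:i + hsize]
        h = hashlib.new(hash_name)
        h.update(struct.pack(">I", i // hsize))
        h.update(block)
        out += h.digest()[:len(block)]          # last block may be shorter than the hash
    return bytes(out)


def af_split(key, stripes, hash_name=HASH, rand=os.urandom):
    """AF split: stripes-1 random blocks, chained through diffuse(); last block XORs in the key."""
    acc = bytes(len(key))
    out = bytearray()
    for _ in range(stripes - 1):
        s = rand(len(key))
        out += s
        acc = diffuse(xor_bytes(acc, s), hash_name)
    out += xor_bytes(acc, key)
    return bytes(out)


def af_merge(material, key_len, stripes, hash_name=HASH):
    """AF merge: replay the chain; any damaged stripe changes the recovered key."""
    acc = bytes(key_len)
    for i in range(stripes - 1):
        acc = diffuse(xor_bytes(acc, material[i * key_len:(i + 1) * key_len]), hash_name)
    return xor_bytes(acc, material[(stripes - 1) * key_len:stripes * key_len])


def slot_key(passphrase, salt, iterations, key_len, hash_name=HASH):
    """Key-slot key: PBKDF2-HMAC-<hash>(passphrase, slot salt), master-key length."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, key_len)


def mk_digest(master_key, mk_salt, mk_iterations, hash_name=HASH):
    """Master-key digest stored in the header: PBKDF2 over the master key, truncated to 20 bytes."""
    return hashlib.pbkdf2_hmac(hash_name, master_key, mk_salt, mk_iterations, DIGEST_SIZE)


def master_key_is_candidate(master_key, mk_salt, mk_iterations, stored_digest, hash_name=HASH):
    """The only thing the hash gates: does this unlocked key match the stored digest?"""
    return hmac.compare_digest(mk_digest(master_key, mk_salt, mk_iterations, hash_name), stored_digest)


def demo(passphrase=b"correct horse battery staple", stripes=STRIPES, iterations=2000, hash_name=HASH):
    """Walk one key slot through add-key and open (cipher step omitted); return what each check yields."""
    master_key = os.urandom(64)                       # 512-bit volume key, e.g. aes-xts-plain64
    mk_salt, slot_salt = os.urandom(32), os.urandom(32)  # constructed header fields
    stored_digest = mk_digest(master_key, mk_salt, iterations, hash_name)  # written at format time

    # add-key: derive the slot key and split the master key (encryption of `material` omitted)
    k_slot = slot_key(passphrase, slot_salt, iterations, len(master_key), hash_name)
    material = af_split(master_key, stripes, hash_name)

    # open: derive the slot key again (decryption of `material` omitted), merge, gate on the digest
    k_slot_again = slot_key(passphrase, slot_salt, iterations, len(master_key), hash_name)
    candidate = af_merge(material, len(master_key), stripes, hash_name)
    wrong_candidate = os.urandom(64)                  # stands in for a key unlocked from a bad slot

    return {
        "slot_key_stable": hmac.compare_digest(k_slot, k_slot_again),
        "af_roundtrip": candidate == master_key,
        "digest_ok": master_key_is_candidate(candidate, mk_salt, iterations, stored_digest, hash_name),
        "wrong_key_accepted": master_key_is_candidate(wrong_candidate, mk_salt, iterations,
                                                      stored_digest, hash_name),
    }


if __name__ == "__main__":
    for name, ok in demo(stripes=400, iterations=1000).items():
        print(f"{name}: {ok}")
```

Note what `master_key_is_candidate` decides: whether the bytes that came out of a key slot are passed on to dm-crypt as the volume key. A SHA-1 collision would at most let a different 512-bit string through that gate, and the mapping would then decrypt to noise; the ciphertext itself is never touched by the hash.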
