[dm-crypt] plain: opening with a wrong password

dennis at basis.uklinux.net dennis at basis.uklinux.net
Sat Feb 7 18:27:48 CET 2015

On Fri, Feb 06, 2015 at 07:27:29PM +0100, Arno Wagner wrote:
> >(b) Assuming a secure passphrase, wouldn't plain mode be more
> > secure than luks against possible vulnerabilities in the hashing
> > algorithm that may be discovered in the future?
> No. First, plain mode also hashes. And second, basically all
> potential vulnerabilities of modern hash functions (collisions,
> reversing) do not apply to the use as pasword-hashing functions. 
> You can hash passwords with MD5 and be perfectly secure, while MD5
> is fully broken for things like signing.

Thank you for answering my questions. I take your point about
plausible deniability, but your remarks about hashing have raised
further questions for me. I had been given to understand that
passphrase hashing makes a dictionary attack more costly or time
consuming by forcing the attacker to evaluate the hash function for
each passphrase attempted, and I have just checked the FAQ for
confirmation. It would seem to follow that a hash algorithm
sufficiently prone to collisions would diminish security by not taking
full advantage of the available key space, possibly to the point of
making a well informed search of the key space more practical than a
dictionary attack. In the degenerate case of a totally stupid hash
algorithm that hashes every passphrase to exactly the same key, the
attacker need only try that particular key and not even evaluate the
hash function. In a less extreme case where the algorithm maps low
entropy passphrases to some keys with higher probability than others,
some of the attacker's work is done for him if he starts with the more
probable keys. My conclusion would have been that if the passphrase is
initially at least as secure as a random key, then hashing can never
increase security but may decrease it. If this is a misconception, can
you please correct it?

More information about the dm-crypt mailing list