[dm-crypt] dmcrypt concern
sven at whgl.uni-frankfurt.de
Wed Mar 11 21:42:56 CET 2015
I guess it is the typical misconception the OP fell for.
Tradional PW hashing works like: PW->hash->store digest (well hopefully
the PW is salted a priori). So any collision will obviously yield a proper
In contrast, with LUKS the digest is used for key candidate verification.
so key->hash->digest check. Check is positive, key is accepted, yet it
will naturally give unuseable data instead of cleartext, as it is not the
Wasn't there a section in the FAQ explaining this more thoroughly? Maybe
the section is not 'foolproof' enough as this issue keeps recurring?
On Wed, March 11, 2015 21:06, Arno Wagner wrote:
> On Wed, Mar 11, 2015 at 20:16:09 CET, Martin, David K. wrote:
>> I have a question about dmcrypt. If the MK digest is the output of SHA1,
>> wouldn't the master key be the weakest point the the setup? SHA1 one
>> provide 80 bits of security and that can't be changed.
> First, sha1 provides 160 bits for the use at hand. Second, the
> master key is derived from /dev/(u)random and as good as the platform
> allows. And third, the MK digest is the result of 1000 iterations of
> pbkdf2 with sha1.
> I do not follow your argument at all.
>> All an attacker have to do is seek a collision in SHA1 to get the master
> No. An attacker has to _reverse_ sha1, which is far, far harder.
> Against reversing, SHA1 is secure at this time.
>> There would be absolutely no point in going after the password
>> especially if you use a 512 bit hash like SHA512 or WHIRLPOOL. Those two
>> provide 256 bits of security. The 80 bits of security for the master key
>> the weak point in the setup.
> Seriusly, they would _not_ be more secure. In fact, a longer hash
> would possibly leak _more_ of the master key. As SHA1 has only
> 160 bits, it could not leak more than 160 bits of a 256 bit or 512 bit
> key. At the same time SHA512 could leak the full key.
>> Am I understanding that right?
> Sorry, but not at all. You should look again at what specific
> scenarios SHA1 is broken for. The use in cryptsetup is not among
> them. All breaks of sha1 at this time need at least to know one
> input, but usually have to _selevt_ both inputs to sha1. In
> cryptsetup for the MK hash, the unoyt is unknown to the attacker
> and cannot be selected by the attacker either.
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D
> A good decision is based on knowledge and not on numbers. -- Plato
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> dm-crypt mailing list
> dm-crypt at saout.de
More information about the dm-crypt