[dm-crypt] SHA-1 Freestart Collision: No, it does not break LUKS

Arno Wagner arno at wagner.name
Fri Oct 9 05:56:40 CEST 2015

Hi all,

just to prevent people from again coming in here and claiming
LUKS is insecure because it uses SHA1, or to have something handy
to point them to:


This is about finding collisions. Like when you use SHA1
to hash a certificate and then sign that hash. A collision
there lets you modify the contents of a certificate in a very
limited fashion while keeping the signature intact.

Now, a collision means that at the very least you have one
input and its hash-value and you are looking for a second
input producing the same hash value. Alternatively, you
want to create two inputs with the same hash-value,
but do not care what that value is.

In contrast to that, in order to break LUKS, you have to
generate an input for a known hash value. That is a _lot_
more difficult. And you have to do it for the hash being
iterated 10'000 times (gives you the master-key from its
checksum), when currently it is exceptionally hard (or
rather still infeasible) to do it for one iteration.
Iteration is also done with PBKDF2, which makes it even
harder as you cannot do it iteration-by-iteration.

So, no, the current LUKS defaults are _not_ broken because
of SHA1. They are unlikely to be broken because of SHA1 
in the next few decades and it is even possible that the 
use of SHA1 in LUKS will stay secure forever, because 
total available computing power in this universe is not 
actually that large.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
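Added example, not part of Arno's post and not cryptsetup's own code: a step-by-step
PBKDF2-HMAC implementation (RFC 8018) that exposes the intermediate values U_1..U_c, so
the "cannot do it iteration-by-iteration" point is visible in the construction (each output
block is the XOR of all U_j, so the stored digest does not hand out the last iteration's
value), plus a simplified model of the master-key digest check the post refers to. The model
assumes the LUKS1 layout of a 20-byte PBKDF2 digest of the master key over a per-header salt;
the iteration count is a parameter, with the 10,000 figure quoted from the post used only in
the demo. The master key and salt in the demo are constructed at random.

```python
"""PBKDF2-HMAC (RFC 8018, formerly RFC 2898) written out step by step, plus a
simplified model of a LUKS1-style master-key digest check. Example code only;
it is not cryptsetup's implementation."""
import hashlib
import hmac
import struct


def pbkdf2_block(hash_name, password, salt, iterations, block_index):
    """Return the intermediate values U_1..U_c for one PBKDF2 output block.

    U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), with PRF = HMAC-<hash_name>.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    u = hmac.new(password, salt + struct.pack(">I", block_index), hash_name).digest()
    us = [u]
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hash_name).digest()
        us.append(u)
    return us


def pbkdf2(hash_name, password, salt, iterations, dklen):
    """Derive dklen bytes. Each block T_i is the XOR of all its U_j, so for
    c > 1 the derived key exposes no individual U_j: someone holding only the
    digest cannot peel the iterations off one at a time."""
    hlen = hashlib.new(hash_name).digest_size
    if dklen > (2**32 - 1) * hlen:
        raise ValueError("derived key too long")
    out = bytearray()
    for i in range(1, -(-dklen // hlen) + 1):   # ceil(dklen / hlen) blocks
        t = bytes(hlen)
        for u in pbkdf2_block(hash_name, password, salt, iterations, i):
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])


def matches_stdlib(hash_name, password, salt, iterations, dklen):
    """Cross-check the hand-written derivation against hashlib.pbkdf2_hmac."""
    return pbkdf2(hash_name, password, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


# --- Model of the master-key digest check described in the post -----------
MK_DIGEST_LEN = 20   # assumption: LUKS1 stores a 20-byte digest of the master key


def master_key_digest(master_key, salt, iterations, hash_name="sha1"):
    """Digest kept in the header: PBKDF2-HMAC-<hash>(master_key, salt, iterations)."""
    return pbkdf2(hash_name, master_key, salt, iterations, MK_DIGEST_LEN)


def master_key_matches(candidate, salt, iterations, stored_digest, hash_name="sha1"):
    """What an opener does with a candidate master key recovered from a key slot.
    Going the other way, from stored_digest back to a key, is a preimage problem
    on this whole iterated construction, not a collision search on SHA-1."""
    return hmac.compare_digest(
        master_key_digest(candidate, salt, iterations, hash_name), stored_digest)


if __name__ == "__main__":
    import os
    # Constructed sample values; a real header carries its own salt and count.
    mk = os.urandom(32)
    salt = os.urandom(32)
    iters = 10000          # the figure quoted in the post, taken as given here
    digest = master_key_digest(mk, salt, iters)
    print("digest:", digest.hex())
    print("correct key accepted:", master_key_matches(mk, salt, iters, digest))
    wrong = bytes([mk[0] ^ 1]) + mk[1:]
    print("one-bit-off key accepted:", master_key_matches(wrong, salt, iters, digest))
    print("matches hashlib:", matches_stdlib("sha1", mk, salt, iters, MK_DIGEST_LEN))
```

The c=1 and c=2 outputs of pbkdf2("sha1", b"password", b"salt", ...) can be checked against
the RFC 6070 test vectors; with c=1 the digest is exactly U_1, which is why a single
iteration is the only case where inverting the construction reduces to inverting one HMAC.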
