* [dm-crypt] Crack a dm-LUKS partition or harddisk
@ 2009-11-04 16:51 Si St
  2009-11-04 17:01 ` Sven Eschenberg
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Si St @ 2009-11-04 16:51 UTC (permalink / raw)
  To: dm-crypt

Question:
Say we have a dm/LUKS encrypted partition or harddisk. - Do we have a crack-password-delay-mechanism as a part of the encryption, or is this a feature of the software of the OS?

I have understood that with the very rapid cracking speed (brute-force) we have nowadays, the new approach to this is to force in a delay for each password enter, as a tool of increased security. Is this feature a block independent software, or is it only a software program of the booted OS?

If so, attacking the harddisk directly independent of the booted OS will pass this feature.

(Have I made myself clear?)

-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 9 at http://www.opera.com

Powered by Outblaze


* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-04 16:51 [dm-crypt] Crack a dm-LUKS partition or harddisk Si St
@ 2009-11-04 17:01 ` Sven Eschenberg
  2009-11-04 17:30 ` Heinz Diehl
  2009-11-04 22:29 ` Arno Wagner
  2 siblings, 0 replies; 14+ messages in thread
From: Sven Eschenberg @ 2009-11-04 17:01 UTC (permalink / raw)
  To: dm-crypt

The passphrase is iterated (with some sort of key derivation algorithm) 
as far as I understand it.

Usually you can modify the amount of time in ms during keyslot creation 
which is spent in doing iterations.

If you assume you can do n iterations in 1 second, and some other 
machine can do 10 times n iterations, then machine two would spend 
(approx) 1/10 second per passphrase (password) test.

But this is only of relevance, where the passphrase universe << key 
universe - Meaning, when the entropy of your passphrase is bigger than 
the keyspace, it doesn't matter, since you'd try cracking the actual 
key within the keyspace.

Regards

-Sven



* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-04 16:51 [dm-crypt] Crack a dm-LUKS partition or harddisk Si St
  2009-11-04 17:01 ` Sven Eschenberg
@ 2009-11-04 17:30 ` Heinz Diehl
  2009-11-04 22:29 ` Arno Wagner
  2 siblings, 0 replies; 14+ messages in thread
From: Heinz Diehl @ 2009-11-04 17:30 UTC (permalink / raw)
  To: dm-crypt

On 04.11.2009, Si St wrote: 

> Do we have a crack-password-delay-mechanism as a part of the encryption

See the option "--iter-time" in the cryptsetup manual, and look for
"iteration count" related to PBKDF2.


* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-04 16:51 [dm-crypt] Crack a dm-LUKS partition or harddisk Si St
  2009-11-04 17:01 ` Sven Eschenberg
  2009-11-04 17:30 ` Heinz Diehl
@ 2009-11-04 22:29 ` Arno Wagner
  2 siblings, 0 replies; 14+ messages in thread
From: Arno Wagner @ 2009-11-04 22:29 UTC (permalink / raw)
  To: dm-crypt

On Wed, Nov 04, 2009 at 05:51:59PM +0100, Si St wrote:
> Question:
>
> Say we have a dm/LUKS encrypted partition or harddisk. - Do we have a
> crack-password-delay-mechanism as a part of the encryption, or is this a
> feature of the software of the OS?
> 
> I have understood that with the very rapid cracking speed (brute-force)
> we have nowadays, the new approach to this is to force in a delay for each
> password enter, as a tool of increased security. Is this feature a block
> independent software, or is it only a software program of the booted OS?
>
> If so, attacking the harddisk directly independent of the booted OS will
> pass this feature.
> 

I guess this is in response to a recent Slashdot article pointing
to some people that have cracked a PGP encrypted zip file using
Amazon EC2. 

First, this is only relevant if you have low entropy in your
passphrase. An example would be an [a-z] 8 char passphrase, which
has (if it is random) about 37.6 bits of entropy. This is of course
far less than a 128 bit or 256 bit key and in a brute force attack
it may be beneficial to run through all possible passphrases instead of
through all possible keys.

LUKS uses PBKDF2, which is specifically designed to be resilient
in case such low-entropy passwords are used. The hash is SHA-1
(the recently discovered weaknesses do not matter for this application)
and it is determined by a benchmark system, which basically benchmarks
PBKDF2 and then uses the number of iterations that give a specific
checking time. As far as I can tell, the LUKS spec does not give a 
default.

cryptsetup 1.0.6 (the version in Debian Stable) seems to use
a default value of 1 sec (line 28 in src/cryptsetup.c:
static int opt_iteration_time = 1000;). 

Incidentally this gives a cost > 10 Billion USD for 
Amazon EC2 if the key setup was done on reasonably fast
hardware. If you do it on a Linux running in a bochs
emulator, e.g., the security may be a bit worse ;-)

The passphrase and the iterations are needed to derive the key 
that unlocks the master key. This means the delay feature is 
a cryptographic feature of the key-derivation mechanism and 
cannot be bypassed by anyone. It is not just a static delay,
it is a computation that has to be done since its result is 
needed.

What the OS can do, if it is corrupt, is to just store 
the key somewhere when you unlock your crypto-container. 
This requires an attacker to have access to your OS two 
times and you to open the container in between. It has 
recently gotten some limited fame as an "Evil Maid Attack".
However an easier attack installs a keyboard sniffer or a 
physical bug into your computer.

Arno

----

Reference for LUKS:
http://cryptsetup.googlecode.com/svn-history/r42/wiki/LUKS-standard/on-disk-format.pdf

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

^ permalink raw reply	[flat|nested] 14+ messages in thread
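
Added example, not part of the original thread and not cryptsetup code: a Python sketch of the points made in the replies above, namely that the iteration count is chosen by benchmarking PBKDF2-HMAC-SHA1, that the per-guess cost lives in the stored data rather than in the OS, and how that cost scales against a low-entropy passphrase. The slot record and all function names are constructed for illustration and do not follow the LUKS on-disk format.

```python
import hashlib
import hmac
import math
import os
import time


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random passphrase: n * log2(q)."""
    return length * math.log2(alphabet_size)


def calibrate_iterations(target_ms, probe_iterations=20000):
    """Benchmark PBKDF2-HMAC-SHA1 and return the iteration count that takes
    roughly target_ms on this machine (the idea behind --iter-time)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha1", b"benchmark", bytes(32), probe_iterations, 32)
    per_iteration = (time.perf_counter() - start) / probe_iterations
    return max(1, int(target_ms / 1000.0 / per_iteration))


def make_slot(passphrase, iterations):
    """Constructed stand-in for a key slot (not the LUKS on-disk layout):
    salt and iteration count sit in the clear next to a check value."""
    salt = os.urandom(32)
    key = hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations, 32)
    return {"salt": salt, "iterations": iterations,
            "check": hashlib.sha256(key).digest()}


def try_passphrase(slot, guess):
    """One guess against the stored record. It needs no cooperation from the
    OS, but it cannot skip the iterations: the check value depends on the
    PBKDF2 output, so the work has to be done for every guess."""
    key = hashlib.pbkdf2_hmac("sha1", guess, slot["salt"],
                              slot["iterations"], 32)
    return hmac.compare_digest(hashlib.sha256(key).digest(), slot["check"])


def time_one_guess(slot, guess=b"wrong guess"):
    """Wall-clock seconds spent on a single guess."""
    start = time.perf_counter()
    try_passphrase(slot, guess)
    return time.perf_counter() - start


def exhaustive_search_years(bits, seconds_per_guess, speedup=1.0):
    """Worst-case years to try every passphrase of the given entropy on
    hardware `speedup` times faster than the machine that set the slot up."""
    seconds = (2.0 ** bits) * seconds_per_guess / speedup
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    iterations = calibrate_iterations(target_ms=200)  # short target for the demo
    slot = make_slot(b"hqzkwmpa", iterations)         # constructed passphrase
    per_guess = time_one_guess(slot)
    bits = entropy_bits(8, 26)                        # [a-z], 8 characters
    print(f"{iterations} iterations, {per_guess * 1000:.0f} ms per guess")
    print(f"[a-z] x 8 = {bits:.1f} bits")
    for speedup in (1, 10, 1000):
        years = exhaustive_search_years(bits, per_guess, speedup)
        print(f"attacker {speedup}x faster: {years:,.1f} years worst case")
```
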

* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
@ 2009-11-05 20:42 Si St
  2009-11-05 21:34 ` Heinz Diehl
  2009-11-05 22:03 ` Heinz Diehl
  0 siblings, 2 replies; 14+ messages in thread
From: Si St @ 2009-11-05 20:42 UTC (permalink / raw)
  To: dm-crypt

Thanks for excellent help from Heinz Diehl, Eschenberg and Wagner here so far. Keywords for me have become: --iter-time and LUKS partition header. -

I have not read the article related to below so my question is independent from that one.

As to password entropy I use passwords like this as to length and characters and arrangement thereof:

-,Brpvz#aU1067+/

formed from a passphrase. 

For my wireless router I double the character count to 32.

By the way: Is there a way to reasonably fast check out the entropy of a chosen password or phrase? Is there a program maybe, or would I just have to calculate it there and then?


* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-05 20:42 Si St
@ 2009-11-05 21:34 ` Heinz Diehl
  2009-11-05 22:03 ` Heinz Diehl
  1 sibling, 0 replies; 14+ messages in thread
From: Heinz Diehl @ 2009-11-05 21:34 UTC (permalink / raw)
  To: dm-crypt

On 05.11.2009, Si St wrote: 

> By the way: Is there a way to reasonably fast check out the entropy of a chosen password or phrase?

You can calculate the strength of your passphrase using this formula:    

 bits = (n * log q) / log 2

Where "n" is the length of your passphrase (how many characters) and "q"
is the amount of available characters.

* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
@ 2009-11-05 21:49 Si St
  2009-11-05 22:08 ` Heinz Diehl
  0 siblings, 1 reply; 14+ messages in thread
From: Si St @ 2009-11-05 21:49 UTC (permalink / raw)
  To: dm-crypt

Thank you very much, Heinz Diehl, and in the meantime I have found and may use:

http://rumkin.com/tools/password/passchk.php

if it is trustworthy. Number of characters, entropy and character set come out here.


* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-05 20:42 Si St
  2009-11-05 21:34 ` Heinz Diehl
@ 2009-11-05 22:03 ` Heinz Diehl
  1 sibling, 0 replies; 14+ messages in thread
From: Heinz Diehl @ 2009-11-05 22:03 UTC (permalink / raw)
  To: dm-crypt

On 05.11.2009, Si St wrote: 

> For my wireless router I double the character count to 32.

You can safely use up to 63 characters. To set up wireless AP, I use this
little script I hacked together quite some time ago, it works very well. 

It generates passwords in the correct character range for wireless AP
using /dev/random. Save this in a file, do a "chmod +x " on it, and run 
it with the desired length as argument. In case it is a large passphrase
you want to generate, you'll have to move the mouse a bit.


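#!/usr/bin/perl -Tw

use strict;

# Printable ASCII without the space character: 94 symbols (codes 33..126).
my @range = (33..126);

# Desired passphrase length from the first argument; the regex match
# validates it as a positive integer.
my ($howmany) = (defined $ARGV[0] ? $ARGV[0] : '') =~ /^([1-9][0-9]*)$/;

my $randkey = gen_randkey($howmany);

if (defined $randkey) {
   print "Passphrase: $randkey\n"; }
else {
   print "Something went wrong\n";
}

sub gen_randkey {

  my $len = shift;
  unless ($len) { print STDERR "No parameter given\n"; return; }

  # Largest multiple of the alphabet size that fits in one byte (188).
  # Bytes at or above it are discarded so that the modulo below does not
  # favour the first characters of the range.
  my $limit = 256 - (256 % @range);
  my $id = '';

  while (length($id) < $len) {
    my $random = read_dev_random($len - length($id));
    return unless defined $random;
    foreach my $byte (unpack('C*', $random)) {
      $id .= chr($range[$byte % @range]) if $byte < $limit;
    }
  }
  return $id;
}

sub read_dev_random {

  my $len = shift;

  my $fh;
  unless (open($fh, '<', '/dev/random')) {
    print STDERR "Unable to open the random device\n"; return;
  }
  binmode($fh);

  my $random;
  my $got = read($fh, $random, $len);
  close($fh);
  unless (defined $got && $got == $len) {
    print STDERR "Unable to read from the random device\n"; return;
  }
  return $random;
}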

* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-05 21:49 Si St
@ 2009-11-05 22:08 ` Heinz Diehl
  2009-11-06  8:08   ` Luca Berra
  0 siblings, 1 reply; 14+ messages in thread
From: Heinz Diehl @ 2009-11-05 22:08 UTC (permalink / raw)
  To: dm-crypt

On 05.11.2009, Si St wrote: 

> Thank you very much

You're welcome, it was nothing. My pleasure!

> http://rumkin.com/tools/password/passchk.php
> if it is trustworthy. Number of characters, entropy and character set come out here.

No matter what you enter here, the entropy of this phrase will always be
1, because you did provide it to the maintainers of this site, and maybe
to the whole world.


* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-05 22:08 ` Heinz Diehl
@ 2009-11-06  8:08   ` Luca Berra
  2009-11-06 12:07     ` Heinz Diehl
  0 siblings, 1 reply; 14+ messages in thread
From: Luca Berra @ 2009-11-06  8:08 UTC (permalink / raw)
  To: dm-crypt

On Thu, Nov 05, 2009 at 11:08:13PM +0100, Heinz Diehl wrote:
>On 05.11.2009, Si St wrote: 
>
>> Thank you very much
>
>You're welcome, it was nothing. My pleasure!
>
>> http://rumkin.com/tools/password/passchk.php
>> if it is trustworthy. Number of characters, entropy and character set come out here.
>
>No matter what you enter here, the entropy of this phrase will always be
>1, because you did provide it to the maintainers of this site, and maybe
>to the whole world.

Actually the site contains a js app that does calculations locally, I
did not yet audit the code (on my long todo list), so no password should
ever be sent on the wire.

L.
-- 
Luca Berra -- bluca@comedia.it
         Communication Media & Services S.r.l.
  /"\
  \ /     ASCII RIBBON CAMPAIGN
   X        AGAINST HTML MAIL
  / \


* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-06  8:08   ` Luca Berra
@ 2009-11-06 12:07     ` Heinz Diehl
  0 siblings, 0 replies; 14+ messages in thread
From: Heinz Diehl @ 2009-11-06 12:07 UTC (permalink / raw)
  To: dm-crypt

On 06.11.2009, Luca Berra wrote: 

> Actually the site contains a js app that does calculations locally, I
> did not yet audit the code (on my long todo list), so no password should
> ever be sent on the wire.

Yes, you're right, I overlooked this.

Anyway, the calculation is so easy that it's simply not worth using a
specially crafted program for that.

* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
@ 2009-11-06 17:28 Si St
  2009-11-06 18:27 ` Heinz Diehl
  0 siblings, 1 reply; 14+ messages in thread
From: Si St @ 2009-11-06 17:28 UTC (permalink / raw)
  To: dm-crypt


Okay. I had my thoughts of a http:// site, and you are all right in warning me about testing out passwords across or along the net even if it is a js app locally. (Thanks also to "Luca Berra" bluca@comedia.it.) I guess this means that the test is supposed to run only on my computer(?)

Thanks for a nice perl script, Heinz Diehl! 
I noticed long ago that config the wireless part with YaST on my SuSE 10.0/1 YaST would not accept this sign: ' (accent aigue) as part of passphrase, for one or another reason, but Windows did and so the router. Could be an old bug.

I have cryptoloop on SuSE 10.1, but dm-crypt/LUKS on openSuSE 11.1 and on SLED 10 SP3.

A question that is a little bit off dm-crypt subjects: Are the security problems as to e.g. watermarks also affecting gnuPG? Well, I would think so if the ECB is used, and maybe as long as there is need for some IVector due to CBC. But has gnuPG completely different problems? I am not asking about symmetric or public keys, but more about the final encrypted result placed there on disk. - Maybe I should ask about this on this list.

I am a doctor and transfer daily info of thousands of patients every day on a USB-stick. Before I used to plaintext-copy them all to the stick, but now I always encrypt it as a tar-file with gpg. I transfer the journals from my office machine to home machines, just in case the office breaks down and I can just replace the machine. On the home machines I transfer the data to an encrypted partition with a script in bash that decrypts and mounts the partition, decrypts the tar-ball and empties the whole tree to its proper place, checks the content to be the same and finally closes the loop or devicemapper (not to be forgotten!) and after that umounts the partition. Thereby I feel safe to go on internet. The office machine is an old SuSE 7.3 !! with hardware from the year of the Lord 2001. But this machine is NOT configured to internet - it is only a stand alone machine. I have a partition with SLED 10 on it, but it is very rare I ever am on net. The cable to the isdn card is detached all the time. What do you say about this, my dear Heinz? Stubbornness and remnant Newbie, maybe.

Just to let you know that there is not only people with dm-itch or dm-tic on this site;


* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-06 17:28 Si St
@ 2009-11-06 18:27 ` Heinz Diehl
  2009-11-06 19:29   ` Arno Wagner
  0 siblings, 1 reply; 14+ messages in thread
From: Heinz Diehl @ 2009-11-06 18:27 UTC (permalink / raw)
  To: dm-crypt

On 06.11.2009, Si St wrote: 

> Are the security problems as to e.g. watermarks also affecting gnuPG? Well, I would think so if the ECB is used

GnuPG uses CFB mode of operation (as defined in the OpenPGP standard),
it's a streaming version of CBC and is therefore not vulnerable to
watermarking. Please folks, correct me if I'm wrong.

> I am a doctor and transfer daily info of thousands of patients every day on a USB-stick. 
> Before I used to plaintext-copy them all to the stick, but now I always encrypt it as a tar-file with gpg. 
> I transfer the journals from my office machine to home machines....

In my opinion, you're better off using LUKS/dmcrypt on the USB-stick. In
addition, the whole system should be encrypted as well, to handle leaking
of the passphrase/key.

> The office machine is an old SuSE 7.3 !! with hardware from the year of the Lord 2001.
> But this machine is NOT configured to internet - it is only a stand alone machine.

This machine needs to be updated. A whole lot of things changed since 2001.

> What do you say about this, my dear Heinz? Stubbornness and remnant Newbie, maybe.
 
I would update / replace the old machine with a new one, install some
recent Linux distribution on it, with encrypted filesystems (incl.
root/swap), and prepare the USB stick with a LUKS/dmcrypt formatted
partition. Newer Linux kernels also provide a bunch of modes of operation
which are not vulnerable to watermarking (XTS...).

Alternatively, you could use an SSH tunnel using authorization via RSA-key 
from/to your home/workplace machine and drop carrying sensitive data on your memory stick.

* Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
  2009-11-06 18:27 ` Heinz Diehl
@ 2009-11-06 19:29   ` Arno Wagner
  0 siblings, 0 replies; 14+ messages in thread
From: Arno Wagner @ 2009-11-06 19:29 UTC (permalink / raw)
  To: dm-crypt

On Fri, Nov 06, 2009 at 07:27:57PM +0100, Heinz Diehl wrote:
> On 06.11.2009, Si St wrote: 
> 
> > Are the security problems as to e.g. watermarks also affecting gnuPG?
> > Well, I would think so if the ECB is used
> 
> GnuPG uses CFB mode of operation (as defined in the OpenPGP standard),
> it's a streaming version of CBC and is therefore not vulnerable to
> watermarking. Please folks, correct me if I'm wrong.

AFAIK you are not wrong. Watermarking vulnerabilities seem to
mostly affect short, not chained cipher blocks, as in sector
level disk encryption.

> > I am a doctor and transfer daily info of thousands of patients every
> > day on a USB-stick.  Before I used to plaintext-copy them all to the
> > stick, but now I always encrypt it as a tar-file with gpg.  I transfer
> > the journals from my office machine to home machines....
> 
> In my opinion, you're better off using LUKS/dmcrypt on the USB-stick. In
> addition, the whole system should be encrypted as well, to handle leaking
> of the passphrase/key.

As long as you do the encryption on the source machine and the decryption
on the target machine and the stick only ever has the gpg-encrypted
file on it, I see nothing wrong at all with the procedure. And it is
significantly easier to set up (stick-agnostic, as long as it has a
filesystem).

> > The office machine is an old SuSE 7.3 !! with hardware from the year of
> > the Lord 2001. But this machine is NOT configured to internet - it is
> > only a stand alone machine.

This machine is fine, if you do not connect it to the Internet.
Never change a working system. You should however use a current
version of gpg. 

Arno

