From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Purpose of mkDigest field in LUKS header
Date: Tue, 28 Jan 2014 21:15:14 +0100 [thread overview]
Message-ID: <20140128201514.GA3175@tansi.org> (raw)
In-Reply-To: <CACMEwJJQ=UDaPuO1wg0yJP7HjHBDeV0OmZrhLQTZ0rmBSw5LOg@mail.gmail.com>
On Tue, Jan 28, 2014 at 18:35:19 CET, Carlo Contavalli wrote:
> Hello,
>
> I was looking into the LUKS implementation for a crypto related project.
>
> The field mkDigest in the LUKS header contains a PKDBF2 hash of the
> volume key, which I believe is indirectly used to verify the user
> passphrase.
> Eg, if mkDigest on disk does not match PBKDF2 of volume key decrypted
> with user passphrase, user passphrase is likely wrong.
>
> Correct? Is there any other purpose to it?
>
> Reason I'm asking: assuming that's the case, at passphrase insertion
> time there are at least 2 PBKDF2 that need to be computed - one to
> derive a key from the passphrase entered by the user, one to verify
> that the volume key is correct. Both eat time and CPU.
>
> If I was an attacker, though, I would not bother checking mkDigest at
> all. I would probably just try the guessed key to decrypt a disk
> block, and check for an ext4 or file system header, which I believe
> would be trivial to do (cost of decrypting a block for each attempted
> key, and look for common signatures).
>
> So.. is that PBKDF2 necessary? could we replace it by, for example,
> storing an encrypted one way hash of the volume key?
>
> Eg, compute volume key, use it to decrypt a small chunk of data,
> verify that the encrypted hash matches hash of volume key, without
> iterations or time/cpu complexity.
>
> My guess is that this would not significantly reduce the security of
> something like LUKS and/or increase the attack surface.
>
> Am I wrong? Did I miss anything I should be aware of?
Yes. There is no reliable way to detect "decrypted" data. It
is fundamentally impossible to do.
Also, the master key protected just by a simple has would
be open to any "reversing" attack on the hash. But if you
look at the actual parameters, you see that the PBKDF2 iteration
count for the master key is much smaller than for keyslots.
That is because it ie ensured to have high entropy. So it
really does not matter much in the volume opening time.
The second thing you missed is that this would break the LUKS
header format, not a thing to do lightly and just for performance.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
next prev parent reply other threads:[~2014-01-28 20:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-28 17:35 [dm-crypt] Purpose of mkDigest field in LUKS header Carlo Contavalli
2014-01-28 20:15 ` Arno Wagner [this message]
2014-01-29 0:28 ` Carlo Contavalli
2014-01-29 1:53 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140128201514.GA3175@tansi.org \
--to=arno@wagner.name \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.