From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ks3095616.kimsufi.com (ks3095616.kimsufi.com [91.121.198.79]) by mail.server123.net (Postfix) with ESMTP for ; Fri, 6 Feb 2015 15:10:39 +0100 (CET) Date: Fri, 6 Feb 2015 15:01:40 +0100 Message-ID: <20150206140140.GA16920@dashborg.com> References: <54D21872.2030406@yahoo.com> <20150205115435.GA4093@tansi.org> <20150205235135.GA21304@tansi.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20150205235135.GA21304@tansi.org> From: dennis@basis.uklinux.net Subject: Re: [dm-crypt] plain: opening with a wrong password List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de On Fri, Feb 06, 2015 at 12:51:35AM +0100, Arno Wagner wrote: > If your passphrase is weak enough that a dictionary > attack has a reasonable success of working (and a dictionary > attack is the only thing the salt that hashalot adds helps > against), then you are pretty deep in insecure territory and > _need_ the hash iteration that LUKS provides, but which is > missing from both plain and hashalot. > >... > > Please do not spread unsubstantiated rumors. It is hard enough > these days for non-experts to decide what crypto to trust > and what not. Rumors of the kind "metadata headers offer > attack vectors" make this even worse. Count me among the non-experts. I have two questions. (a) Wouldn't metadata headers incur a loss of plausible deniablity compared to plain mode, especially when an encrypted filesystem image is stored as a single file on backup media or in the backing file for a loopback device? (b) Assuming a secure passphrase, wouldn't plain mode be more secure than luks against possible vulnerabilities in the hashing algorithm that may be discovered in the future?