* [dm-crypt] plain: opening with a wrong password @ 2015-02-04 12:33 U.Mutlu 2015-02-04 13:02 ` Quentin Lefebvre 0 siblings, 1 reply; 24+ messages in thread From: U.Mutlu @ 2015-02-04 12:33 UTC (permalink / raw) To: dm-crypt Hi, what happens if an encrypted filesystem (plain, no LUKS) next time is opened accidently with a wrong password, and new data written to it? Will the filesystem then become damaged/unusable? I didn't try this out, but I know the create/open command accepts any password for an already existing encrypted filesystem since no metadata is stored with such a "plain" volume, right? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-04 12:33 [dm-crypt] plain: opening with a wrong password U.Mutlu @ 2015-02-04 13:02 ` Quentin Lefebvre 2015-02-04 13:30 ` U.Mutlu 0 siblings, 1 reply; 24+ messages in thread From: Quentin Lefebvre @ 2015-02-04 13:02 UTC (permalink / raw) To: U.Mutlu, dm-crypt Hi, Le 04/02/2015 13:33, U.Mutlu a écrit : > Hi, > what happens if an encrypted filesystem (plain, no LUKS) > next time is opened accidently with a wrong password, > and new data written to it? Will the filesystem then become > damaged/unusable? What typically happens when you use a wrong password is that the cryptsetup create/open command is indeed successful, but mounting your partition will fail (because the filesystem is not detected). So you have few chance to accidentally damage a filesystem, even in plain mode. > I didn't try this out, but I know the create/open command accepts > any password for an already existing encrypted filesystem > since no metadata is stored with such a "plain" volume, right? Right, but this does not mean that data will look meaningful. Best, Quentin ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-04 13:02 ` Quentin Lefebvre @ 2015-02-04 13:30 ` U.Mutlu 2015-02-05 11:54 ` Arno Wagner 0 siblings, 1 reply; 24+ messages in thread From: U.Mutlu @ 2015-02-04 13:30 UTC (permalink / raw) To: dm-crypt Quentin Lefebvre wrote, On 02/04/2015 02:02 PM: > Hi, > > Le 04/02/2015 13:33, U.Mutlu a écrit : >> Hi, >> what happens if an encrypted filesystem (plain, no LUKS) >> next time is opened accidently with a wrong password, >> and new data written to it? Will the filesystem then become >> damaged/unusable? > > What typically happens when you use a wrong password is that the cryptsetup > create/open command is indeed successful, but mounting your partition will > fail (because the filesystem is not detected). > So you have few chance to accidentally damage a filesystem, even in plain mode. I tried this out now, and indeed that's cool! Thank you for this useful tip, it spares me to study further also the LUKS stuff, as plain is IMHO sufficient for my needs. The main drawback with plain seems to be that one cannot change the password, instead one needs to re-enrcrypt into a new file/device. cu Uenal ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-04 13:30 ` U.Mutlu @ 2015-02-05 11:54 ` Arno Wagner 2015-02-05 13:53 ` U.Mutlu 0 siblings, 1 reply; 24+ messages in thread From: Arno Wagner @ 2015-02-05 11:54 UTC (permalink / raw) To: dm-crypt On Wed, Feb 04, 2015 at 14:30:17 CET, U.Mutlu wrote: > Quentin Lefebvre wrote, On 02/04/2015 02:02 PM: > >Hi, > > > >Le 04/02/2015 13:33, U.Mutlu a écrit : > >>Hi, > >>what happens if an encrypted filesystem (plain, no LUKS) > >>next time is opened accidently with a wrong password, > >>and new data written to it? Will the filesystem then become > >>damaged/unusable? > > > >What typically happens when you use a wrong password is that the > >cryptsetup create/open command is indeed successful, but mounting your > >partition will fail (because the filesystem is not detected). So you > >have few chance to accidentally damage a filesystem, even in plain > > mode. > > I tried this out now, and indeed that's cool! > Thank you for this useful tip, it spares me to study further > also the LUKS stuff, as plain is IMHO sufficient for my needs. > The main drawback with plain seems to be that one cannot change > the password, instead one needs to re-enrcrypt into a new file/device. That, you have only one password, and you do not get some additional protection for weak passwords from salting and iteration. With a good, passphease plain is about as secure as LUKS, namely not breakable. (See FAQ item 5.1 for details of what "good" means.) Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-05 11:54 ` Arno Wagner @ 2015-02-05 13:53 ` U.Mutlu 2015-02-05 14:04 ` U.Mutlu 0 siblings, 1 reply; 24+ messages in thread From: U.Mutlu @ 2015-02-05 13:53 UTC (permalink / raw) To: dm-crypt Arno Wagner wrote, On 02/05/2015 12:54 PM: > On Wed, Feb 04, 2015 at 14:30:17 CET, U.Mutlu wrote: >> Quentin Lefebvre wrote, On 02/04/2015 02:02 PM: >>> Hi, >>> >>> Le 04/02/2015 13:33, U.Mutlu a écrit : >>>> Hi, >>>> what happens if an encrypted filesystem (plain, no LUKS) >>>> next time is opened accidently with a wrong password, >>>> and new data written to it? Will the filesystem then become >>>> damaged/unusable? >>> >>> What typically happens when you use a wrong password is that the >>> cryptsetup create/open command is indeed successful, but mounting your >>> partition will fail (because the filesystem is not detected). So you >>> have few chance to accidentally damage a filesystem, even in plain >>> mode. >> >> I tried this out now, and indeed that's cool! >> Thank you for this useful tip, it spares me to study further >> also the LUKS stuff, as plain is IMHO sufficient for my needs. >> The main drawback with plain seems to be that one cannot change >> the password, instead one needs to re-enrcrypt into a new file/device. > > That, you have only one password, and you do not get some > additional protection for weak passwords from salting and > iteration. With a good, passphease plain is about as secure > as LUKS, namely not breakable. (See FAQ item 5.1 for details > of what "good" means.) > > Arno Yes, and one better should create a password by using a password hasher like the following: $ echo mypassword | hashalot -x -s mysalt sha256 5d9de7f56a469782ff8a6be363418f62d6f93e33c3adb5c216e7e9c2f9947240 and pass the result to the target (of course using something else for "mypassword" and "mysalt"). cu Uenal ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-05 13:53 ` U.Mutlu @ 2015-02-05 14:04 ` U.Mutlu 2015-02-05 23:51 ` Arno Wagner 0 siblings, 1 reply; 24+ messages in thread From: U.Mutlu @ 2015-02-05 14:04 UTC (permalink / raw) To: dm-crypt U.Mutlu wrote, On 02/05/2015 02:53 PM: > Arno Wagner wrote, On 02/05/2015 12:54 PM: >> On Wed, Feb 04, 2015 at 14:30:17 CET, U.Mutlu wrote: >>> Quentin Lefebvre wrote, On 02/04/2015 02:02 PM: >>>> Hi, >>>> >>>> Le 04/02/2015 13:33, U.Mutlu a écrit : >>>>> Hi, >>>>> what happens if an encrypted filesystem (plain, no LUKS) >>>>> next time is opened accidently with a wrong password, >>>>> and new data written to it? Will the filesystem then become >>>>> damaged/unusable? >>>> >>>> What typically happens when you use a wrong password is that the >>>> cryptsetup create/open command is indeed successful, but mounting your >>>> partition will fail (because the filesystem is not detected). So you >>>> have few chance to accidentally damage a filesystem, even in plain >>>> mode. >>> >>> I tried this out now, and indeed that's cool! >>> Thank you for this useful tip, it spares me to study further >>> also the LUKS stuff, as plain is IMHO sufficient for my needs. >>> The main drawback with plain seems to be that one cannot change >>> the password, instead one needs to re-enrcrypt into a new file/device. >> >> That, you have only one password, and you do not get some >> additional protection for weak passwords from salting and >> iteration. With a good, passphease plain is about as secure >> as LUKS, namely not breakable. (See FAQ item 5.1 for details >> of what "good" means.) >> >> Arno > > Yes, and one better should create a password by using a password hasher like > the following: > $ echo mypassword | hashalot -x -s mysalt sha256 > 5d9de7f56a469782ff8a6be363418f62d6f93e33c3adb5c216e7e9c2f9947240 > and pass the result to the target (of course using something else for > "mypassword" and "mysalt"). Oh, I forgot to mention: with such a strong password "plain" is IMHO more secure than "luks" b/c plain offers no attack vectors (ie. metadata headers). cu Uenal ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-05 14:04 ` U.Mutlu @ 2015-02-05 23:51 ` Arno Wagner 2015-02-06 14:01 ` dennis 2015-02-06 14:04 ` U.Mutlu 0 siblings, 2 replies; 24+ messages in thread From: Arno Wagner @ 2015-02-05 23:51 UTC (permalink / raw) To: dm-crypt On Thu, Feb 05, 2015 at 15:04:39 CET, U.Mutlu wrote: > U.Mutlu wrote, On 02/05/2015 02:53 PM: > >Arno Wagner wrote, On 02/05/2015 12:54 PM: > >>On Wed, Feb 04, 2015 at 14:30:17 CET, U.Mutlu wrote: > >>>Quentin Lefebvre wrote, On 02/04/2015 02:02 PM: > >>>>Hi, > >>>> > >>>>Le 04/02/2015 13:33, U.Mutlu a écrit : > >>>>>Hi, > >>>>>what happens if an encrypted filesystem (plain, no LUKS) > >>>>>next time is opened accidently with a wrong password, > >>>>>and new data written to it? Will the filesystem then become > >>>>>damaged/unusable? > >>>> > >>>>What typically happens when you use a wrong password is that the > >>>>cryptsetup create/open command is indeed successful, but mounting your > >>>>partition will fail (because the filesystem is not detected). So you > >>>>have few chance to accidentally damage a filesystem, even in plain > >>>>mode. > >>> > >>>I tried this out now, and indeed that's cool! > >>>Thank you for this useful tip, it spares me to study further > >>>also the LUKS stuff, as plain is IMHO sufficient for my needs. > >>>The main drawback with plain seems to be that one cannot change > >>>the password, instead one needs to re-enrcrypt into a new file/device. > >> > >>That, you have only one password, and you do not get some > >>additional protection for weak passwords from salting and > >>iteration. With a good, passphease plain is about as secure > >>as LUKS, namely not breakable. (See FAQ item 5.1 for details > >>of what "good" means.) > >> > >>Arno > > > >Yes, and one better should create a password by using a password hasher like > >the following: > >$ echo mypassword | hashalot -x -s mysalt sha256 > >5d9de7f56a469782ff8a6be363418f62d6f93e33c3adb5c216e7e9c2f9947240 > >and pass the result to the target (of course using something else for > >"mypassword" and "mysalt"). > > Oh, I forgot to mention: with such a strong password > "plain" is IMHO more secure than "luks" b/c plain offers > no attack vectors (ie. metadata headers). Actually, it is not. I do disagree on the hashalot approach as well. If your passphrase is weak enough that a dictionary attack has a reasonable success of working (and a dictionary attack is the only thing the salt that hashalot adds helps against), then you are pretty deep in insecure territory and _need_ the hash iteration that LUKS provides, but which is missing from both plain and hashalot. Aso, you can simulate a salt directly with plain as follows: Just give your passphrase and append the known salt. That is about as secure as the more complicated approach with hashalot. The other thing is that the LUKS metadata-headers do not make attacks any easier. They do _not_ provide "attack vectors". Salts are per definition not secret. If you make the salt secret, you are doing it wrong. Instead append the secret to the passphrase and add a non-secret salt. The only other thing an attacker gets is the iteration count. That one does not add a lot of protection if unknown (after all, the iteration time is known and likely also the CPU it was done on), but its needed for deriving the key in legitimate unlocks. Please do not spread unsubstantiated rumors. It is hard enough these days for non-experts to decide what crypto to trust and what not. Rumors of the kind "metadata headers offer attack vectors" make this even worse. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-05 23:51 ` Arno Wagner @ 2015-02-06 14:01 ` dennis 2015-02-06 14:19 ` Michael 2015-02-06 18:27 ` Arno Wagner 2015-02-06 14:04 ` U.Mutlu 1 sibling, 2 replies; 24+ messages in thread From: dennis @ 2015-02-06 14:01 UTC (permalink / raw) To: dm-crypt On Fri, Feb 06, 2015 at 12:51:35AM +0100, Arno Wagner wrote: > If your passphrase is weak enough that a dictionary > attack has a reasonable success of working (and a dictionary > attack is the only thing the salt that hashalot adds helps > against), then you are pretty deep in insecure territory and > _need_ the hash iteration that LUKS provides, but which is > missing from both plain and hashalot. > >... > > Please do not spread unsubstantiated rumors. It is hard enough > these days for non-experts to decide what crypto to trust > and what not. Rumors of the kind "metadata headers offer > attack vectors" make this even worse. Count me among the non-experts. I have two questions. (a) Wouldn't metadata headers incur a loss of plausible deniablity compared to plain mode, especially when an encrypted filesystem image is stored as a single file on backup media or in the backing file for a loopback device? (b) Assuming a secure passphrase, wouldn't plain mode be more secure than luks against possible vulnerabilities in the hashing algorithm that may be discovered in the future? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-06 14:01 ` dennis @ 2015-02-06 14:19 ` Michael 2015-02-06 14:47 ` U.Mutlu 2015-02-06 18:27 ` Arno Wagner 1 sibling, 1 reply; 24+ messages in thread From: Michael @ 2015-02-06 14:19 UTC (permalink / raw) To: dm-crypt [-- Attachment #1: Type: text/plain, Size: 1542 bytes --] If you are concerned about the header, you could use Luks with a detached header. This way you have the advantages of Luks and you can store the header separate from the encrypted container. Quoting dennis@basis.uklinux.net: > On Fri, Feb 06, 2015 at 12:51:35AM +0100, Arno Wagner wrote: >> If your passphrase is weak enough that a dictionary >> attack has a reasonable success of working (and a dictionary >> attack is the only thing the salt that hashalot adds helps >> against), then you are pretty deep in insecure territory and >> _need_ the hash iteration that LUKS provides, but which is >> missing from both plain and hashalot. >> >> ... >> >> Please do not spread unsubstantiated rumors. It is hard enough >> these days for non-experts to decide what crypto to trust >> and what not. Rumors of the kind "metadata headers offer >> attack vectors" make this even worse. > > Count me among the non-experts. I have two questions. (a) Wouldn't > metadata headers incur a loss of plausible deniablity compared to > plain mode, especially when an encrypted filesystem image is stored as > a single file on backup media or in the backing file for a loopback > device? (b) Assuming a secure passphrase, wouldn't plain mode be more > secure than luks against possible vulnerabilities in the hashing > algorithm that may be discovered in the future? > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt -- Regards, Michael https://skrilnetz.net [-- Attachment #2: PGP Public Key --] [-- Type: application/pgp-keys, Size: 1718 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-06 14:19 ` Michael @ 2015-02-06 14:47 ` U.Mutlu 0 siblings, 0 replies; 24+ messages in thread From: U.Mutlu @ 2015-02-06 14:47 UTC (permalink / raw) To: dm-crypt Michael wrote, On 02/06/2015 03:19 PM: > If you are concerned about the header, you could use Luks with a detached > header. This way you have the advantages of Luks and you can store the header > separate from the encrypted container. Beware: there are some warnings in the documentation @ https://code.google.com/p/cryptsetup/wiki/Cryptsetup140 " WARNING: There is no possible check that specified ciphertext device matches detached on-disk header. Use with care, it can destroy your data in case of a mistake. WARNING: Storing LUKS header in a file means that anti-forensic splitter cannot properly work (there is filesystem allocation layer between header and disk)." cu Uenal > Quoting dennis@basis.uklinux.net: > >> On Fri, Feb 06, 2015 at 12:51:35AM +0100, Arno Wagner wrote: >>> If your passphrase is weak enough that a dictionary >>> attack has a reasonable success of working (and a dictionary >>> attack is the only thing the salt that hashalot adds helps >>> against), then you are pretty deep in insecure territory and >>> _need_ the hash iteration that LUKS provides, but which is >>> missing from both plain and hashalot. >>> >>> ... >>> >>> Please do not spread unsubstantiated rumors. It is hard enough >>> these days for non-experts to decide what crypto to trust >>> and what not. Rumors of the kind "metadata headers offer >>> attack vectors" make this even worse. >> >> Count me among the non-experts. I have two questions. (a) Wouldn't >> metadata headers incur a loss of plausible deniablity compared to >> plain mode, especially when an encrypted filesystem image is stored as >> a single file on backup media or in the backing file for a loopback >> device? (b) Assuming a secure passphrase, wouldn't plain mode be more >> secure than luks against possible vulnerabilities in the hashing >> algorithm that may be discovered in the future? >> _______________________________________________ ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-06 14:01 ` dennis 2015-02-06 14:19 ` Michael @ 2015-02-06 18:27 ` Arno Wagner 2015-02-07 17:27 ` dennis 1 sibling, 1 reply; 24+ messages in thread From: Arno Wagner @ 2015-02-06 18:27 UTC (permalink / raw) To: dm-crypt On Fri, Feb 06, 2015 at 15:01:40 CET, dennis@basis.uklinux.net wrote: > On Fri, Feb 06, 2015 at 12:51:35AM +0100, Arno Wagner wrote: > > If your passphrase is weak enough that a dictionary > > attack has a reasonable success of working (and a dictionary > > attack is the only thing the salt that hashalot adds helps > > against), then you are pretty deep in insecure territory and > > _need_ the hash iteration that LUKS provides, but which is > > missing from both plain and hashalot. > > > >... > > > > Please do not spread unsubstantiated rumors. It is hard enough > > these days for non-experts to decide what crypto to trust > > and what not. Rumors of the kind "metadata headers offer > > attack vectors" make this even worse. > > Count me among the non-experts. I have two questions. (a) Wouldn't > metadata headers incur a loss of plausible deniablity compared to > plain mode, especially when an encrypted filesystem image is stored as > a single file on backup media or in the backing file for a loopback > device? In theory, yes, in practice no. See FAQ Item 5.18. Plausible deniability is a fantasy that does not hold up in reality. See also http://xkcd.com/538/. This really _is_ accurate. >(b) Assuming a secure passphrase, wouldn't plain mode be more > secure than luks against possible vulnerabilities in the hashing > algorithm that may be discovered in the future? No. First, plain mode also hashes. And second, basically all potential vulnerabilities of modern hash functions (collisions, reversing) do not apply to the use as pasword-hashing functions. You can hash passwords with MD5 and be perfectly secure, while MD5 is fully broken for things like signing. The only problem is a (very slow) convergence towards half the bits in iterated hashing, but PBKDF2 fixes that. Gr"usse, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-06 18:27 ` Arno Wagner @ 2015-02-07 17:27 ` dennis 2015-02-07 18:03 ` Heinz Diehl 2015-02-08 2:59 ` Arno Wagner 0 siblings, 2 replies; 24+ messages in thread From: dennis @ 2015-02-07 17:27 UTC (permalink / raw) To: dm-crypt On Fri, Feb 06, 2015 at 07:27:29PM +0100, Arno Wagner wrote: > >(b) Assuming a secure passphrase, wouldn't plain mode be more > > secure than luks against possible vulnerabilities in the hashing > > algorithm that may be discovered in the future? > > No. First, plain mode also hashes. And second, basically all > potential vulnerabilities of modern hash functions (collisions, > reversing) do not apply to the use as pasword-hashing functions. > You can hash passwords with MD5 and be perfectly secure, while MD5 > is fully broken for things like signing. Thank you for answering my questions. I take your point about plausible deniability, but your remarks about hashing have raised further questions for me. I had been given to understand that passphrase hashing makes a dictionary attack more costly or time consuming by forcing the attacker to evaluate the hash function for each passphrase attempted, and I have just checked the FAQ for confirmation. It would seem to follow that a hash algorithm sufficiently prone to collisions would diminish security by not taking full advantage of the available key space, possibly to the point of making a well informed search of the key space more practical than a dictionary attack. In the degenerate case of a totally stupid hash algorithm that hashes every passphrase to exactly the same key, the attacker need only try that particular key and not even evaluate the hash function. In a less extreme case where the algorithm maps low entropy passphrases to some keys with higher probability than others, some of the attacker's work is done for him if he starts with the more probable keys. My conclusion would have been that if the passphrase is initially at least as secure as a random key, then hashing can never increase security but may decrease it. If this is a misconception, can you please correct it? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-07 17:27 ` dennis @ 2015-02-07 18:03 ` Heinz Diehl 2015-02-07 23:16 ` Matthias Schniedermeyer 2015-02-08 3:07 ` Arno Wagner 2015-02-08 2:59 ` Arno Wagner 1 sibling, 2 replies; 24+ messages in thread From: Heinz Diehl @ 2015-02-07 18:03 UTC (permalink / raw) To: dm-crypt On 07.02.2015, dennis@basis.uklinux.net wrote: > My conclusion would have been that if the passphrase is > initially at least as secure as a random key, then hashing can never > increase security but may decrease it. You need something to compare the passphrase to, and that's the hash. How would you check the validity of the entered passphrase otherwise? A plain text comparison is obviously impossible. An example which at least partially covers the same item is password storing by netshops, e.g. those who send you the plaintext passphrase when providing your email after hitting "Forgotten password". A breach into this password database reveals all passwords in clear text. Therefore, passwords usually are stored as their hash, and the clear text is deleted right after the hashing. That are those netshops which will provide a reset link to you after hitting the "Forgotten password" button, because they only have the hash, which can't be re-translated into the clear text passphrase. It's not only a problem of "security", but feasibility. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-07 18:03 ` Heinz Diehl @ 2015-02-07 23:16 ` Matthias Schniedermeyer 2015-02-08 8:19 ` Heinz Diehl 2015-02-08 3:07 ` Arno Wagner 1 sibling, 1 reply; 24+ messages in thread From: Matthias Schniedermeyer @ 2015-02-07 23:16 UTC (permalink / raw) To: Heinz Diehl; +Cc: dm-crypt On 07.02.2015 19:03, Heinz Diehl wrote: > On 07.02.2015, dennis@basis.uklinux.net wrote: > > > My conclusion would have been that if the passphrase is > > initially at least as secure as a random key, then hashing can never > > increase security but may decrease it. > > You need something to compare the passphrase to, and that's the hash. > How would you check the validity of the entered passphrase otherwise? > A plain text comparison is obviously impossible. No. With Plain the password can't be verified, the dm-crypt device is setup and if the password was wrong, the "decrypted" device contains garbage. Containers usually have a means to test if the password is correct, plain does not. > An example which at least partially covers the same item is password storing by > netshops, e.g. those who send you the plaintext passphrase when providing your > email after hitting "Forgotten password". A breach into this password database > reveals all passwords in clear text. Therefore, passwords usually are stored as > their hash, and the clear text is deleted right after the hashing. That are > those netshops which will provide a reset link to you after hitting the > "Forgotten password" button, because they only have the hash, which can't be > re-translated into the clear text passphrase. Which is a totally different thing. Here the you tell the gatekeeper your secret password and the gatekeeper will let you through if you satiesfy the rules of the day. The rule usually is "I will let you through, if the hash of the password you provided me is the same one as the one i have on file". But the rules can be pretty much anything, up to "Anybody with any password" if the programmer had a bad day. IOW. The password itself doesn't protect anything, it's the (hopefully) debugged gatekeeper that does the protecting. So if you break the gatekeeper, you can circumvent the password without knowing it. Actually encrypting the data of the user with the password of the user, so you actually needed to password is "uncommon" AFAIK. Whereas in encryption the password itself (with or without hashing and/or decrypting the actual key) is directly used and can't be circumvented to get access to the data. It's somewhat like the PALs with an encrypted firing sequence, the PAL code itself is used in the firing sequence to correctly shape the nuclear material. With a wrong code the weapon will just mis-detonated and not reach criticallity and will hopefully be unusable afterwards. http://en.wikipedia.org/wiki/Permissive_Action_Link Before the encrypted firing sequence you could "just" remove the PAL and use your own detonation mechanism, as the code itself was nothing more like comparing the code to a stored hash and the gatekeeper was the thing that actually pressed the big red button. With an encrypted firing sequence that doesn't work, as you still need the parameters for the correct firing sequence, which hopefully can't be easily reverse engineered. -- Matthias ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-07 23:16 ` Matthias Schniedermeyer @ 2015-02-08 8:19 ` Heinz Diehl 2015-02-08 9:23 ` Arno Wagner 0 siblings, 1 reply; 24+ messages in thread From: Heinz Diehl @ 2015-02-08 8:19 UTC (permalink / raw) To: dm-crypt On 08.02.2015, Matthias Schniedermeyer wrote: > > You need something to compare the passphrase to, and that's the hash. > > How would you check the validity of the entered passphrase otherwise? > > A plain text comparison is obviously impossible. > With Plain the password can't be verified, the dm-crypt device is setup > and if the password was wrong, the "decrypted" device contains garbage. > Containers usually have a means to test if the password is correct, > plain does not. I tried to keep it simple in my example. Although you're (of course) right, I didn't write about "plain encryption" or "plain dmcrypt", but plain text comparison, in order to explain why there is the need for e.g. a hash. As you point out, with plain dmcrypt the only possibility is actually using the password and checking if the "decrypted" data based on it makes any sense. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-08 8:19 ` Heinz Diehl @ 2015-02-08 9:23 ` Arno Wagner 2015-02-08 9:55 ` Milan Broz 0 siblings, 1 reply; 24+ messages in thread From: Arno Wagner @ 2015-02-08 9:23 UTC (permalink / raw) To: dm-crypt On Sun, Feb 08, 2015 at 09:19:54 CET, Heinz Diehl wrote: > On 08.02.2015, Matthias Schniedermeyer wrote: > > > > You need something to compare the passphrase to, and that's the hash. > > > How would you check the validity of the entered passphrase otherwise? > > > A plain text comparison is obviously impossible. > > > With Plain the password can't be verified, the dm-crypt device is setup > > and if the password was wrong, the "decrypted" device contains garbage. > > Containers usually have a means to test if the password is correct, > > plain does not. > > I tried to keep it simple in my example. Although you're (of course) right, I > didn't write about "plain encryption" or "plain dmcrypt", but plain text > comparison, in order to explain why there is the need for e.g. a hash. > As you point out, with plain dmcrypt the only possibility is actually > using the password and checking if the "decrypted" data based on it > makes any sense. Form a purely practical perspective, the difference usually negligible. Wile plain dm-crypt mounting fails at the mount-stage due to wrong filesystem signatures, LUKS mounting fails at the decrypt stage. From an attacker's perspecive, the difference is also small, except that all the iteration in LUKS adds a massive amount of computational effort. The data in the LUKS header does not help the attacker at all. It does take a look at the details (as so often in crypto protocols) to see that though. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-08 9:23 ` Arno Wagner @ 2015-02-08 9:55 ` Milan Broz 2015-02-08 10:09 ` U.Mutlu 2015-02-09 3:13 ` Arno Wagner 0 siblings, 2 replies; 24+ messages in thread From: Milan Broz @ 2015-02-08 9:55 UTC (permalink / raw) To: dm-crypt On 02/08/2015 10:23 AM, Arno Wagner wrote: > On Sun, Feb 08, 2015 at 09:19:54 CET, Heinz Diehl wrote: > Form a purely practical perspective, the difference usually negligible. > Wile plain dm-crypt mounting fails at the mount-stage due to wrong > filesystem signatures, LUKS mounting fails at the decrypt stage. Beware, there are some combinations of the encryption mode + IV which decrypts the first block correctly in both cases, so fs returns correct signature but fs is obviously corrupted... if you are not lucky, fsck will run and breaks the fs irrecoverably... This cannot happen with LUKS. See here that the ext3 device created with ESSIV still have visible signature with plain IV: # echo "password" | cryptsetup create -c aes-cbc-essiv:sha256 -s 256 x /dev/sdb # mkfs -t ext3 -q /dev/mapper/x # blkid -p /dev/mapper/x /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem" ... use fs # cryptsetup close x And now thy mistake with plain IV: # echo "password" | cryptsetup create -c aes-cbc-plain -s 256 x /dev/sdb # blkid -p /dev/mapper/x /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem" # mount /dev/mapper/x /mnt/tst mount: wrong fs type, bad option, bad superblock on /dev/mapper/x, missing codepage or helper program, or other error ... DO NOT use plain mode if you are not sure what you are doing. Really. There is a detached LUKS header which is better, the issues I mentioned in man about detached header page are side problems, nothing serious for most users. (But obviously depends on your threat model.) Milan ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-08 9:55 ` Milan Broz @ 2015-02-08 10:09 ` U.Mutlu 2015-02-08 10:33 ` Milan Broz 2015-02-09 3:13 ` Arno Wagner 1 sibling, 1 reply; 24+ messages in thread From: U.Mutlu @ 2015-02-08 10:09 UTC (permalink / raw) To: dm-crypt Milan Broz wrote, On 02/08/2015 10:55 AM: > On 02/08/2015 10:23 AM, Arno Wagner wrote: >> On Sun, Feb 08, 2015 at 09:19:54 CET, Heinz Diehl wrote: > >> Form a purely practical perspective, the difference usually negligible. >> Wile plain dm-crypt mounting fails at the mount-stage due to wrong >> filesystem signatures, LUKS mounting fails at the decrypt stage. > > Beware, there are some combinations of the encryption mode + IV which decrypts > the first block correctly in both cases, so fs returns correct signature > but fs is obviously corrupted... if you are not lucky, fsck will run > and breaks the fs irrecoverably... > > This cannot happen with LUKS. > > See here that the ext3 device created with ESSIV still have visible signature > with plain IV: > > # echo "password" | cryptsetup create -c aes-cbc-essiv:sha256 -s 256 x /dev/sdb > # mkfs -t ext3 -q /dev/mapper/x > # blkid -p /dev/mapper/x > /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem" > > ... use fs > # cryptsetup close x > > And now thy mistake with plain IV: > > # echo "password" | cryptsetup create -c aes-cbc-plain -s 256 x /dev/sdb > # blkid -p /dev/mapper/x > /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem" > > # mount /dev/mapper/x /mnt/tst > mount: wrong fs type, bad option, bad superblock on /dev/mapper/x, > missing codepage or helper program, or other error > ... > > DO NOT use plain mode if you are not sure what you are doing. Really. > > There is a detached LUKS header which is better, the issues I mentioned in man > about detached header page are side problems, nothing serious for most users. > (But obviously depends on your threat model.) > > Milan But isn't it just saying that the mount cannot be done because something is wrong, ie. wrong/incomplete cipher param was given? What happens if you repeat the whole with the correct params? And, should one not use "/dev/sdb1" etc. instead of "/dev/sdb"? -- cu Uenal ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-08 10:09 ` U.Mutlu @ 2015-02-08 10:33 ` Milan Broz 0 siblings, 0 replies; 24+ messages in thread From: Milan Broz @ 2015-02-08 10:33 UTC (permalink / raw) To: U.Mutlu, dm-crypt On 02/08/2015 11:09 AM, U.Mutlu wrote: >> And now thy mistake with plain IV: >> >> # echo "password" | cryptsetup create -c aes-cbc-plain -s 256 x /dev/sdb >> # blkid -p /dev/mapper/x >> /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem" >> >> # mount /dev/mapper/x /mnt/tst >> mount: wrong fs type, bad option, bad superblock on /dev/mapper/x, >> missing codepage or helper program, or other error >> ... >> >> DO NOT use plain mode if you are not sure what you are doing. Really. > But isn't it just saying that the mount cannot be done > because something is wrong, ie. wrong/incomplete cipher param was given? For this particular case, yes. But no idea what happen if you try to run fsck or other tool. > What happens if you repeat the whole with the correct params? Depends if there were write IO to that wrongly mapped device and what these writes destroyed. The whole point of this exercise is to note that you must use and remember correct parameters if using plain mode, not only password. > And, should one not use "/dev/sdb1" etc. instead of "/dev/sdb"? No. Partition table is optional and it is not used on this disk. Milan ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-08 9:55 ` Milan Broz 2015-02-08 10:09 ` U.Mutlu @ 2015-02-09 3:13 ` Arno Wagner 1 sibling, 0 replies; 24+ messages in thread From: Arno Wagner @ 2015-02-09 3:13 UTC (permalink / raw) To: dm-crypt On Sun, Feb 08, 2015 at 10:55:35 CET, Milan Broz wrote: > On 02/08/2015 10:23 AM, Arno Wagner wrote: > > On Sun, Feb 08, 2015 at 09:19:54 CET, Heinz Diehl wrote: > > > Form a purely practical perspective, the difference usually negligible. > > Wile plain dm-crypt mounting fails at the mount-stage due to wrong > > filesystem signatures, LUKS mounting fails at the decrypt stage. > > Beware, there are some combinations of the encryption mode + IV which decrypts > the first block correctly in both cases, so fs returns correct signature > but fs is obviously corrupted... if you are not lucky, fsck will run > and breaks the fs irrecoverably... Indeed. My comments only apply to wrong key, they do _not_ apply to wrong other parameters! > This cannot happen with LUKS. > > See here that the ext3 device created with ESSIV still have visible signature > with plain IV: > > # echo "password" | cryptsetup create -c aes-cbc-essiv:sha256 -s 256 x /dev/sdb > # mkfs -t ext3 -q /dev/mapper/x > # blkid -p /dev/mapper/x > /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem" > > ... use fs > # cryptsetup close x > > And now thy mistake with plain IV: > > # echo "password" | cryptsetup create -c aes-cbc-plain -s 256 x /dev/sdb > # blkid -p /dev/mapper/x > /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem" > > # mount /dev/mapper/x /mnt/tst > mount: wrong fs type, bad option, bad superblock on /dev/mapper/x, > missing codepage or helper program, or other error > ... > > DO NOT use plain mode if you are not sure what you are doing. Really. I second that! Arno > There is a detached LUKS header which is better, the issues I mentioned in > man about detached header page are side problems, nothing serious for most > users. (But obviously depends on your threat model.) > > Milan > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-07 18:03 ` Heinz Diehl 2015-02-07 23:16 ` Matthias Schniedermeyer @ 2015-02-08 3:07 ` Arno Wagner 1 sibling, 0 replies; 24+ messages in thread From: Arno Wagner @ 2015-02-08 3:07 UTC (permalink / raw) To: dm-crypt On Sat, Feb 07, 2015 at 19:03:56 CET, Heinz Diehl wrote: > On 07.02.2015, dennis@basis.uklinux.net wrote: > > > My conclusion would have been that if the passphrase is > > initially at least as secure as a random key, then hashing can never > > increase security but may decrease it. > > You need something to compare the passphrase to, and that's the hash. > How would you check the validity of the entered passphrase otherwise? > A plain text comparison is obviously impossible. Note that "compare" here may also mean things like "decrypt something with it and see whether that has some expected checksum" and even more complex ways of "comparing". The base case of storing a password in hashed form, as for example, the unix /etc/passwd file is only one form of doing it, namely the form necessary when doing authentication. Authetication delivers 1 bit as result, a 1 for "yes, this is the guy he claime to be" and a 0 for the other case. LUKS for example does not do authentication, but key protection. That is different. Its result is a key used for encryption and hence the result is, for example, 128 bit or 256 bit. Hence LUKS does not store any hashed passwords. Instead it tries to reconstruct the master key from the anti-forensic stripes and then checks whether this really is the master-key, again in a way indirect enough that the stored information that in the end is compared against does not help to find the master key. Gr"usse, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-07 17:27 ` dennis 2015-02-07 18:03 ` Heinz Diehl @ 2015-02-08 2:59 ` Arno Wagner 1 sibling, 0 replies; 24+ messages in thread From: Arno Wagner @ 2015-02-08 2:59 UTC (permalink / raw) To: dm-crypt On Sat, Feb 07, 2015 at 18:27:48 CET, dennis@basis.uklinux.net wrote: > On Fri, Feb 06, 2015 at 07:27:29PM +0100, Arno Wagner wrote: > > >(b) Assuming a secure passphrase, wouldn't plain mode be more > > > secure than luks against possible vulnerabilities in the hashing > > > algorithm that may be discovered in the future? > > > > No. First, plain mode also hashes. And second, basically all > > potential vulnerabilities of modern hash functions (collisions, > > reversing) do not apply to the use as pasword-hashing functions. > > You can hash passwords with MD5 and be perfectly secure, while MD5 > > is fully broken for things like signing. > > Thank you for answering my questions. I take your point about > plausible deniability, but your remarks about hashing have raised > further questions for me. I had been given to understand that > passphrase hashing makes a dictionary attack more costly or time > consuming by forcing the attacker to evaluate the hash function for > each passphrase attempted, and I have just checked the FAQ for > confirmation. That is not what the hashing of the plain-text password is for. You are confusing several things here: 1. Password hashing from ASCII string to binary key 2. Salting 3. Iterated hashing The 1. step sinply serves to transform the entropy of your password/passphrase into something that can be fed as key to a cipher. The cipher takes 128 bit or 256 bit of key material, ideally with about 128 bit or 256 bit of entropy. Your passphrase, on the other hand, may be, say 10...50 ascii characters, but on a bit-level ASCII has low entropy. If it is, for example, an anglish sentence, you get only about 0.2...0.3 bit/bit of entropy in it. And if you just cut it down to, say, 128 bit, you end up with a 26 bit key for the cipher, which is trivially broken. Hashing with a crypto hash is the solution. The initial hash compresses the passphrase into a concentrated form that is all binary and has the same entropy as the input up to the maximum possible. You lose a tiny bit (0.00...001 bits or so) due to hash collisions, but they are so rare as not to matter. If your passphrase is shorter, the hash still makes you an all binary key with the entropy nicely dirtributed over all bits. Ok, so what is salting for? Salting meians instead of hash(password) you do hash(pasword+salt) with the salt random, non-secret and appended to the password. This servers to defeat dictionary attacks. A dictionary attack takes a large table of potentiall hasswords, and stores all hashes of these in a table sorted by the hash valye. This means given a hash, you can retrieve the password (if it was in the initial table size) in O(log(tablesize)) time by binary search. That is exceptionally fast and can be done en-masse. The only potential problem is the table size. So what salting does is that for each potential salt valyue, you need a separate table. That makes pre- computing the table and re-using the table for several attacks infeasible, and you are down to directly trying all hash(password+salt) for the known salt. Note that for attacking a single password, these tables (called "rainbow tables) do not help you. In fact, making a rainbow table iis more effort than the direct attack (called "brute force"), as you need to sort and store the table. But if you were to attack, say, 250 Million or 8 Billion passwords, then rainbow tables make this possible while individual attacks would be infeasible or exeptionally expensive. And then we have the hash iteration. The has iteration served to drive the cost of each individual password try up. So for brute force, you try a lot of hash(password). If you hash is, say, a single sha256, each step takes, say 2us. That means you can try something like 500'000 passwords per sesond on a typical PC on each CPU core. What iteration does is to use hash(hash(.....hash(password)...)) instead, with LUKS so that it takes 1 second of iteration on container creation. Suddenly, each attack try takes 1 second on said srtandard PC CPU and the attacker can try 1 password per second. Here you has a small entopy loss in each iteration, dure to collisions. Modern hash functions have very few collisions, so for iteration couns of a few million these do not matter at all, but just to be safe, iteration is not done directly, but via PBKDF2, that incorporates salting and hashing in such a way that the entropy loss is prevented. Of course, there is still the problem that specialized hardware and garphics cards can hash faster. This is currently in the process of being solved by the "Password Hashing Competition" https://password-hashing.net/ The result will likely be a memory-hard password hashing function, that iterates in such a way that it needs a specific amount of memory (e.g. 1GB would be a sensible value on a PC) in order to have normal speed and will suffer exponential speed-down if less memory is available. Graphisc cards usually only have 32...64k of fast memory per "CPU" in there and will not be faster for these functions. FPGAS and other ASICS suffer the same problem: you cannot put a lot of memory in them. > It would seem to follow that a hash algorithm > sufficiently prone to collisions would diminish security by not taking > full advantage of the available key space, possibly to the point of > making a well informed search of the key space more practical than a > dictionary attack. Indeed. That is why a crypto-hash is used. They are not probe to collisions at all, as that is one of their central design criteria. Even broken algorithms like MD5 do not have excessive collisions, but they have some that are (relatively) easy to find. The worst for MD5 are that you can cleverly manipulate the plain-text in order to get a different one with the same hash-value. This allows you to change an X.509 certificate. Note that this is not easy to do and only some changes are possible, but in some cases you can, for example, turn an ordinary certificate into a CA certificate: http://www.wired.com/2008/12/berlin/ Note that this requires you to have the plain-text that was hashed and hence does not impact password hashing at all. > In the degenerate case of a totally stupid hash > algorithm that hashes every passphrase to exactly the same key, the > attacker need only try that particular key and not even evaluate the > hash function. In a less extreme case where the algorithm maps low > entropy passphrases to some keys with higher probability than others, > some of the attacker's work is done for him if he starts with the more > probable keys. My conclusion would have been that if the passphrase is > initially at least as secure as a random key, then hashing can never > increase security but may decrease it. If this is a misconception, can > you please correct it? Indeed. You are thinking of hash functions, but not hash functions as used in crypto. For convenience, the term "crypto" is dropped from "crypto-hash" when discussing cryptographic applications. This is admittedly a constant source of confusion for newcomers until somebody explains it to them. When discussing anything crypto, you say "hash-function" for cryoptographic hash functions and you say "conventional hash function" when you mean non-cryptographic ones. For a conventional hash function, such as used in hash-tables, collisions are a nuisance, but unavoidable in most cases. Hence you try to avoid them, but not very hard. Although modern variants like SIP-hash or SpookyHash are pretty good at it. Cryptograohic hash functions, on the other hand, critically need high collision resistance (i.e. rare and hard to find collisions even if somebody actively searches for them) and hence are entirely different birds. They basically do the same as normal hashes, but with some very strict additional requirements, among them collisions resistance, hard to invert, etc. Now, why not just use only crypto-hashes, also in hash-tables? Simple: Crypoto hashes would work well in that application, but they are much slower than conventional hashes and much more complex to implement. Hence they are used only in special cases for hash-tables. I hope this clears things up a bit. Gr"usse, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-05 23:51 ` Arno Wagner 2015-02-06 14:01 ` dennis @ 2015-02-06 14:04 ` U.Mutlu 2015-02-06 18:20 ` Arno Wagner 1 sibling, 1 reply; 24+ messages in thread From: U.Mutlu @ 2015-02-06 14:04 UTC (permalink / raw) To: dm-crypt Arno Wagner wrote, On 02/06/2015 12:51 AM: > On Thu, Feb 05, 2015 at 15:04:39 CET, U.Mutlu wrote: >> U.Mutlu wrote, On 02/05/2015 02:53 PM: >>> Arno Wagner wrote, On 02/05/2015 12:54 PM: >>>> On Wed, Feb 04, 2015 at 14:30:17 CET, U.Mutlu wrote: >>>>> Quentin Lefebvre wrote, On 02/04/2015 02:02 PM: >>>>>> Hi, >>>>>> >>>>>> Le 04/02/2015 13:33, U.Mutlu a écrit : >>>>>>> Hi, >>>>>>> what happens if an encrypted filesystem (plain, no LUKS) >>>>>>> next time is opened accidently with a wrong password, >>>>>>> and new data written to it? Will the filesystem then become >>>>>>> damaged/unusable? >>>>>> >>>>>> What typically happens when you use a wrong password is that the >>>>>> cryptsetup create/open command is indeed successful, but mounting your >>>>>> partition will fail (because the filesystem is not detected). So you >>>>>> have few chance to accidentally damage a filesystem, even in plain >>>>>> mode. >>>>> >>>>> I tried this out now, and indeed that's cool! >>>>> Thank you for this useful tip, it spares me to study further >>>>> also the LUKS stuff, as plain is IMHO sufficient for my needs. >>>>> The main drawback with plain seems to be that one cannot change >>>>> the password, instead one needs to re-enrcrypt into a new file/device. >>>> >>>> That, you have only one password, and you do not get some >>>> additional protection for weak passwords from salting and >>>> iteration. With a good, passphease plain is about as secure >>>> as LUKS, namely not breakable. (See FAQ item 5.1 for details >>>> of what "good" means.) >>>> >>>> Arno >>> >>> Yes, and one better should create a password by using a password hasher like >>> the following: >>> $ echo mypassword | hashalot -x -s mysalt sha256 >>> 5d9de7f56a469782ff8a6be363418f62d6f93e33c3adb5c216e7e9c2f9947240 >>> and pass the result to the target (of course using something else for >>> "mypassword" and "mysalt"). >> >> Oh, I forgot to mention: with such a strong password >> "plain" is IMHO more secure than "luks" b/c plain offers >> no attack vectors (ie. metadata headers). > > Actually, it is not. I do disagree on the hashalot approach > as well. If your passphrase is weak enough that a dictionary > attack has a reasonable success of working (and a dictionary > attack is the only thing the salt that hashalot adds helps > against), then you are pretty deep in insecure territory and > _need_ the hash iteration that LUKS provides, but which is > missing from both plain and hashalot. > > Aso, you can simulate a salt directly with plain as follows: > Just give your passphrase and append the known salt. That is > about as secure as the more complicated approach with hashalot. > > The other thing is that the LUKS metadata-headers do not make > attacks any easier. They do _not_ provide "attack vectors". > Salts are per definition not secret. If you make the salt > secret, you are doing it wrong. Instead append the secret to > the passphrase and add a non-secret salt. The only other thing > an attacker gets is the iteration count. That one does not > add a lot of protection if unknown (after all, the iteration > time is known and likely also the CPU it was done on), but > its needed for deriving the key in legitimate unlocks. > > Please do not spread unsubstantiated rumors. It is hard enough > these days for non-experts to decide what crypto to trust > and what not. Rumors of the kind "metadata headers offer > attack vectors" make this even worse. > > Arno IMO that's a question of logic: A security system which stores the password in its header (ie. LUKS) cannot be secure against another system ("plain") that does nowhere store the password. In the case of LUKS the attacker knows more about the system than in the case of "plain". Ergo "plain" is more secure than LUKS. LUKS uses a static master key (as does plain). The slot passwords are for authenticating the access to the filesystem by the management tool (cryptsetup) only. Ie. the slot passwords have nothing to do with the encryption. cu Uenal ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dm-crypt] plain: opening with a wrong password 2015-02-06 14:04 ` U.Mutlu @ 2015-02-06 18:20 ` Arno Wagner 0 siblings, 0 replies; 24+ messages in thread From: Arno Wagner @ 2015-02-06 18:20 UTC (permalink / raw) To: dm-crypt On Fri, Feb 06, 2015 at 15:04:25 CET, U.Mutlu wrote: [...] > IMO that's a question of logic: > A security system which stores the password in its header (ie. LUKS) > cannot be secure against another system ("plain") that does nowhere > store the password. That is an argument from information-theoretical security. In this realm, plain _does_ store the key with the encrypted data, unless that has no structure at all. Information-theoretical analysis is nice theoretically, but basically irrelevant for the real world. This argument is also presented in any good course on introduction to cryptography. > In the case of LUKS the attacker knows more about the system > than in the case of "plain". Ergo "plain" is more secure than LUKS. Sorry, but wrong, see above. > LUKS uses a static master key (as does plain). The slot passwords > are for authenticating the access to the filesystem by the > management tool (cryptsetup) only. Ie. the slot passwords have > nothing to do with the encryption. Seriously? Have you even looked at the spec or at the definition of terms like "authentication"? Plese stop discussion things you clearly do not understand. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2015-02-09 3:13 UTC | newest] Thread overview: 24+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-02-04 12:33 [dm-crypt] plain: opening with a wrong password U.Mutlu 2015-02-04 13:02 ` Quentin Lefebvre 2015-02-04 13:30 ` U.Mutlu 2015-02-05 11:54 ` Arno Wagner 2015-02-05 13:53 ` U.Mutlu 2015-02-05 14:04 ` U.Mutlu 2015-02-05 23:51 ` Arno Wagner 2015-02-06 14:01 ` dennis 2015-02-06 14:19 ` Michael 2015-02-06 14:47 ` U.Mutlu 2015-02-06 18:27 ` Arno Wagner 2015-02-07 17:27 ` dennis 2015-02-07 18:03 ` Heinz Diehl 2015-02-07 23:16 ` Matthias Schniedermeyer 2015-02-08 8:19 ` Heinz Diehl 2015-02-08 9:23 ` Arno Wagner 2015-02-08 9:55 ` Milan Broz 2015-02-08 10:09 ` U.Mutlu 2015-02-08 10:33 ` Milan Broz 2015-02-09 3:13 ` Arno Wagner 2015-02-08 3:07 ` Arno Wagner 2015-02-08 2:59 ` Arno Wagner 2015-02-06 14:04 ` U.Mutlu 2015-02-06 18:20 ` Arno Wagner
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.