From: Milan Broz
Date: Tue, 22 Sep 2009 18:21:50 +0200
Subject: Re: [dm-crypt] Question on LUKS master key digest and its effect on security
To: dm-crypt@saout.de
Message-ID: <4AB8F99E.4080307@redhat.com>
In-Reply-To: <20090922161449.GA11479@fancy-poultry.org>

Heinz Diehl wrote:
> On 22.09.2009, Tero Pesonen wrote:
>
> As far as I understand the source, MK iterations is the iterations used to
> derive the master key via PBKDF2 (mkDigestIterations), and what you can specify by using
> "--iter-time" is the iterations used to transform a passphrase into a key
> for one of the keyslots (passwordIterations), used to unlock the master key.

--iter-time applies to PBKDF2 in keyslot calculation, NOT to MK digest
verification; there the iteration count is fixed.

See PBKDF2 use in LUKS_verify_master_key() vs LUKS_set_key().

Milan
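
The two iteration counts discussed in this message live in different LUKS1 header fields, which the following added example (not part of the message and not cryptsetup code) reads back and uses to recompute the master key digest. The field layout follows the LUKS1 on-disk format specification; the function names, the sample header and all values in it (including the counts 10, 150000 and 90000) are constructed for illustration.

```python
import hashlib, hmac, os, struct

# LUKS1 partition header layout (big-endian), from the LUKS1 on-disk format spec.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # ..., mkDigest, mkDigestSalt, mkDigestIterations, uuid
SLOT = struct.Struct(">II32sII")  # active, passwordIterations, salt, keyMaterialOffset, stripes
LUKS_MAGIC, SLOT_ENABLED, SLOT_DISABLED = b"LUKS\xba\xbe", 0x00AC71F3, 0x0000DEAD

def parse_header(raw):
    """Return the MK-digest parameters and the per-keyslot iteration counts."""
    (magic, version, _c, _m, hash_spec, _off, key_bytes,
     mk_digest, mk_salt, mk_iter, _uuid) = PHDR.unpack_from(raw, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, _salt, _kmo, _stripes = SLOT.unpack_from(raw, PHDR.size + i * SLOT.size)
        if active == SLOT_ENABLED:
            slots.append((i, iters))  # passwordIterations, stored per keyslot
    return {"hash": hash_spec.rstrip(b"\0").decode(), "key_bytes": key_bytes,
            "mk_digest": mk_digest, "mk_salt": mk_salt, "mk_iter": mk_iter, "slots": slots}

def verify_master_key(hdr, candidate):
    """Recompute the MK digest with mkDigestIterations and compare in constant time."""
    d = hashlib.pbkdf2_hmac(hdr["hash"], candidate, hdr["mk_salt"], hdr["mk_iter"], 20)
    return hmac.compare_digest(d, hdr["mk_digest"])

def build_sample_header(mk, mk_iter, slot_iters):
    """Constructed test header; every value here is sample data, not from a real volume."""
    salt = os.urandom(32)
    digest = hashlib.pbkdf2_hmac("sha1", mk, salt, mk_iter, 20)
    raw = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                    4096, len(mk), digest, salt, mk_iter, b"constructed-sample-uuid")
    for i in range(8):
        n = slot_iters.get(i, 0)
        raw += SLOT.pack(SLOT_ENABLED if n else SLOT_DISABLED, n, os.urandom(32), 8 + i * 256, 4000)
    return raw

if __name__ == "__main__":
    mk = os.urandom(32)
    hdr = parse_header(build_sample_header(mk, 10, {0: 150000, 3: 90000}))
    print("mkDigestIterations:", hdr["mk_iter"])
    for idx, iters in hdr["slots"]:
        print(f"keyslot {idx} passwordIterations: {iters}")
    print("master key verifies:", verify_master_key(hdr, mk))
```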