Re: [dm-crypt] different default key sizes for CREATE and LUKSFORMAT

[Milan Broz <mbroz@redhat.com>]

On 11/18/2009 11:25 AM, Arno Wagner wrote:
> I am not sure this really is a security issue. It may confuse users,
> but they will still be secure. Most probably use defaults anyways.

Or distro installation defaults.. e.g. Fedora12 installer switched
to AES in XTS mode (with 512bit - so it uses AES-256)...

> But if we change this, I propose to make aes-cbc-essiv:sha256
> the default for plain dm-crypt and to increase LUKS key length 
> to 256 bits as well. The performance loss is apparently very 
> small (10% or so).

I thought about default change for LUKS in cryptsetup 1.1.0, but...

For default LUKS cipher:

I agree with switching default to 256bits for LUKS)
(aes-cbc-essiv:sha256 is already default), just some ideas

- some discussions about recent theoretic attacks against AES-256
(related key), maybe some people want use AES-128...

- for recent kernel, XTS mode is more appropriate, but it cause
backward incompatibility (XTS is not available in old kernels)
(IOW default to aes-xts-plain ?)

(Ignoring the 32-only plain IV problem here, because XTS suggested use
is for volumes <1TB. I have already patch for plain64 dm-crypt IV btw,
just it got lost in Alasdair's upstream patch queue.)

For default LUKS header hash:

- default is SHA1

switching to another (probably SHA-256?) means complete incompatibility
with all cryptsetup <1.1.x, this need some time when all most distros
use new cryptsetup.
No need to hurry, there is no problem with SHA1 in this application
of hash function.

For plain cipher mode:

I am not sure if it is good idea to change default, if anyone using
default in crypttab, it cause serious incompatibility with possible data loss.
But I agree that aes-cbc-essiv:sha256 is better default here.

Can distro maintainers think about this? There is not problem
for encryption of swap using random key.
Maybe it will need some warning during upgrade if there is such plain
volume in crypttab.

Please correct me if I am wrong:-)

So, if there are no objections, I'll change default key size for LUKS to 256bits
in final cryptsetup 1.1.0 release. The plain default is still open question.

Milan
--
mbroz@redhat.com