[dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[Ingo Franzki]

Hi,

is there a way to get the PBKDF settings (struct crypt_pbkdf_type) of an existing key slot in a LUKS2 volume via the libcryptsetup API? 

This question is related to the default PBKDF algorithm Argon2i for LUKS2 and the out-of-memory errors that you might get when you unlock multiple LUKS2 volumes during system startup via /etc/crypttab.

One of my application uses crypt_keyslot_add_by_key() to add a new unbound key slot. Unfortunately this new key slot gets the default PBKDF settings, thus it gets Argon2i. I guess if I would use crypt_set_pbkdf_type() before to set PBKDF2, then the new key slot would get PBKDF2 instead of Argon2i. However, I don't want to hard code PBKDF2 here, but I would like to use the PBKDF settings of the key slot that was unlocked before. So I would need a way to get the PBKDF settings of a key slot and then use crypt_set_pbkdf_type() with those settings before calling crypt_keyslot_add_by_key(). That way the new key slot would get the same PBKDF settings as the current one.

Using crypt_get_pbkdf_type() seems to return the default PBKDF algorithm, thus Argon2i for LUKS2. 

Kind regards,
Ingo

-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH / Vorsitzender des Aufsichtsrats: Matthias Hartmann
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[Milan Broz]

Hi Ingo,

On 31/01/2019 11:14, Ingo Franzki wrote:
> Hi,
> 
> is there a way to get the PBKDF settings (struct crypt_pbkdf_type) of an existing key slot in a LUKS2 volume via the libcryptsetup API? 

Not yet, but see below.

> 
> This question is related to the default PBKDF algorithm Argon2i for LUKS2 and the out-of-memory errors that you might get when you unlock multiple LUKS2 volumes during system startup via /etc/crypttab.
> 
> One of my application uses crypt_keyslot_add_by_key() to add a new unbound key slot. Unfortunately this new key slot gets the default PBKDF settings, thus it gets Argon2i. I guess if I would use crypt_set_pbkdf_type() before to set PBKDF2, then the new key slot would get PBKDF2 instead of Argon2i. However, I don't want to hard code PBKDF2 here, but I would like to use the PBKDF settings of the key slot that was unlocked before. So I would need a way to get the PBKDF settings of a key slot and then use crypt_set_pbkdf_type() with those settings before calling crypt_keyslot_add_by_key(). That way the new key slot would get the same PBKDF settings as the current one.
> 
> Using crypt_get_pbkdf_type() seems to return the default PBKDF algorithm, thus Argon2i for LUKS2. 

Yes, you describe exactly how I intended to use it. (I guess your use key is s390 crypto, so PBKDF2 ok, because it is wrapped key for crypto accelerator,
without the hw attacker cannot run offline attacks here.)

But since we can now get per-keyslot encryption in LUKS2 through API, there should be also way how to get specific keyslot PBKDF setting (and not only the default).

It should be relatively simple, so I tried to add such a call - it something like this what you need?
  https://gitlab.com/cryptsetup/cryptsetup/commit/8c3be56418248ef5b96265f901122effa88e446b

Thanks,
Milan

Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[Ingo Franzki]

On 04.02.2019 14:22, Milan Broz wrote:
> Hi Ingo,
Hi Milan,
> 
> On 31/01/2019 11:14, Ingo Franzki wrote:
>> Hi,
>>
>> is there a way to get the PBKDF settings (struct crypt_pbkdf_type) of an existing key slot in a LUKS2 volume via the libcryptsetup API? 
> 
> Not yet, but see below.
> 
>>
>> This question is related to the default PBKDF algorithm Argon2i for LUKS2 and the out-of-memory errors that you might get when you unlock multiple LUKS2 volumes during system startup via /etc/crypttab.
>>
>> One of my application uses crypt_keyslot_add_by_key() to add a new unbound key slot. Unfortunately this new key slot gets the default PBKDF settings, thus it gets Argon2i. I guess if I would use crypt_set_pbkdf_type() before to set PBKDF2, then the new key slot would get PBKDF2 instead of Argon2i. However, I don't want to hard code PBKDF2 here, but I would like to use the PBKDF settings of the key slot that was unlocked before. So I would need a way to get the PBKDF settings of a key slot and then use crypt_set_pbkdf_type() with those settings before calling crypt_keyslot_add_by_key(). That way the new key slot would get the same PBKDF settings as the current one.
>>
>> Using crypt_get_pbkdf_type() seems to return the default PBKDF algorithm, thus Argon2i for LUKS2. 
> 
> Yes, you describe exactly how I intended to use it. (I guess your use key is s390 crypto, so PBKDF2 ok, because it is wrapped key for crypto accelerator,
> without the hw attacker cannot run offline attacks here.)
> 
> But since we can now get per-keyslot encryption in LUKS2 through API, there should be also way how to get specific keyslot PBKDF setting (and not only the default).
> 
> It should be relatively simple, so I tried to add such a call - it something like this what you need?
>   https://gitlab.com/cryptsetup/cryptsetup/commit/8c3be56418248ef5b96265f901122effa88e446b
> 
Yes, that's exactly what I need ! 
Thanks a lot !
> Thanks,
> Milan
> 
> 


-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH / Vorsitzender des Aufsichtsrats: Matthias Hartmann
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[Ingo Franzki]

On 04.02.2019 14:44, Ingo Franzki wrote:
> On 04.02.2019 14:22, Milan Broz wrote:
>> Hi Ingo,
> Hi Milan,
>>
>> On 31/01/2019 11:14, Ingo Franzki wrote:
>>> Hi,
>>>
>>> is there a way to get the PBKDF settings (struct crypt_pbkdf_type) of an existing key slot in a LUKS2 volume via the libcryptsetup API? 
>>
>> Not yet, but see below.
>>
>>>
>>> This question is related to the default PBKDF algorithm Argon2i for LUKS2 and the out-of-memory errors that you might get when you unlock multiple LUKS2 volumes during system startup via /etc/crypttab.
>>>
>>> One of my application uses crypt_keyslot_add_by_key() to add a new unbound key slot. Unfortunately this new key slot gets the default PBKDF settings, thus it gets Argon2i. I guess if I would use crypt_set_pbkdf_type() before to set PBKDF2, then the new key slot would get PBKDF2 instead of Argon2i. However, I don't want to hard code PBKDF2 here, but I would like to use the PBKDF settings of the key slot that was unlocked before. So I would need a way to get the PBKDF settings of a key slot and then use crypt_set_pbkdf_type() with those settings before calling crypt_keyslot_add_by_key(). That way the new key slot would get the same PBKDF settings as the current one.
>>>
>>> Using crypt_get_pbkdf_type() seems to return the default PBKDF algorithm, thus Argon2i for LUKS2. 
>>
>> Yes, you describe exactly how I intended to use it. (I guess your use key is s390 crypto, so PBKDF2 ok, because it is wrapped key for crypto accelerator,
>> without the hw attacker cannot run offline attacks here.)
>>
>> But since we can now get per-keyslot encryption in LUKS2 through API, there should be also way how to get specific keyslot PBKDF setting (and not only the default).
>>
>> It should be relatively simple, so I tried to add such a call - it something like this what you need?
>>   https://gitlab.com/cryptsetup/cryptsetup/commit/8c3be56418248ef5b96265f901122effa88e446b
>>
> Yes, that's exactly what I need ! 
> Thanks a lot !

It would be nice if I could check via #ifdef if that new function is available or not. 
For example have a symbol in libcryptsetup.h that contains the current version:
#define LIBCRYPTSETUP_VERSION     0x00020006
That way one could use 
#ifdef LIBCRYPTSETUP_VERSION >= 0x00020006
to check for a feature.

That would allow me to write code that does not hardly depend on a certain cryptsetup version. If the new function is not there I could use PBKDF2 unconditionally, and when it is there I use the new function to find out what PBKDF is used by the existing keyslot. 


>> Thanks,
>> Milan
>>
>>
> 
> 


-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH / Vorsitzender des Aufsichtsrats: Matthias Hartmann
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[Milan Broz]

On 04/02/2019 16:15, Ingo Franzki wrote:
> It would be nice if I could check via #ifdef if that new function is available or not. 
> For example have a symbol in libcryptsetup.h that contains the current version:
> #define LIBCRYPTSETUP_VERSION     0x00020006
> That way one could use 
> #ifdef LIBCRYPTSETUP_VERSION >= 0x00020006
> to check for a feature.

No, sorry, I am not going to provide such strings. Usually, it ends in a big confusion
(some distro backports patches without modifying define, etc.)

Also, the version of API is not the version of binaries (we use so lib versioning
that provides backward compatibility on the symbol level).

The proper way would be to use autoconf (or similar tool) that checks availability
of symbol and then it automatically defines HAVE_symbol in config.h, but I am not sure
if you can use it.

I'll try to squeeze it to 2.1 release, there will be some new defines as well,
so library name version will be updated appropriately.
In the worst case, you can probably "abuse" other defines that appears in libcryptsetup.h
(like CRYPT_LOG_DEBUG_JSON) in the same version.

Milan

Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[Ingo Franzki]

On 04.02.2019 18:47, Milan Broz wrote:
> On 04/02/2019 16:15, Ingo Franzki wrote:
>> It would be nice if I could check via #ifdef if that new function is available or not. 
>> For example have a symbol in libcryptsetup.h that contains the current version:
>> #define LIBCRYPTSETUP_VERSION     0x00020006
>> That way one could use 
>> #ifdef LIBCRYPTSETUP_VERSION >= 0x00020006
>> to check for a feature.
> 
> No, sorry, I am not going to provide such strings. Usually, it ends in a big confusion
> (some distro backports patches without modifying define, etc.)
> 
> Also, the version of API is not the version of binaries (we use so lib versioning
> that provides backward compatibility on the symbol level).
> 
> The proper way would be to use autoconf (or similar tool) that checks availability
> of symbol and then it automatically defines HAVE_symbol in config.h, but I am not sure
> if you can use it.
> 
> I'll try to squeeze it to 2.1 release, there will be some new defines as well,
> so library name version will be updated appropriately.
> In the worst case, you can probably "abuse" other defines that appears in libcryptsetup.h
> (like CRYPT_LOG_DEBUG_JSON) in the same version.
> 
> Milan
> 
> 

I have now added support for calling crypt_keyslot_get_pbkdf(). 
Works great, with one little exception:

When getting a PBKDF from a key slot, the field time_ms is zero. 
When setting this PBKDF using crypt_set_pbkdf_type() I get an error that time can not be zero:
Message "Requested PBKDF target time cannot be zero." from function verify_pbkdf_params().

Looking at function LUKS2_keyslot_pbkdf() it seems that there is a little copy & paste error:

	if (json_object_object_get_ex(jobj_kdf, "iterations", &jobj))
		pbkdf->iterations = json_object_get_int(jobj);
	if (json_object_object_get_ex(jobj_kdf, "time", &jobj))
		pbkdf->iterations = json_object_get_int(jobj); <--- should set field time_ms, not iterations

Not a big deal, I can set time_ms manually before calling crypt_set_pbkdf_type() when it is zero.

-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH / Vorsitzender des Aufsichtsrats: Matthias Hartmann
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?

[Milan Broz]

Hello Ingo,

On 14/02/2019 10:28, Ingo Franzki wrote:
> I have now added support for calling crypt_keyslot_get_pbkdf(). 
> Works great, with one little exception:
> 
> When getting a PBKDF from a key slot, the field time_ms is zero. 

Yes, it is zero here, because it is the time intended for a benchmark.
(IOW it says: benchmark the PBKDF and set parameters such a way, that unlocking should take approximately this time.)

This requested time is not stored in keyslot (only the final calculated values are stored here).

> When setting this PBKDF using crypt_set_pbkdf_type() I get an error that time can not be zero:
> Message "Requested PBKDF target time cannot be zero." from function verify_pbkdf_params().
> 
> Looking at function LUKS2_keyslot_pbkdf() it seems that there is a little copy & paste error:
> 
> 	if (json_object_object_get_ex(jobj_kdf, "iterations", &jobj))
> 		pbkdf->iterations = json_object_get_int(jobj);
> 	if (json_object_object_get_ex(jobj_kdf, "time", &jobj))
> 		pbkdf->iterations = json_object_get_int(jobj); <--- should set field time_ms, not iterations

The code is correct ;-)

It is tricky, for PBKDF2 it is named "iterations" , for Argon it is "time" (means time cost),
but it is in the end stored in the same pbkdf->iterations value.

Only one of the value is in JSON, so it will not overwrite..

I admit this is not the best solution but we had already stable data structure in API.

> Not a big deal, I can set time_ms manually before calling crypt_set_pbkdf_type() when it is zero.

If you want to run benchmark, then you need to set time_ms to requested value (default is 2000 ms).

The other option is to force reuse the same parameters and skip benchmark, then you can keep
time_ms value to 0 but you have to set pbkdf->flags bit CRYPT_PBKDF_NO_BENCHMARK.

Milan