From: Christian Stadelmann
Date: Sat, 03 Jan 2015 00:18:21 +0100
Subject: [dm-crypt] security: improve defaults
To: dm-crypt@saout.de
Message-ID: <1420240701.2680.36.camel@genodeftest.de>

Hi

I find several defaults in cryptsetup are less secure than they can be. Below I list them with some comments:

cipher: aes-cbc-essiv (default in plain mode)
There are known attacks against aes-cbc-essiv which led to using aes-xts as the default cipher in LUKS mode. Is there any reason why it should not be used in plain mode?

key size: 256 (default)
For using aes256 (which is the default cipher in LUKS mode) the key size should be 512 bit since XTS splits the supplied key.

hash: sha1 (default)
SHA-1 has been considered weak for some years; SHA-2 is widely available. Is there any reason against using SHA-2? Since hashing is only done once, sha512 could be the default.

iter-time: 1000 (default)
Could be increased.

random number pool: /dev/urandom (default)
This should definitely be `--use-random` as default; you should never use /dev/urandom for long-term crypto keys. It may result in using low-entropy keys, which obviously must not happen. It might take some time to gather enough entropy, but that is ok since performance is not relevant for an operation done once. Additionally I think it would be best to disable the option `--use-urandom` completely.

key derivation function: PBKDF2
PBKDF2 is easy to implement in FPGAs or ASICs, which reduces its strength. It is safe enough for today but scrypt is a good alternative.

To summarize: Strong crypto is available. It should be default.

Regards
Chris
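The four knobs the mail argues about (the PBKDF2 hash, the iteration count behind `--iter-time`, the `--key-size` that XTS splits in half, and scrypt as the proposed alternative) can be modelled in a few lines so their effect is visible rather than argued. The block below is an added example written for this page; it is not code from the mail's author or from the cryptsetup project, and it does not parse a real LUKS header. The function names, the calibration routine, the `aes_strength_bits` helper and the sample passphrase/salt are assumptions for illustration. It uses `os.urandom` only to make a throwaway salt so it runs offline; it does not model the entropy-source question raised in the mail.

```python
"""
Added example (not from the dm-crypt mail or from cryptsetup): a toy model of
LUKS1-style key derivation so the cost of each default can be measured.
Assumed for illustration: all function names, the calibration heuristic and
the constructed passphrase/salt values.
"""
import hashlib
import os
import time


def derive_key(passphrase: bytes, salt: bytes, hash_name: str = "sha1",
               iterations: int = 1000, key_bits: int = 256) -> bytes:
    """PBKDF2-HMAC as cryptsetup uses it for LUKS1 key slots.

    Defaults mirror the ones criticised in the mail (sha1, 1000 iterations,
    256-bit key). Pass hash_name="sha512", more iterations and key_bits=512
    to see the hardened configuration with the same call.
    """
    if key_bits % 8:
        raise ValueError("key size must be a whole number of bytes")
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, key_bits // 8)


def derive_key_scrypt(passphrase: bytes, salt: bytes, n: int = 2 ** 14,
                      r: int = 8, p: int = 1, key_bits: int = 512) -> bytes:
    """scrypt, the memory-hard alternative the mail proposes instead of PBKDF2.

    Memory use is roughly 128 * r * n bytes, which is what makes FPGA/ASIC
    attacks costlier than for PBKDF2.
    """
    return hashlib.scrypt(passphrase, salt=salt, n=n, r=r, p=p, dklen=key_bits // 8)


def xts_split(key: bytes) -> tuple[bytes, bytes]:
    """XTS consumes two equal-length AES keys: one for data, one for the tweak.

    A 512-bit --key-size therefore yields AES-256; 256 bits yields AES-128.
    """
    if len(key) not in (32, 64):
        raise ValueError("aes-xts needs a 256- or 512-bit key, got %d bits" % (len(key) * 8))
    half = len(key) // 2
    return key[:half], key[half:]


def aes_strength_bits(cipher_spec: str, key_bits: int) -> int:
    """Effective AES key length for a cryptsetup cipher spec and --key-size."""
    mode = cipher_spec.split("-")[1]  # "aes-xts-plain64" -> "xts"
    return key_bits // 2 if mode == "xts" else key_bits


def calibrate_iterations(hash_name: str, target_ms: int = 1000,
                         probe_iters: int = 10_000) -> int:
    """Rough equivalent of --iter-time: how many PBKDF2 iterations fit in target_ms.

    Measures a short probe run and scales it; never returns fewer than 1000.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"benchmark", bytes(32), probe_iters, 32)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    if elapsed_ms <= 0.0:
        return probe_iters
    return max(1000, int(probe_iters * target_ms / elapsed_ms))


if __name__ == "__main__":
    # Constructed inputs; a real LUKS salt comes from the key-slot header.
    passphrase = b"correct horse battery staple"
    salt = os.urandom(32)

    weak = derive_key(passphrase, salt)                                # sha1, 1000 iters, 256 bit
    strong = derive_key(passphrase, salt, "sha512",
                        calibrate_iterations("sha512", 1000), 512)     # mail's proposal
    print("weak   key bits:", len(weak) * 8, "-> aes-xts strength:", aes_strength_bits("aes-xts-plain64", len(weak) * 8))
    print("strong key bits:", len(strong) * 8, "-> aes-xts strength:", aes_strength_bits("aes-xts-plain64", len(strong) * 8))
    data_key, tweak_key = xts_split(strong)
    print("xts data key / tweak key:", len(data_key) * 8, "/", len(tweak_key) * 8, "bits")

    t0 = time.perf_counter()
    derive_key_scrypt(passphrase, salt)
    print("scrypt n=2^14 r=8 p=1 took %.0f ms" % ((time.perf_counter() - t0) * 1000))
```

The `derive_key` defaults reproduce the weak configuration; the `strong` call in `__main__` shows that fixing the key size alone is not enough for aes-xts, since `xts_split` halves whatever is supplied, which is the mail's point about 512-bit keys. `calibrate_iterations` makes the `--iter-time` trade-off concrete: the same target time buys fewer iterations of sha512 than of sha1 on most CPUs, so raising the hash and the time together is what actually raises attacker cost.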