Date: Wed, 1 Feb 2012 09:19:42 +0100
From: Arno Wagner
Message-ID: <20120201081941.GA3750@tansi.org>
Subject: Re: [dm-crypt] New Luks Format Specification (1.3)
To: dm-crypt@saout.de

Hi Zaolin,

On Wed, Feb 01, 2012 at 08:59:10AM +0100, Philipp Deppenwiese wrote:
> Hi,
>
> I am Zaolin from the German hackerspace "Das Labor".

Never heard of it, sorry.

> The last month I concentrated on how to change the luks specification to
> be state of the art. Up to now we still use SHA-1 as default algorithm
> for PBKDF2 in luks.

SHA-1 is not a security problem when used in this fashion.

> The next problem is the excessive use of parallel
> bruteforcing systems like ASIC, FPGA or GPGPU technology. A new key
> derivation function is needed in order to raise the complexity of
> bruteforce attacks against the luks key derivation function.

No, it is not. At the very worst, a higher iteration count may be needed,
but that question involves a trade-off that is regularly discussed here,
see the mailing-list archives.

> If someone
> sends me the *.tex file of the luks specification, I will update and post
> it for review.

I doubt there is need for that. Please post your cryptanalytic results
here, so that we can have a look.

If you are trying for a large-memory key-derivation function, please note
that a) this was discussed here recently (if I remember correctly, I do
remember that I was in some discussion about it and that the large-memory
property was doubtful at best) and that b) it is unclear whether a
large-memory property, if ensured, will even help.

Also note that against a determined or high-resource attacker, the only
help is a high-entropy passphrase, as has been discussed on this list
several times and is clearly stated in the FAQ.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
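The iteration-count trade-off and the "only a high-entropy passphrase helps" point from the reply above, worked through in code. This is an added example, not code from the dm-crypt list, from Arno Wagner, or from the LUKS specification. It uses Python's standard `hashlib.pbkdf2_hmac` with SHA-1 (the LUKS1 default the thread mentions), measures the per-iteration cost on the machine it runs on, and plugs in a constructed attacker per-iteration cost; the attacker figure is an assumption for illustration, not a measurement of any real ASIC, FPGA or GPGPU rig.

```python
"""PBKDF2 iteration count versus unlock delay versus passphrase entropy.

Added example (not from the dm-crypt list or the LUKS project). Every
timing figure is measured on the machine running this; the attacker cost
passed to expected_attack_seconds is a constructed assumption.
"""
import hashlib
import math
import os
import time


def derive_key(passphrase: bytes, salt: bytes, iterations: int,
               hash_name: str = "sha1", dklen: int = 32) -> bytes:
    """PBKDF2-HMAC over the chosen hash. LUKS1 uses sha1 by default; the
    hash choice barely matters here, the iteration count and entropy do."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, dklen)


def seconds_per_iteration(hash_name: str = "sha1", probe: int = 20_000) -> float:
    """Measure the cost of one PBKDF2 iteration on this CPU (single core)."""
    salt = os.urandom(32)  # throwaway salt, benchmark only
    start = time.perf_counter()
    derive_key(b"benchmark passphrase", salt, probe, hash_name)
    return (time.perf_counter() - start) / probe


def iterations_for_delay(target_seconds: float, hash_name: str = "sha1") -> int:
    """Iteration count that makes one unlock on this machine take about
    target_seconds. This is the trade-off from the thread: each doubling
    costs the legitimate user twice the unlock time and costs an attacker
    exactly one more bit of work. A floor of 1000 keeps the value sane on
    very fast machines."""
    per_iter = seconds_per_iteration(hash_name)
    return max(1000, int(target_seconds / per_iter))


def iteration_doubling_bits(old_iters: int, new_iters: int) -> float:
    """Passphrase-entropy equivalent of raising the iteration count."""
    return math.log2(new_iters / old_iters)


def expected_attack_seconds(entropy_bits: float, iterations: int,
                            attacker_seconds_per_iteration: float) -> float:
    """Expected time for a guessing attacker to hit the passphrase: half the
    keyspace, times one full PBKDF2 run at the attacker's per-iteration
    cost. Entropy enters as 2**bits, iterations only linearly, which is why
    the passphrase, not the KDF tweak, decides the outcome."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations * attacker_seconds_per_iteration


if __name__ == "__main__":
    # Pick an iteration count for a one-second unlock on this box.
    iters = iterations_for_delay(1.0)
    print(f"iterations for ~1 s unlock here: {iters}")

    # Constructed attacker: assume 1e-9 s per PBKDF2 iteration on a
    # parallel rig (an assumption chosen for illustration).
    attacker = 1e-9
    for bits in (30, 40, 50, 60):
        secs = expected_attack_seconds(bits, iters, attacker)
        print(f"{bits:2d}-bit passphrase: ~{secs / 86400:.1f} days expected")

    # Doubling iterations buys one bit; ten extra passphrase bits buy 1024x.
    print(f"8x iterations = +{iteration_doubling_bits(iters, 8 * iters):.0f} bits")
```

Run it as a script to see the table; the point it makes is the reply's: moving from 40 to 50 bits of passphrase entropy multiplies the attacker's expected work by 1024, while the same factor from iterations alone would make every legitimate unlock take 1024 times longer.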