Re: [dm-crypt] Alternate KDFs (Key Derivation Functions) in cryptsetup

[Milan Broz <gmazyland@gmail.com>]

On 18.6.2013 1:47, Mike wrote:
> Hi,
> 
> I started some work on adding changes to the cryptsetup code to allow
> for the use of different KDFs during key derivation, as it's a
> feature I believe would be useful. I was thinking of adding both
> bcrypt and scrypt as available alternative KDFs that the user may
> choose from.  As I didn't wish to alter the current header structure,
> if there's a different KDF used during format, that KDF would have to
> be specified during volume open, as well any other relevant
> operations.
> 
> If I created a patch for all the changes and submitted them for
> review, would there be an interest in incorporating them into the
> main cryptsetup branch? I've already incorporated the scrypt
> reference implementation into the cryptsetup codebase and confirmed
> that the official test vectors match the output. I would also be
> interested in helping out with any other updates that might need to
> be made.

Hi,

if you used the latest code you can see that code is almost ready
to add another KDF.

So definitely there is a plan to add more KDFs in future as needed,
if they are proven to be secure, idealy defined in some standard or RFC,
but I would like to see more widely use before it can become part of main
branch.

Anyway, you can always post patches for testing.
Please attach it to http://code.google.com/p/cryptsetup/issues/detail?id=119
(or send it to this list if you do not want use Google account).

But I definitely prefer if scrypt (or another KDF) is part of crypto library and
cryptsetup uses just wrapper over this library.

(PBKDF2 is implemented in core because of historic reasons and
it is only fallback now - only if configured crypto backend doesn't
provide PBKDF2, internal implementation is used. The same should apply
for other KDF as well.)

Thanks,
Milan