From: Michael Halcrow <lkml@halcrow.us>
To: Phillip Susi <psusi@cfl.rr.com>
Cc: Michael Halcrow <mhalcrow@us.ibm.com>,
akpm@osdl.org, phillip@hellewell.homeip.net,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
viro@ftp.linux.org.uk, mcthomps@us.ibm.com, yoder1@us.ibm.com,
toml@us.ibm.com, emilyr@us.ibm.com, daw@cs.ber
Subject: Re: eCryptfs Design Document
Date: Sun, 26 Mar 2006 12:04:58 -0600 [thread overview]
Message-ID: <20060326180458.GA10056@halcrow.us> (raw)
In-Reply-To: <4426CB05.2070604@cfl.rr.com>
On Sun, Mar 26, 2006 at 12:10:29PM -0500, Phillip Susi wrote:
> Michael Halcrow wrote:
> >The mount-wide passphrase in the user session keyring is actually
> >not necessary to keep around after the mount process is finished in
> >this release, and we will likely alter the design and
> >implementation for the 0.1 release to just remove it once the file
> >key encryption key is associated with the eCryptfs superblock
> >object on mount.
>
> I see, so for now you import the key from the keyring into the
> superblock at mount time, but in the future you will directly use
> the key from the keyring as needed?
Yes. Since that's going to be ``in the future,'' it makes sense just
to remove it from the keyring after the mount is complete for now.
> >>Are you saying that you salt the passphrase, hash that, then hash
> >>the hash, then hash that hash, and so on? What good does repeatedly
> >>hashing the hash do? Simply hashing the salted passphrase should be
> >>sufficient to obtain a key.
> >
> >This approach is only used to help make dictionary attacks against the
> >passphrase a bit harder.
>
> Isn't that what adding the salt is for? You add 16 bits of salt so that
> a pre hashed dictionary would require 65,536 different hashes per
> passphrase permutation.
The salt in eCryptfs is 64 bits (8 octets, per the spec of the
iterated and salted S2K; see Section 3.6.1.3 RFC 2440). Without the
iterated hashing, the raw dictionary generation will require storage
on the scale of 2^64 multiplied by the size of the dictionary. I think
this is big enough to address any attacks that involve pre-computed
dictionaries, as you have already pointed out.
The dictionary attack that I have in mind that I would like to make a
``bit'' harder is the dedicated attack against one particular file. If
an attacker just wants to attack the passphrase on that file, then
without iterated hashing, the difficulty is roughly proportional (in
aggregate) to half size of the dictionary. If the passphrase is weak,
then the file will likely be compromised anyway, but at least an
iterated hash multiplies the amount of work that the dictionary
attacker needs to do by the number of iterations.
The question then is whether the additional hashing effort on the part
of a legitimate user has a good cost/benefit security tradeoff. If the
passphrase is strong and if the user is having to do the iterated hash
on every file in a large directory, then the tradeoff is probably
bad. If the passphrase is weak, the user can tolerate the overhead of
iterated hashing on file opens, and the attacker has limited
computational resources, then the tradeoff might be good. Ultimately,
that is the sort of thing I would like to be configurable via policy
in later versions of eCryptfs.
Keep in mind that, for the current release of eCryptfs, the iterated
hashing only happens once per mount, not once per file, and so there
is very little cost to the user, and it has at least some security
benefit, so why not do it? Note that this will change in later
versions, as a different salt is generated for each file in the
system, but it will also be configurable in later versions.
Mike
next prev parent reply other threads:[~2006-03-26 18:10 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-03-24 22:25 eCryptfs Design Document Michael Halcrow
2006-03-24 23:12 ` James Morris
2006-03-27 16:17 ` Michael Thompson
2006-03-27 16:52 ` Michael Halcrow
2006-03-24 23:49 ` Andrew Morton
2006-03-25 0:13 ` Michael Halcrow
2006-03-25 0:33 ` Andrew Morton
2006-03-25 7:38 ` Miklos Szeredi
2006-03-27 23:31 ` Michael Halcrow
2006-03-28 16:00 ` Stephen C. Tweedie
2006-03-29 20:14 ` Michael Halcrow
2006-03-25 19:28 ` Phillip Susi
2006-03-25 19:50 ` Michael Halcrow
2006-03-26 17:10 ` Phillip Susi
2006-03-26 18:04 ` Michael Halcrow [this message]
2006-03-27 0:05 ` Phillip Hellewell
2006-03-27 2:53 ` Phillip Susi
2006-03-27 16:10 ` Michael Thompson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060326180458.GA10056@halcrow.us \
--to=lkml@halcrow.us \
--cc=akpm@osdl.org \
--cc=daw@cs.ber \
--cc=emilyr@us.ibm.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcthomps@us.ibm.com \
--cc=mhalcrow@us.ibm.com \
--cc=phillip@hellewell.homeip.net \
--cc=psusi@cfl.rr.com \
--cc=toml@us.ibm.com \
--cc=viro@ftp.linux.org.uk \
--cc=yoder1@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).