dm-crypt, new IV and standards - Carl-Daniel Hailfinger

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Carl-Daniel Hailfinger <c-d.hailfinger.kernel.2004@gmx.net>
To: christophe@saout.de
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Andrew Morton <akpm@osdl.org>
Subject: dm-crypt, new IV and standards
Date: Thu, 19 Feb 2004 23:06:02 +0100	[thread overview]
Message-ID: <4035334A.7030407@gmx.net> (raw)

Hi,

after having read what I believe to be all dm-crypt related mails on lkml,
I have a question which I could not find an answer for:
(and I noticed Andrew Morton worrying about backwards compatibility)

Would it be sensible (AFAICS there is not technical limitation) to reserve
512/1024/2048/whatever bytes at the beginning of every backing device for
dm-crypt so that the dm-crypt device could get some info about the used
methods automatically?

So this meta-information superblock could contain the following:
- A magic string like CRYPTSPACE (like SWAPSPACE2)
- The key used to encrypt the device (the key would be encrypted with the
password)
- The IV algorithm used
- The cipher used
- The way the password was hashed
- If some conversion was underway last time the dm-crypt device was accessed

This way, the following benefits would appear:
- New dm-crypt devices can be differentiated from old cryptoloop ones
- Since the password is independent of the key, you can change the
password without reencrypting the entire device.
- Since the key is independent of the password, you can change the key,
reencrypt the entire device and still keep your old password.
- You can change the default IV to something more secure than the current
default one without having to fear userland breakage.
- There are multiple ways to hash a password and with the current scheme
we have to try all of them if we do not know which version of the tools
was used to create the file.
- If the device is currently being reencrypted and is halfway through and
the power fails, we would know that some part of the device is old
encryption and some part is new encryption.
- New (more secure) crypto algorithms/ IV generation schemes/ passphrase
hashing schemes could be added (or even made default) without violating
the principle of least surprise.

I am not an expert in crypto, so if you tell me this would reduce security
or cause other problems, I will accept that. I am aware that the more
information an attacker has, the easier it is for him to break the encryption.


Regards,
Carl-Daniel

next             reply	other threads:[~2004-02-19 22:07 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-02-19 22:06 Carl-Daniel Hailfinger [this message]
2004-02-19 22:20 ` dm-crypt, new IV and standards Christophe Saout
2004-02-20 17:22   ` Jean-Luc Cooke
2004-02-20 21:26     ` James Morris
2004-02-20 21:52       ` 2.6.3 adaptec I2O will not compile David Lang
2004-02-25 16:25         ` Adrian Bunk
2004-02-26  8:02           ` Jaco Kroon
2004-02-26  8:08             ` David Lang
2004-02-26  9:28               ` Jaco Kroon
2004-02-26 10:24                 ` David Lang
2004-02-21  0:31       ` dm-crypt, new IV and standards Carl-Daniel Hailfinger
2004-02-21 16:48       ` Jean-Luc Cooke
2004-02-21 17:36         ` Jean-Luc Cooke
2004-02-21 19:01         ` Andreas Jellinghaus
2004-03-03  8:35         ` dean gaudet
2004-03-03 15:06           ` Jean-Luc Cooke
2004-03-03 21:40             ` David Wagner
2004-03-08 19:58               ` Jean-Luc Cooke
2004-03-04  1:48             ` dean gaudet
2004-03-04 13:24               ` Jean-Luc Cooke
2004-03-04 17:44                 ` David Wagner
2004-03-05  1:19                 ` dean gaudet
2004-03-05  2:14                   ` Jean-Luc Cooke
2004-03-04 15:08             ` Pavel Machek
2004-03-07  4:14               ` DM for detecting bad disks was: " Mike Fedyk
  -- strict thread matches above, loose matches on Subject: below --
2004-02-22 19:20 Adam J. Richter
2004-02-22 20:53 ` Christophe Saout

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4035334A.7030407@gmx.net \
    --to=c-d.hailfinger.kernel.2004@gmx.net \
    --cc=akpm@osdl.org \
    --cc=christophe@saout.de \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox