On Tue, Apr 28, 2009 at 6:05 PM, Arno Wagner <arno@xxxxxxxxxxx> wrote:
> The salt is an anti-forensic measure, making the pre-building of
> tables more difficult. It needs to be weakly non-predictable
> and typically is weak key-grade. The mk-digest is an identifier
> that has a default value and can come only from a short
> list of names, so an attack can try them all with little
> effort.
>
> So, no, the salt is a real, likely unsolvable, problem,
> with close to 256 bits of entropy that would need to be guessed,
> while the mk-digest represents likely less than 2 bits in practice,
> maybe just a tiny bit more than one with most people using the
> default.
>
> Arno

My understanding of mk-digest, mk-digest-salt and mk-digest-iter
appears to be in conflict with your own.

Page 7:
"The master key is checksummed, so a correct master key can be
detected. To future-proof the checksumming, a hash is not only applied
once but multiple times. In fact, the PBKDF2 primitive is reused. The
master key is feed into the PBKDF2 process as if it were a user
password. After the iterative hashing, the random chosen salt, the
iteration count and the result are stored in the phdr."

As I understand it not having access to mk-digest-salt is not much of
an issue. The real issue is that he's overwritten the first 6 and a bit
keyslots and thus lost the salts and iteration counts stored in each
slot.

But if he was using slot 8, he'd be in luck.

--
Roscoe
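The master-key checksum described in the quoted page 7 passage, as an added example (not part of the original message and not cryptsetup's code): it parses the fixed part of a LUKS1 phdr and tests a candidate master key against mk-digest. Field offsets follow the LUKS1 on-disk format; the function names and the sample header are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Fixed part of the LUKS1 phdr (big-endian): magic, version, cipher-name,
# cipher-mode, hash-spec, payload-offset, key-bytes, mk-digest (20 bytes),
# mk-digest-salt (32 bytes), mk-digest-iter, uuid. The key slots follow it.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"


def parse_phdr(buf):
    """Return the fields needed for the master-key check from a LUKS1 phdr."""
    (magic, version, _cipher, _mode, hash_spec, _payload_offset, key_bytes,
     mk_digest, mk_digest_salt, mk_digest_iter, _uuid) = PHDR.unpack_from(buf)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    return {
        "hash_spec": hash_spec.rstrip(b"\0").decode("ascii"),
        "key_bytes": key_bytes,
        "mk_digest": mk_digest,
        "mk_digest_salt": mk_digest_salt,
        "mk_digest_iter": mk_digest_iter,
    }


def master_key_matches(hdr, candidate):
    """Feed the candidate through PBKDF2 as if it were a password and compare."""
    if len(candidate) != hdr["key_bytes"]:
        return False
    digest = hashlib.pbkdf2_hmac(hdr["hash_spec"], candidate,
                                 hdr["mk_digest_salt"], hdr["mk_digest_iter"],
                                 dklen=len(hdr["mk_digest"]))
    return hmac.compare_digest(digest, hdr["mk_digest"])


def build_sample_phdr(master_key, iterations=1000):
    """Constructed sample header for offline testing; not a real volume."""
    salt = os.urandom(32)
    digest = hashlib.pbkdf2_hmac("sha1", master_key, salt, iterations, dklen=20)
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                     2056, len(master_key), digest, salt, iterations,
                     b"constructed-sample-uuid")
```
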