On Tue, Apr 28, 2009 at 07:48:23PM +1000, Roscoe wrote:
> On Tue, Apr 28, 2009 at 6:05 PM, Arno Wagner <arno@xxxxxxxxxxx> wrote:
> > The salt is an anti-forensic measure, making the pre-building of
> > tables more difficult. It needs to be weakly non-predictable
> > and typically is weak key-grade. The mk-digest is an identifier
> > that has a default value and can come only from a short
> > list of names, so an attack can try them all with little
> > effort.
> >
> > So, no, the salt is a real, likely unsolvable, problem,
> > with close to 256 bits of entropy that would need to be guessed,
> > while the mk-digest represents likely less than 2 bits in practice,
> > maybe just a tiny bit more than one with most people using the
> > default.
> >
> > Arno
>
> My understanding of mk-digest, mk-digest-salt and mk-digest-iter
> appears to be in conflict with your own.
>
> Page 7:
> "The master key is checksummed, so a correct master key can be
> detected. To future-proof the checksumming, a hash is not only applied
> once but multiple times. In fact, the PBKDF2 primitive is reused. The
> master key is fed into the PBKDF2 process as if it were a user
> password. After the iterative hashing, the randomly chosen salt, the
> iteration count and the result are stored in the phdr."
>
> As I understand it, not having access to mk-digest-salt is not much of
> an issue. The real issue is that he's overwritten the first 6 and a
> bit keyslots and thus lost the salts and iteration counts stored in
> each slot.
>
> But if he was using slot 8, he'd be in luck.

Hmm. I may remember the LUKS on-disk specification wrongly here. I will
have a look at it again. Possibly I am confusing the salt in the header
and the salt in the keyslots. The key material itself is actually not
impacted as it is stored after the 8 keyslots, with a size in MBs for
each key.

Arno

> --
> Roscoe
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
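The thread turns on which salt lives where: the mk-digest fields in the phdr only let you confirm a candidate master key, while each keyslot carries its own salt and iteration count, without which the passphrase cannot be turned back into the master key. The Python below is an added example (mine, not code from the thread, cryptsetup or the LUKS specification) that models both PBKDF2 uses and the recovery situation Roscoe describes. Assumptions not stated in the thread: PBKDF2-HMAC over sha1 and a 20-byte master-key digest (the LUKS1 defaults), a toy XOR wrap standing in for LUKS's AF-split plus cipher, and a constructed header in which the first seven keyslots have lost their salt and iteration count while slot 8 is intact.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Assumptions of this example (not from the thread): PBKDF2-HMAC over sha1, the
# LUKS1 default hash spec, and a 20-byte master-key digest stored in the phdr.
HASH_SPEC = "sha1"
MK_DIGEST_LEN = 20
MASTER_KEY_LEN = 32  # 256-bit master key


def mk_digest(master_key: bytes, mk_digest_salt: bytes, mk_digest_iter: int) -> bytes:
    """Spec p.7 checksum: the master key is fed to PBKDF2 as if it were a passphrase."""
    return hashlib.pbkdf2_hmac(HASH_SPEC, master_key, mk_digest_salt, mk_digest_iter, MK_DIGEST_LEN)


def master_key_matches(candidate: bytes, mk_digest_salt: bytes, mk_digest_iter: int,
                       stored_digest: bytes) -> bool:
    """Does a candidate master key reproduce the digest kept in the header?"""
    return hmac.compare_digest(mk_digest(candidate, mk_digest_salt, mk_digest_iter), stored_digest)


def keyslot_key(passphrase: bytes, slot_salt: bytes, slot_iter: int) -> bytes:
    """Per-keyslot KDF: passphrase plus THIS slot's salt and iteration count."""
    return hashlib.pbkdf2_hmac(HASH_SPEC, passphrase, slot_salt, slot_iter, MASTER_KEY_LEN)


def xor_wrap(data: bytes, slot_key: bytes) -> bytes:
    """Hypothetical stand-in for LUKS's AF-split + cipher: XOR with a keystream derived
    from the slot key. XOR is its own inverse, so the same call unwraps."""
    stream = hashlib.pbkdf2_hmac(HASH_SPEC, slot_key, b"wrap-stream", 1, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def make_slot(passphrase: bytes, master_key: bytes, salt: bytes, iters: int) -> dict:
    return {"salt": salt, "iter": iters,
            "wrapped": xor_wrap(master_key, keyslot_key(passphrase, salt, iters))}


def overwritten(slot: dict) -> dict:
    """A keyslot whose salt and iteration count were destroyed. The wrapped key material,
    which sits after the 8 keyslots as Arno notes, is left in place."""
    return {"salt": None, "iter": None, "wrapped": slot["wrapped"]}


def unlock_slot(passphrase: bytes, slot: dict, header: dict) -> Optional[bytes]:
    """Derive the slot key, unwrap, and accept the result only if the mk-digest check passes."""
    if slot["salt"] is None:  # salt and iteration count gone: nothing to derive from
        return None
    candidate = xor_wrap(slot["wrapped"], keyslot_key(passphrase, slot["salt"], slot["iter"]))
    if master_key_matches(candidate, header["mk_salt"], header["mk_iter"], header["mk_digest"]):
        return candidate
    return None


def recover(passphrase: bytes, header: dict) -> Optional[Tuple[int, bytes]]:
    """Try every keyslot; return (slot index, master key) for the first one that unlocks."""
    for idx, slot in enumerate(header["slots"]):
        mk = unlock_slot(passphrase, slot, header)
        if mk is not None:
            return idx, mk
    return None


# Constructed sample header (not from any real volume): slots 1-7 overwritten, slot 8 intact.
MASTER_KEY = bytes(range(MASTER_KEY_LEN))
PASSPHRASE = b"correct horse battery staple"
MK_SALT, MK_ITER = b"\x11" * 32, 1000
_slots = [make_slot(PASSPHRASE, MASTER_KEY, bytes([0x20 + i]) * 32, 2000 + i) for i in range(8)]
HEADER = {
    "mk_salt": MK_SALT, "mk_iter": MK_ITER,
    "mk_digest": mk_digest(MASTER_KEY, MK_SALT, MK_ITER),
    "slots": [overwritten(s) for s in _slots[:7]] + [_slots[7]],
}

if __name__ == "__main__":
    print("recovered:", recover(PASSPHRASE, HEADER))
    print("wrong passphrase:", recover(b"wrong", HEADER))
```

Running it shows the two points the thread makes: `recover` succeeds only through slot 8 (index 7), because the overwritten slots have no salt or iteration count to feed PBKDF2, and the intact mk-digest triple (salt, iteration count, digest) is what lets the unwrapped candidate be accepted or rejected rather than anything that helps derive it.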