On Thu, Jul 02, 2009 at 02:30:16PM +0200, Thomas F?ssler wrote:
> Hi,
>
> I wonder if I could use an arbitrary file (i.e. a picture or pdf-document)
> as a keyfile for my LUKS partition. Usually I created some random files
> (dd'ing from /dev/random). Which one is more secure? And what should the
> size be?
>
> Thanks

The random files are more secure, because the picture or PDF document could be available to others. If you assume, for example, 1 billion pictures to try, that means a picture only contains about 30 bits of entropy, which is not a lot.

On the other hand, a random keyfile needs only as many bits as the key is long, as it has close to 1 bit of entropy per bit contained. In fact the only reason to make a random keyfile larger than the length of the key is an increased chance to successfully erase it when overwriting, much like the "anti-forensic stripes" in LUKS. This is for cryptographically strong randomness of course, but /dev/random delivers that.

As for concrete key size, it appears that the input is hashed by default with ripemd160 by cryptsetup and then the 160 bits are used as key for AES-256. If ripemd160 was perfect, a 160 bit file length for the random file would be enough. In practice, I would say use something like 256 bit (32 Bytes) with cryptographically strong randomness, and more for data with less entropy.

The way this works is that the hash aggregates the entropy up to its output size. So if you put in 1MB with 100 bits of entropy in it, your hash gives you 160 bits (or whatever the hash output size is) with almost 100 bits of entropy in it. If your large file has 1000 bits of entropy, you get almost 160 bits of entropy in the hash output. (The "almost" is more of a theoretical caution here.)

How much entropy is in data is a judgement call, but /dev/random is designed carefully (on Linux) and should deliver very close to 1 bit/bit entropy. Other sources are worse. For example, English text has something like 2 bit/character in entropy. A white noise sound sample may have less than 1 bit/sample. A picture taken with a digital camera should typically be above 1 bit/pixel (due to noise), regardless of motif, as long as it is somehow of average brightness, but take care that compression can reduce that.

If you want to use something other than /dev/random, e.g. a picture taken with your camera, I advise overkill. Do a careful lower estimate (e.g. 1 bit/pixel in entropy) and then take 1000 times the size you need. So for 256 bits of entropy (which is enough for the cryptsetup defaults), use a 256000 pixel image. The traditional solution was to take a picture of a lava lamp, btw.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
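The entropy budgeting argued in the mail above (enumerable public files are worth log2(N) bits; a hash aggregates entropy but never creates it; size a non-random keyfile by a lower bound times a large safety factor), worked through as an added example that is not part of the original post and not cryptsetup's own code. Assumptions that are mine, not the mail's: SHA-256 stands in for the RIPEMD-160 hash the mail says cryptsetup applies by default, because RIPEMD-160 is not guaranteed to be in Python's hashlib; os.urandom stands in for dd'ing from /dev/random; the byte-histogram entropy estimator and the sample English text are constructed for the demonstration. The last function shows the attacker's side of the "1MB with little entropy" case: a 64 KiB file whose only unpredictable content is a single byte yields a 256-bit digest that is recovered in at most 256 guesses.

```python
"""Entropy budgeting for a LUKS keyfile (added example, not from the list post).

Assumptions (mine): SHA-256 replaces the RIPEMD-160 the mail mentions, since
RIPEMD-160 is not always present in hashlib; the byte-histogram estimator is a
crude upper bound on entropy, not a proof; sample inputs below are constructed.
"""
import hashlib
import math
import os
from collections import Counter
from typing import Optional

HASH_OUTPUT_BITS = 256  # sha256 stand-in; the mail discusses a 160-bit ripemd160 default


def search_space_bits(candidates: int) -> float:
    """A keyfile an attacker can enumerate (one of N public pictures) is worth
    only log2(N) bits, whatever its size: 10**9 pictures -> about 29.9 bits."""
    return math.log2(candidates)


def shannon_bits_per_byte(data: bytes) -> float:
    """Single-byte Shannon entropy estimate. It ignores correlations between
    bytes, so for text or images it overestimates; treat it as an upper bound."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def effective_key_bits(input_entropy_bits: float, hash_bits: int = HASH_OUTPUT_BITS) -> float:
    """Hashing aggregates entropy but never creates it: the derived key has at
    most min(entropy in the keyfile, hash output size) bits."""
    return min(input_entropy_bits, hash_bits)


def pixels_needed(target_bits: int, bits_per_pixel_lower_bound: float, overkill: int = 1000) -> int:
    """The sizing rule from the mail: lower-bound the entropy per unit, then
    take 1000 times the size that bound says you need."""
    return math.ceil(target_bits / bits_per_pixel_lower_bound) * overkill


def derive_key(keyfile: bytes) -> bytes:
    """Stand-in for cryptsetup hashing a keyfile into key material (assumption:
    sha256 here, not the ripemd160 default the mail talks about)."""
    return hashlib.sha256(keyfile).digest()


def random_keyfile(nbytes: int = 32) -> bytes:
    """The recommended kind of keyfile: 32 bytes (256 bits) straight from the
    OS RNG, the Python equivalent of dd'ing from /dev/random."""
    return os.urandom(nbytes)


def low_entropy_keyfile(secret: int, size: int = 1 << 16) -> bytes:
    """Constructed 64 KiB 'keyfile' whose only unpredictable content is one
    byte: a large file carrying 8 bits of entropy."""
    return bytes([secret]) + b"\x00" * (size - 1)


def recover_secret(target_key: bytes, size: int = 1 << 16) -> Optional[int]:
    """The attacker's view of the low-entropy file: the 256-bit digest can take
    only 2**8 values, so trying every byte recovers the key material."""
    for candidate in range(256):
        if derive_key(low_entropy_keyfile(candidate, size)) == target_key:
            return candidate
    return None


# Constructed sample input (not data from the mail).
ENGLISH_TEXT = (b"the quick brown fox jumps over the lazy dog while the cat "
                b"watches from the warm kitchen window and waits for dinner ") * 32


if __name__ == "__main__":
    print(f"10**9 public pictures : {search_space_bits(10**9):.1f} bits")
    print(f"os.urandom keyfile    : {shannon_bits_per_byte(random_keyfile(4096)):.2f} bits/byte")
    print(f"English text          : {shannon_bits_per_byte(ENGLISH_TEXT):.2f} bits/byte (upper bound)")
    print(f"1MB with 100 bits     : key worth {effective_key_bits(100):.0f} bits")
    print(f"file with 1000 bits   : key worth {effective_key_bits(1000):.0f} bits")
    print(f"256 bits at 1 bit/pixel, 1000x overkill: {pixels_needed(256, 1.0)} pixels")
    key = derive_key(low_entropy_keyfile(0xA7))
    print(f"64 KiB file, 8 bits of entropy: secret recovered = {recover_secret(key):#x}")
```

The byte-histogram estimate is deliberately generous: it reports around 4 bits/byte for English text where the mail's figure is about 2 bits/character, which is exactly why the mail's advice is to take a conservative lower bound and then multiply by 1000 rather than trust an estimator.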