Louis,
Thanks for this. Yes, I would like the makefile and configure.ac files.
Last year I encountered the very problem your program is meant to avoid:
It was months since I entered my LUKS passphrase and I'd forgotten it.
With the hope that I might remember it one day, I mounted the disk in
another machine and wrote a bash script to try out passphrases on it...
but I haven't discovered it yet. Now I'm looking for other options.
So two questions:
Will this program work on just the LUKS header? Or does it work only on
the entire mount point (with all the data therein included)?
Is there a delay of some seconds required between invocations?
Thanks much.
On 06/19/2012 06:53 AM Louis wrote:
Hello,
for information, I wrote a small C program to check if the given
passphrase is correct, without doing anything on the disk. The command
is used this way:
$ cryptsetup_check_passphrase /dev/sda1
Enter passphrase for /dev/sda1:<MY_SECRET_PASSPHRASE>
Valid key (slot 0)
$
If you think it can benefit cryptsetup, I offer to write the necessary
patch to include it to cryptsetup (as a "luksValidateKey" LUKS action).
# why do I need such a command ?
We are a group of hacktivists who offer some online services (such as
email addresses). Our disks are encrypted using LUKS. As we are six
members operating the server, and we reboot it only a few times a year,
it may happen that some of us only use the passphrase once in two years,
which is prone to forgetting. So we want a way to, once in a while (at
our monthly meetings), check that we still know our passphrase, without
risking to do something on the disk (creating, removing partition,
deleting passphrases, etc.).
# Security risks
Isn't this function a wonderful tool to try brute force attacks ? I do
not think so. Attacker needs to be root to run it, at which point (s)he
can already do a lot of harmful things. Moreover, once (s)he is root,
attacker might as well compile the program I just wrote to try this
brute force attack. To sum up: Yes, it can be used to brute force the
partition, but nothing more that what was possible to do without this tool.
Regards,
Louis
PS : Not to overload this list with many files, I only give
you here the C code. If you want the makefile and configure.ac, just ask.
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<libcryptsetup.h>
void usage() {
printf("cryptsetup_check_passphrase LUKSDEVICE\n");
}
int check_passphrase(const char* device_name) {
int keyslot;
int error;
int status;
struct crypt_device *cd = NULL;
if ((error = crypt_init(&cd, device_name))) {
printf("Could not open device \"%s\": %s\n", device_name,
strerror(-error));
return 1;
}
if ((error = crypt_load(cd, NULL, NULL))) {
printf("Could not load device \"%s\": %s\n", device_name,
strerror(-error));
return 1;
}
keyslot = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, NULL,
0, 0);
if (keyslot>= 0) {
printf("Valid key (slot %u)\n", keyslot);
status = 0;
} else {
printf("No matching key found: %s\n", strerror(-keyslot));
status = 1;
}
crypt_free(cd);
return status;
}
int main( int argc, const char* argv[] ) {
int status;
/* Parsing arguments */
if (argc != 2) {
usage();
return 1;
}
/* Check */
status = check_passphrase(argv[1]);
return status;
}
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
