On Fri, 29 Nov 2013 02:03:53 +0100 Arno Wagner <arno@xxxxxxxxxxx> wrote
> On Fri, Nov 29, 2013 at 01:49:57 CET, anderson jackson wrote:
> > On Fri, 29 Nov 2013 01:32:51 +0100 Arno Wagner <arno@xxxxxxxxxxx> wrote
> >
> > > If I understood this right, it is plain(luks(data))
> >
> > No actually I meant plain(plain(data)). Therefore you won't see the luks
> > header when the attacker finds the correct pass but just random data.
> >
>
> That is not really more secure than just plain with the two
> passphrases concatenated (as long as the entropy does not
> exceed the key length). No reason to do this, except if you
> mistrust the ciphers and want to use two different ones.

My knowledge about the subject is only skin deep. However, I feel as if I am missing something, and in addition to that I must have explained myself poorly.

What I was suggesting is cascading two identical ciphers (both AES) in plain mode with two independent passphrases, one for the first plain block device and another for the second one.

/dev/sdx = random data
/dev/mapper/cascade1 = random data
/dev/mapper/cascade2 = file system

Let’s say an attacker is using brute force to find the passphrase, and let’s say the tries he has performed include the first passphrase. When that passphrase was tried, the decrypted result would have been random data, just as if it were a wrong passphrase. The attacker has no way of knowing that there is a cascade, since there is no header or other identifiable markers. So even when he finds the correct passphrase, it would appear to be a failed attempt because he only gets random data. He would have to try to brute force the passphrase for the second plain block device for each of the used phrases of the first block device.
Jackson

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
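An added illustration, not part of the original message or of dm-crypt: a toy model of the two points in this exchange, counting the trials needed against the two-layer cascade and against a single layer keyed with the concatenated passphrases. The hash-plus-XOR `layer` function, the `FSMAGIC!` signature and the four-word candidate list are all constructed assumptions standing in for headerless plain mode.

```python
import hashlib
from itertools import product

MAGIC = b"FSMAGIC!"                              # constructed stand-in for a filesystem signature
WORDS = ["alpha", "bravo", "charlie", "delta"]   # constructed candidate passphrases
FS = MAGIC + b"constructed sample filesystem contents"

def layer(data, passphrase, tag):
    """Toy headerless layer: key = hash(passphrase), XOR with a hash-counter keystream.
    XOR makes the same call both encrypt and decrypt; `tag` separates the two layers."""
    key = hashlib.sha256(tag + passphrase.encode()).digest()
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_cascade(fs, p1, p2):
    # /dev/sdx = E1(E2(fs)); opening with p1 yields cascade1, then p2 yields cascade2
    return layer(layer(fs, p2, b"L2"), p1, b"L1")

def make_single(fs, p1, p2):
    # One layer keyed by the two passphrases concatenated
    return layer(fs, p1 + p2, b"L1")

def search_cascade(disk):
    """Return (found pair, trials, count of first-layer outputs that looked valid)."""
    # Opening only the outer layer never shows the signature, even with the right p1.
    first_layer_hits = sum(layer(disk, p, b"L1").startswith(MAGIC) for p in WORDS)
    for trials, (p1, p2) in enumerate(product(WORDS, WORDS), 1):
        if layer(layer(disk, p1, b"L1"), p2, b"L2").startswith(MAGIC):
            return (p1, p2), trials, first_layer_hits
    return None, len(WORDS) ** 2, first_layer_hits

def search_single(disk):
    """Return (found pair, trials) for the single layer with concatenated passphrases."""
    for trials, (p1, p2) in enumerate(product(WORDS, WORDS), 1):
        if layer(disk, p1 + p2, b"L1").startswith(MAGIC):
            return (p1, p2), trials
    return None, len(WORDS) ** 2

if __name__ == "__main__":
    print(search_cascade(make_cascade(FS, "charlie", "bravo")))
    print(search_single(make_single(FS, "charlie", "bravo")))
```

In this model the first layer alone is never recognisable, yet both searches walk the same space of passphrase pairs and stop after the same number of trials.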