On Fri, Jan 10, 2014 at 07:25:57 CET, Iggy wrote:
> Would you mind explaining hash-spec? Meaning that there is no internal
> mechanism to use different hashes/detect which hash was used on a given
> volume?
>
> Thanks for your time!
>
> -Iggy

(Follow-up to the list, because others may wonder this too, also correction, as I posted nonsense. Sorry about that.)

If you look at the header specification linked here:

http://code.google.com/p/cryptsetup/wiki/Specification

in Figure 1 you find the cipher and mode for the actual disk encryption, and the "hash-spec" which is the hash function used by PBKDF2. Sorry, I was confused yesterday, you can change the hash. (I had just thought about PBKDF2 which you cannot easily change to, say, scrypt...)

Now the thing is that while you can change SHA-1 to, say, SHA-512, the attacks on SHA-1 are preimage collisions, i.e. you can find two input values that hash to the same value. That means an attacker could possibly create a second passphrase for one he already knows in plain, which is not useful, and hence this vulnerability of SHA-1 has no effect. (Actually this even is harder, I am simplifying here...)

What these attacks are useful for is, for example, creating two certificates with different identities in them but the same hash. Then you can have one signed by some authority, but use the other one with the different identity in it, as the authority signs the hash, not the actual identity in the certificate. For MD5, this is really easy. For SHA-1 it is just about becoming feasible.

But this is completely useless for reversing a hash, and that is what an attacker would need to do in LUKS. And he would need to reverse an iterated hash, iterated, e.g., 200'000 times on my test machine. Reversing a hash is usually only possible by brute-force; attacks that make this much easier require very serious flaws in the hash. There are no such attacks for SHA-1 that I am aware of, and certainly none for an iterated SHA-1.

So changing the hash does not do anything, really, as the attacker can only try to brute-force the passphrase and that takes the same effort for SHA-1 and for SHA-512.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. --Tony Hoare

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
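The point Arno makes above (the hash-spec only selects the PRF inside PBKDF2, so the attacker's sole option is to pay the full iteration count per passphrase guess, whichever hash is chosen) can be shown with a small model of that derivation step. This is an added example, not code from Arno or from cryptsetup: it models only the PBKDF2 part of LUKS1 key-slot processing (the anti-forensic splitter and the master-key check are left out), the salt and iteration counts are constructed sample values, and `guess_cost_seconds` is a hypothetical helper that plays the role of cryptsetup's format-time benchmark.

```python
import hashlib
import hmac
import time

# Constructed sample salt (in LUKS1 the salt lives in the key-slot of the header).
SAMPLE_SALT = b"constructed-salt-32-bytes-long!!"


def derive_key(passphrase: str, salt: bytes, iterations: int,
               hash_name: str, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC over `hash_name`: the step that turns a passphrase into the
    key that unlocks a LUKS1 key-slot. `hash_name` is what the header's
    hash-spec field selects (e.g. "sha1", "sha256", "sha512")."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase.encode("utf-8"),
                               salt, iterations, dklen)


def guess_cost_seconds(hash_name: str, iterations: int, dklen: int = 32,
                       sample_iters: int = 2000) -> float:
    """Estimate how long one passphrase guess costs on this machine for the
    given hash and iteration count. This is the same work the legitimate
    unlock pays, so it bounds the attacker's guess rate for any hash choice."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"x", SAMPLE_SALT, sample_iters, dklen)
    elapsed = time.perf_counter() - start
    return elapsed * iterations / sample_iters


def brute_force_dictionary(target_key: bytes, salt: bytes, iterations: int,
                           hash_name: str, candidates):
    """Model the only attack the mail allows: derive each candidate and compare.
    A collision in the underlying hash gives the attacker nothing here, since
    it does not tell him which of the candidates to try next."""
    for cand in candidates:
        if hmac.compare_digest(derive_key(cand, salt, iterations, hash_name),
                               target_key):
            return cand
    return None


if __name__ == "__main__":
    # The iteration count Arno cites for his test machine, used as a sample.
    iterations = 200_000
    for name in ("sha1", "sha256", "sha512"):
        cost = guess_cost_seconds(name, iterations)
        print(f"{name:7s} {iterations} iterations: "
              f"~{cost:.3f} s per guess, ~{1 / cost:.1f} guesses/s single-core")
```

Run as a script it prints a per-guess cost for each hash at 200'000 iterations; the numbers differ somewhat between hashes, but for each of them a guess costs about what one unlock costs, which is the property that makes the hash-spec choice a detail rather than a defence. The `brute_force_dictionary` helper makes the same point from the attacker's side: every candidate has to be pushed through the full iteration count before it can be compared.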