Hello, I was looking into the LUKS implementation for a crypto related project. The field mkDigest in the LUKS header contains a PKDBF2 hash of the volume key, which I believe is indirectly used to verify the user passphrase. Eg, if mkDigest on disk does not match PBKDF2 of volume key decrypted with user passphrase, user passphrase is likely wrong. Correct? Is there any other purpose to it? Reason I'm asking: assuming that's the case, at passphrase insertion time there are at least 2 PBKDF2 that need to be computed - one to derive a key from the passphrase entered by the user, one to verify that the volume key is correct. Both eat time and CPU. If I was an attacker, though, I would not bother checking mkDigest at all. I would probably just try the guessed key to decrypt a disk block, and check for an ext4 or file system header, which I believe would be trivial to do (cost of decrypting a block for each attempted key, and look for common signatures). So.. is that PBKDF2 necessary? could we replace it by, for example, storing an encrypted one way hash of the volume key? Eg, compute volume key, use it to decrypt a small chunk of data, verify that the encrypted hash matches hash of volume key, without iterations or time/cpu complexity. My guess is that this would not significantly reduce the security of something like LUKS and/or increase the attack surface. Am I wrong? Did I miss anything I should be aware of? Thanks, Carlo _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
