Hi,

I find several defaults in cryptsetup are less secure than they can be. Below I list them with some comments:

cipher: aes-cbc-essiv (default in plain mode)
There are known attacks against aes-cbc-essiv which lead to using aes-xts as default cipher in LUKS mode. Is there any reason why it should not be used in plain mode?

key size: 256 (default)
For using aes256 (which is the default cipher in LUKS mode) the key size should be 512 bit since XTS splits the supplied key.

hash: sha1 (default)
SHA-1 has been considered weak for some years, SHA-2 is widely available. Is there any reason against using SHA-2? Since hashing is only done once, sha512 could be default.

iter-time: 1000 (default)
Could be increased.

random number pool: /dev/urandom (default)
This should definitely be `--use-random` as default, you should never use /dev/urandom for long-term crypto keys. It may result in using low-entropy keys which obviously must not happen. It might take some time to gather enough entropy, but that is ok since performance is not relevant for an operation done once. Additionally I think it would be best to disable the option `--use-urandom` completely.

key derivation function: PBKDF2
PBKDF2 is easy to implement in FPGAs or ASICs which reduces its strength. It is safe enough for today but scrypt is a good alternative.

To summarize: Strong crypto is available. It should be default.

Regards
Chris
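As an added example (not part of Chris's message and not cryptsetup code), a small Python audit that checks a plain-mode cryptsetup command line against the settings proposed above. The option names (--cipher, --key-size, --hash, --iter-time, --use-random, --use-urandom) are cryptsetup's; the defaults and thresholds it flags are the post's own claims, and the two command lines are constructed.

```python
"""Audit a cryptsetup plain-mode command line against the settings the post above
proposes (added example, not cryptsetup code; thresholds are the post's claims)."""
import shlex

# Options that take a value; any other token starting with "--" is a bare flag.
VALUE_OPTS = {"cipher", "key-size", "hash", "iter-time", "type"}
# Plain-mode defaults as the post lists them.
PLAIN_DEFAULTS = {"cipher": "aes-cbc-essiv", "key-size": "256", "hash": "sha1"}

def effective_aes_bits(cipher: str, key_size: int) -> int:
    """XTS splits the supplied key in two, so aes-xts with 256 bits is really AES-128."""
    return key_size // 2 if cipher.split("-")[1:2] == ["xts"] else key_size

def parse_options(cmdline: str) -> dict:
    """Collect --opt=value, --opt value and bare --flag tokens from a command line."""
    opts, tokens, i = {}, shlex.split(cmdline), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name = tok[2:]
            if "=" in name:
                name, value = name.split("=", 1)
            elif name in VALUE_OPTS and i + 1 < len(tokens):
                i, value = i + 1, tokens[i + 1]   # consume the following token as value
            else:
                value = True
            opts[name] = value
        i += 1
    return opts

def audit(cmdline: str) -> list:
    """Return one finding per setting that falls short of the post's recommendations."""
    opts = {**PLAIN_DEFAULTS, **parse_options(cmdline)}
    cipher, key_size = str(opts["cipher"]), int(opts["key-size"])
    findings = []
    if not cipher.startswith("aes-xts"):
        findings.append(f"cipher {cipher}: post recommends aes-xts")
    bits = effective_aes_bits(cipher, key_size)
    if bits < 256:
        findings.append(f"key-size {key_size} with {cipher} is only AES-{bits}; XTS needs 512")
    if str(opts["hash"]).lower() == "sha1":
        findings.append("hash sha1: post recommends SHA-2, e.g. sha512")
    if opts.get("use-urandom") or not opts.get("use-random"):
        findings.append("keys from /dev/urandom: post recommends --use-random")
    return findings

# Constructed command lines: the defaults the post criticises, and its proposed settings.
WEAK_CMD = "cryptsetup open --type plain /dev/sdb1 data"
STRONG_CMD = ("cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 "
              "--iter-time 5000 --use-random open --type plain /dev/sdb1 data")
```

Running `audit(WEAK_CMD)` lists the cipher, hash and random-source findings, while `audit(STRONG_CMD)` returns an empty list.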
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt