On Fri, Feb 06, 2015 at 07:27:29PM +0100, Arno Wagner wrote:
> > (b) Assuming a secure passphrase, wouldn't plain mode be more
> > secure than luks against possible vulnerabilities in the hashing
> > algorithm that may be discovered in the future?
>
> No. First, plain mode also hashes. And second, basically all
> potential vulnerabilities of modern hash functions (collisions,
> reversing) do not apply to the use as password-hashing functions.
> You can hash passwords with MD5 and be perfectly secure, while MD5
> is fully broken for things like signing.

Thank you for answering my questions. I take your point about plausible deniability, but your remarks about hashing have raised further questions for me.

I had been given to understand that passphrase hashing makes a dictionary attack more costly or time consuming by forcing the attacker to evaluate the hash function for each passphrase attempted, and I have just checked the FAQ for confirmation. It would seem to follow that a hash algorithm sufficiently prone to collisions would diminish security by not taking full advantage of the available key space, possibly to the point of making a well informed search of the key space more practical than a dictionary attack.

In the degenerate case of a totally stupid hash algorithm that hashes every passphrase to exactly the same key, the attacker need only try that particular key and not even evaluate the hash function. In a less extreme case where the algorithm maps low entropy passphrases to some keys with higher probability than others, some of the attacker's work is done for him if he starts with the more probable keys.

My conclusion would have been that if the passphrase is initially at least as secure as a random key, then hashing can never increase security but may decrease it. If this is a misconception, can you please correct it?

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
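The two arguments in the message above, that iterated hashing multiplies the attacker's per-guess cost and that a colliding hash shrinks the key space the attacker must search, can be made concrete. The following is an added example written for this page, not code from the thread, from the dm-crypt FAQ or from cryptsetup. PBKDF2-HMAC-SHA256 stands in for the iterated passphrase hash; the wordlist, the fixed salt and the candidate passphrases are constructed; `degenerate_kdf` and `narrow_kdf` are hypothetical, deliberately broken KDFs built to match the thought experiment in the post.

```python
import hashlib
import hmac
import time

# Constructed sample data: a tiny wordlist standing in for an attacker's
# dictionary (real ones run to millions of entries) and a fixed salt so
# that the results are repeatable.
WORDLIST = [
    "password", "letmein", "hunter2", "correct horse battery staple",
    "qwerty", "123456", "dragon", "baseball", "iloveyou", "trustno1",
]
SALT = b"\x00" * 16
# Constructed larger candidate set, used to show collisions by pigeonhole.
MANY_CANDIDATES = ["pass%04d" % n for n in range(1000)]


def derive_key(passphrase: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Iterated passphrase hash (PBKDF2-HMAC-SHA256, 256-bit key).
    Every guess costs the attacker `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=32)


def degenerate_kdf(passphrase: str) -> bytes:
    """Hypothetical broken KDF from the post: every passphrase maps to
    the same key, so the attacker tries one key and never hashes."""
    return b"\x42" * 32


def narrow_kdf(passphrase: str) -> bytes:
    """Hypothetical KDF that keeps only one byte of a good hash: at most
    256 distinct keys exist, whatever entropy the passphrases carry."""
    return hashlib.sha256(passphrase.encode()).digest()[:1] * 32


def effective_key_space(kdf, candidates) -> int:
    """Distinct keys an attacker must try to cover every candidate
    passphrase. KDF collisions push this below len(candidates), which is
    the narrowing the post is worried about."""
    return len({kdf(p) for p in candidates})


def dictionary_attack(target_key: bytes, iterations: int, candidates):
    """Run each candidate through the KDF and compare in constant time.
    Returns (passphrase or None, number of guesses made)."""
    for n, guess in enumerate(candidates, 1):
        if hmac.compare_digest(derive_key(guess, iterations), target_key):
            return guess, n
    return None, len(candidates)


def attack_cost(iterations: int, candidates=WORDLIST) -> float:
    """Seconds to exhaust the wordlist against a key not in it; the cost
    scales linearly with the iteration count, which is the whole point
    of iterating."""
    target = derive_key("not in the list", iterations)
    start = time.perf_counter()
    dictionary_attack(target, iterations, candidates)
    return time.perf_counter() - start


if __name__ == "__main__":
    good = lambda p: derive_key(p, 1)
    print("distinct keys, PBKDF2:   ", effective_key_space(good, MANY_CANDIDATES))
    print("distinct keys, narrow:   ", effective_key_space(narrow_kdf, MANY_CANDIDATES))
    print("distinct keys, degenerate", effective_key_space(degenerate_kdf, MANY_CANDIDATES))
    print("found:", dictionary_attack(derive_key("hunter2", 1000), 1000, WORDLIST))
    print("cost @1 iter:      %.6fs" % attack_cost(1))
    print("cost @100000 iter: %.6fs" % attack_cost(100_000))
```

With a collision-resistant 256-bit KDF the distinct-key count equals the number of distinct passphrases, so the attacker has no cheaper route than running every candidate through the full iteration count. Only a KDF with a structural defect (the constructed `narrow_kdf`, or the post's all-to-one case) lets an attacker enumerate outputs instead of inputs; for an unbroken 256-bit hash, the chance of any collision among a feasible number of passphrase guesses is negligible, so the number of distinct keys the attacker has to consider is bounded by the number of guesses, not by the hash.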