I guess it is the typical misconception the OP fell for. Tradional PW hashing works like: PW->hash->store digest (well hopefully the PW is salted a priori). So any collision will obviously yield a proper auth. In contrast, with LUKS the digest is used for key candidate verification. so key->hash->digest check. Check is positive, key is accepted, yet it will naturally give unuseable data instead of cleartext, as it is not the correct key. Wasn't there a section in the FAQ explaining this more thoroughly? Maybe the section is not 'foolproof' enough as this issue keeps recurring? Regards -Sven On Wed, March 11, 2015 21:06, Arno Wagner wrote: > On Wed, Mar 11, 2015 at 20:16:09 CET, Martin, David K. wrote: >> I have a question about dmcrypt. If the MK digest is the output of SHA1, >> wouldn't the master key be the weakest point the the setup? SHA1 one >> only >> provide 80 bits of security and that can't be changed. > > First, sha1 provides 160 bits for the use at hand. Second, the > master key is derived from /dev/(u)random and as good as the platform > allows. And third, the MK digest is the result of 1000 iterations of > pbkdf2 with sha1. > > I do not follow your argument at all. > >> All an attacker have to do is seek a collision in SHA1 to get the master >> key.. > > No. An attacker has to _reverse_ sha1, which is far, far harder. > Against reversing, SHA1 is secure at this time. > >> There would be absolutely no point in going after the password >> especially if you use a 512 bit hash like SHA512 or WHIRLPOOL. Those two >> provide 256 bits of security. The 80 bits of security for the master key >> is >> the weak point in the setup. > > Seriusly, they would _not_ be more secure. In fact, a longer hash > would possibly leak _more_ of the master key. As SHA1 has only > 160 bits, it could not leak more than 160 bits of a 256 bit or 512 bit > key. At the same time SHA512 could leak the full key. > >> >> Am I understanding that right? > > Sorry, but not at all. You should look again at what specific > scenarios SHA1 is broken for. The use in cryptsetup is not among > them. All breaks of sha1 at this time need at least to know one > input, but usually have to _selevt_ both inputs to sha1. In > cryptsetup for the MK hash, the unoyt is unknown to the attacker > and cannot be selected by the attacker either. > > Arno > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx > GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D > 9718 > ---- > A good decision is based on knowledge and not on numbers. -- Plato > > If it's in the news, don't worry about it. The very definition of > "news" is "something that hardly ever happens." -- Bruce Schneier > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt > _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
