On Wed, Mar 11, 2015 at 21:42:56 CET, Sven Eschenberg wrote: > I guess it is the typical misconception the OP fell for. > > Tradional PW hashing works like: PW->hash->store digest (well hopefully > the PW is salted a priori). So any collision will obviously yield a proper > auth. Yes, looks like it. But sha1 is not broken for hash-only collisions (i.e. "weak" reversing) at this time either. Not even MD5 is, AFAIK. So even with that, there would be no problem. Add to that that we are using iterated hashing, and any problem vanishes. LUKS is really a very conservative design. > In contrast, with LUKS the digest is used for key candidate verification. > so key->hash->digest check. Check is positive, key is accepted, yet it > will naturally give unuseable data instead of cleartext, as it is not the > correct key. Depends. It may stil be the correct one. But yes, the attack is more complicated as you need to find all collisions, not just one and the value actually checked does not get any entropy-reduction unlike the password case. That is a far more difficult attack. In particular, if you use the current defaults, you have a 512 bit key in total. Even if SHA1 were fully reversible, it could not leak more than 160 bits of entropy and hence you would still have something like 350 bits. A more conservative estimate would say 80 bits of the key and 80 bits of the XTS "seed value" (forgot the name) would leak, hence reducing key strength to 160 bit or the like. All quite secure at this time. Even the absolute worst-case where sha1 would leak 160 bits of the key and the XTS seed does not add any security would leave 96 bits of key intact and be secure at this time. > > Wasn't there a section in the FAQ explaining this more thoroughly? Maybe > the section is not 'foolproof' enough as this issue keeps recurring? There is just one that says sha1 is not broken for the uses in LUKS. As averybody has some variant of the possible misconceptions, I think it is better to answer them individually. Maybe I will expand on the FAQ item on SHA1 if the "sha1 is broken" messages get annoying. Gr"usse, Arno > Regards > > -Sven > > > > On Wed, March 11, 2015 21:06, Arno Wagner wrote: > > On Wed, Mar 11, 2015 at 20:16:09 CET, Martin, David K. wrote: > >> I have a question about dmcrypt. If the MK digest is the output of SHA1, > >> wouldn't the master key be the weakest point the the setup? SHA1 one > >> only > >> provide 80 bits of security and that can't be changed. > > > > First, sha1 provides 160 bits for the use at hand. Second, the > > master key is derived from /dev/(u)random and as good as the platform > > allows. And third, the MK digest is the result of 1000 iterations of > > pbkdf2 with sha1. > > > > I do not follow your argument at all. > > > >> All an attacker have to do is seek a collision in SHA1 to get the master > >> key.. > > > > No. An attacker has to _reverse_ sha1, which is far, far harder. > > Against reversing, SHA1 is secure at this time. > > > >> There would be absolutely no point in going after the password > >> especially if you use a 512 bit hash like SHA512 or WHIRLPOOL. Those two > >> provide 256 bits of security. The 80 bits of security for the master key > >> is > >> the weak point in the setup. > > > > Seriusly, they would _not_ be more secure. In fact, a longer hash > > would possibly leak _more_ of the master key. As SHA1 has only > > 160 bits, it could not leak more than 160 bits of a 256 bit or 512 bit > > key. At the same time SHA512 could leak the full key. > > > >> > >> Am I understanding that right? > > > > Sorry, but not at all. You should look again at what specific > > scenarios SHA1 is broken for. The use in cryptsetup is not among > > them. All breaks of sha1 at this time need at least to know one > > input, but usually have to _selevt_ both inputs to sha1. In > > cryptsetup for the MK hash, the unoyt is unknown to the attacker > > and cannot be selected by the attacker either. > > > > Arno > > -- > > Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx > > GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D > > 9718 > > ---- > > A good decision is based on knowledge and not on numbers. -- Plato > > > > If it's in the news, don't worry about it. The very definition of > > "news" is "something that hardly ever happens." -- Bruce Schneier > > _______________________________________________ > > dm-crypt mailing list > > dm-crypt@xxxxxxxx > > http://www.saout.de/mailman/listinfo/dm-crypt > > > > > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
