Re: some questions on dm-crypt/cryptsetup and LUKS2+integrity

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2018-11-20 at 17:05 +0100, Milan Broz wrote:
> For AF, any hash function is ok (it just diffuses the information
> to multiple sectors, this is a basic property all hash functions
> provide).
> 
> (AF makes no much sense with modern drives anyway, the slot
> encryption
> and KDF is where the security is important.) 
Well but here too, it would be good if cryptsetup warns for anything
that's not sane... e.g. if hash algo xyz would be not fine with the
KDF.

Or like when you said -plain64 shouldn't be used with AEAD... or
-random shouldn't be used with non-AEAD.


> I think LUKS key digest were discussed here several times and it is
> apparent
> candidate for FAQ.
> 
> No, it is not a weak point. Digest is just a convenient way how to
> check that
> candidate decrypted key form keyslot key is correct.
Ah I see.. well then it's clear of course.

> We are checking availability of encryption in kernel by calling
> encryption of one sector. But I did not yet implemented this function
> for AEAD modes. So it fails too late - yes, it is ugly, but we will
> fix it.
Well at least it already fails "properly"... i.e. giving an error
message and exit code non-0.


> You already found one nice bug (non-existant hash is written to
> metadata),
> and it was consequence of two issues. The first one is our apparent
> fault
> (missing check, despite TODO in code:-) and one very old bug in
> AF/LUSK1
> (this part of code is shared; it lost the error exit code, it
> otherwise
> failed much earlier).
> Fixed already in devel branch, but it need more review.

You've also noted that it seems to store bogus key-sizes?
Like when I did:
>cryptsetup --batch-mode --verbose --use-random --hash sha512 --pbkdf argon2id --cipher morus640-random --key-size 1024 --integrity aead --type luks2 luksFormat /dev/loop0 key
it gave:
>Keyslots:
>  0: luks2
>        Key:        1024 bits
but AFAIU, MORUS640 should always have 128, while for MORUS1280 it's
256, right?


Last thing I don't understand:
Why - despite of using e.g. MORUS - does it still give me aes-xts-
plain64 in the keyslot?:
>Keyslots:
>  0: luks2
>        Key:        512 bits
>        Priority:   normal
>        Cipher:     aes-xts-plain64
>        PBKDF:      argon2id
>        Time cost:  4
>        Memory:     1048576
>        Threads:    4

?

Thanks,
Chris.

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt



[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux