Re: LUKS passphrase question

On 9 Jul 2020 15:35 -0500, from adamjp@xxxxxxxxxxx (adam peterson):
> What is meant by passphrase strengthening exactly and how is it
> accomplished?

LUKS doesn't actually "strengthen the passphrase" per se. LUKS uses
the passphrase given to it by the user.

What's done is that the passphrase provided by the user is hashed, and
then the hash is hashed, and then that hash is hashed, and so on, for
a large number of iterations (normally somewhere in the range of low
hundreds of thousands to low millions of iterations; the exact value
depends on the performance of the system where the passphrase was set
and the iteration time selected at that time). The "passphrase" value
that actually gets used is the final output hash from this series of
hashing operations.

At least for LUKS 1, this is the number shown by "cryptsetup luksDump"
under "key slot" -> "iterations".

This means that even though a single hash iteration is quite fast, an
attacker has to run the hash function a large number of times for each
candidate passphrase that they want to check, thereby greatly slowing
down an attack on the passphrase itself. The effective increase in
difficulty of an attack on the passphrase becomes approximately
log2(n) bits, for an iteration count of _n_.

For example, if the passphrase iteration count is 500000, this adds a
work factor of approximately 19 bits on top of the actual strength of
the passphrase. For an 18-character [a-zA-Z0-9] passphrase selected
entirely at random, that's the difference between a work factor of
about 2^107 and about 2^126. (The latter being just about what AES-128
with a well-selected random key gets you against current publicly
known attacks.) Similarly, an eminently memorable, properly generated
six-word Diceware passphrase gives you a work factor on its own of
about 2^76, which might be within reach for a determined attacker;
with the same 500000 iterations, about 2^95, which is considerably
harder.

None of this excuses you from selecting a good passphrase, but it
_does_ mean that using a less than perfect passphrase isn't as bad as
it would otherwise be.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@xxxxxxxxxxx
 “Remember when, on the Internet, nobody cared that you were a dog?”

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
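
Added example, not part of the original message: a Python sketch of the work-factor arithmetic described above, together with a timing-based choice of iteration count. It uses PBKDF2, the key-slot KDF in LUKS 1; the SHA-256 hash, the sample passphrase and all function names are assumptions made for illustration.

```python
import hashlib
import math
import time

def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def stretch_bits(iterations: int) -> float:
    """Approximate extra work factor, in bits, for an iteration count n."""
    return math.log2(iterations)

def derive_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated derivation with PBKDF2-HMAC-SHA256 (hash choice is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)

def seconds_per_guess(iterations: int) -> float:
    """Time one derivation, i.e. what a single passphrase guess costs here."""
    start = time.perf_counter()
    derive_key(b"constructed-sample-passphrase", b"\x00" * 32, iterations)
    return time.perf_counter() - start

def calibrate(target_seconds: float, probe: int = 20_000) -> int:
    """Choose an iteration count taking about target_seconds on this machine."""
    return max(1000, int(probe * target_seconds / seconds_per_guess(probe)))

def work_factor(alphabet_size: int, length: int, iterations: int) -> tuple[int, int]:
    """(bits for the passphrase alone, bits including the iteration count)."""
    base = passphrase_bits(alphabet_size, length)
    return round(base), round(base + stretch_bits(iterations))

if __name__ == "__main__":
    # 18 characters drawn at random from [a-zA-Z0-9], i.e. 62 symbols
    alone, stretched = work_factor(62, 18, 500_000)
    print(f"18-char random: 2^{alone} alone, 2^{stretched} at 500000 iterations")
    # The count depends on the machine and the chosen time, as the message says
    n = calibrate(0.5)
    print(f"about 0.5 s per guess here: {n} iterations (+{stretch_bits(n):.1f} bits)")
    print(f"measured: {seconds_per_guess(n):.2f} s per guess")
```

The iteration count printed by calibrate() differs from machine to machine, which is why the same target time yields different "iterations" values in different key slots.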



