All of lore.kernel.org
 help / color / mirror / Atom feed
From: Milan Broz <mbroz@redhat.com>
To: "Jorge Fábregas" <jorge.fabregas@gmail.com>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] MK Digest Size
Date: Sun, 10 Jul 2011 20:17:04 +0200	[thread overview]
Message-ID: <4E19ECA0.6070508@redhat.com> (raw)
In-Reply-To: <4E19D356.7020504@gmail.com>


On 07/10/2011 06:29 PM, Jorge Fábregas wrote:
> I'm new to DM-Crypt/LUKS and I'm wondering why is it that, when I format
> a partition (luksFormat) using --hash sha256, I still get to see 20 HEX
> characters (160 bits) for the MK digest?  Shouldn't I see 32 HEX chars
> (256 bits)?   Or is that sha256 is used in the PBKDF2 process but the
> function is instructed to deliver just 160 bits?

Yes, it uses sha256 but only first 20 bytes is stored. This is limitation
of the current LUKS on-disk header (20 bytes was fixed length of SHA1).

MK digest is just for verification that decrypted key is correct,
20 bytes is enough for that.

> One final thing just to make sure:  is the algorithm that appears under
> "Hash spec" in the header..is this the same hash-algorithm used (along
> with PBKDF2) for the user-keys? as well as the one used with PBKDF2 for
> the MK digest?

Yes, hash algorithm in LUKS header is used in PBKDF2 and AF splitter.

> The man page says for the hash option:   ...used in LUKS key setup
> scheme and volume key digest.  So it appears that "Hash spec" is used
> for both...but then, I don't understand why I get just 160 bits when I
> specify sha256 :(

See above, header structure is fixed, change would mean binary incompatibility.
Only MK digest is limited here, in all other cases it uses real length of
hash.

Milan

  parent reply	other threads:[~2011-07-10 18:17 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-07-10 16:29 [dm-crypt] MK Digest Size Jorge Fábregas
2011-07-10 16:59 ` Jorge Fábregas
2011-07-10 18:17 ` Milan Broz [this message]
2011-07-10 18:26   ` Jorge Fábregas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4E19ECA0.6070508@redhat.com \
    --to=mbroz@redhat.com \
    --cc=dm-crypt@saout.de \
    --cc=jorge.fabregas@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.