* cryptsetup LUKS: Too low iteration count: only 14
From: doffloster @ 2022-08-13 15:50 UTC (permalink / raw)
To: cryptsetup
Hi all,
I was playing around with LUKS extension in cryptsetup and noticed
that the iteration count was 14 in my case.
The iteration time that I chose (arbitrarily) is 4123ms which is above
4 seconds!
So I was astonished to see an iteration count which is very low.
As far as I know, using a modern computer, the iteration count should
be above 100k.
Please see the attached log for the details - it contains two
operations: luksFormat and luksDump.
In the log, notice the following line:
> # Benchmark returns argon2id() 14 iterations, 1048576 memory, 4 threads (for 512-bits key).
Best regards,
David.
[-- Attachment #2: log.txt --]
[-- Type: text/plain, Size: 5580 bytes --]
# cryptsetup 2.4.3 processing "cryptsetup --verbose --debug --hash sha512 --key-size 512 --type=luks2 --iter-time=4123 --key-file /path/to/keyfile --key-slot 4 luksFormat /dev/sda1"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sda1.
# Trying to open and read device /dev/sda1 with direct-io.
# Initialising device-mapper backend library.
# File descriptor passphrase entry requested.
# Crypto backend (OpenSSL 3.0.2 15 Mar 2022 [default][legacy]) initialized in cryptsetup library version 2.4.3.
# Detected kernel Linux 5.15.0-25-generic x86_64.
# PBKDF argon2id, time_ms 4123 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Formatting device /dev/sda1 as type LUKS2.
# Auto-detected optimal encryption sector size for device /dev/sda1 is 512 bytes.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Checking if cipher aes-xts-plain64 is usable.
# Using userspace crypto wrapper to access keyslot area.
# Formatting LUKS2 with JSON metadata area 12288 bytes and keyslots area 16744448 bytes.
# Creating new digest 0 (pbkdf2).
# Setting PBKDF2 type key digest 0.
# Running pbkdf2(sha512) benchmark.
# PBKDF benchmark: memory cost = 0, iterations = 1260307, threads = 0 (took 26 ms)
# PBKDF benchmark: memory cost = 0, iterations = 1297742, threads = 0 (took 404 ms)
# PBKDF benchmark: memory cost = 0, iterations = 1288176, threads = 0 (took 814 ms)
# Benchmark returns pbkdf2(sha512) 1288176 iterations, 0 memory, 0 threads (for 512-bits key).
# Segment 0 assigned to digest 0.
# Wiping LUKS areas (0x000000 - 0x1000000) with zeroes.
# Wiping keyslots area (0x008000 - 0x1000000) with random data.
# Reusing open rw fd on device /dev/sda1
# Device size 256354795008, offset 16777216.
# Acquiring write lock for device /dev/sda1.
# Opening lock resource file /run/cryptsetup/L_8:1
# Verifying lock handle for /dev/sda1.
# Device /dev/sda1 WRITE lock taken.
# Trying to write LUKS2 header (16384 bytes) at offset 0.
# Reusing open rw fd on device /dev/sda1
# Checksum:1282e43e17308089e5f8e49399bf3c7823955afd160d32fe2ba453b894e8e14c (in-memory)
# Trying to write LUKS2 header (16384 bytes) at offset 16384.
# Reusing open rw fd on device /dev/sda1
# Checksum:a85bba72121e5fd798ac37ce54a227c695bd956051eebfefce72c4444e3dd07a (in-memory)
# Device /dev/sda1 WRITE lock released.
# Adding new keyslot 4 using volume key.
# Adding new keyslot 4 with volume key assigned to a crypt segment.
# Selected keyslot 4.
# Keyslot 4 assigned to digest 0.
# Trying to allocate LUKS2 keyslot 4.
# Found area 32768 -> 290816
# Running argon2id() benchmark.
# PBKDF benchmark: memory cost = 65536, iterations = 4, threads = 4 (took 76 ms)
# PBKDF benchmark: memory cost = 215578, iterations = 4, threads = 4 (took 231 ms)
# PBKDF benchmark: memory cost = 233309, iterations = 4, threads = 4 (took 252 ms)
# PBKDF benchmark: memory cost = 1048576, iterations = 14, threads = 4 (took 4207 ms)
# Benchmark returns argon2id() 14 iterations, 1048576 memory, 4 threads (for 512-bits key).
# Calculating attributes for LUKS2 keyslot 4.
# Acquiring write lock for device /dev/sda1.
# Opening lock resource file /run/cryptsetup/L_8:1
# Verifying lock handle for /dev/sda1.
# Device /dev/sda1 WRITE lock taken.
# Checking context sequence id matches value stored on disk.
# Reusing open ro fd on device /dev/sda1
# Running keyslot key derivation.
# Updating keyslot area [0x8000].
# Reusing open rw fd on device /dev/sda1
# Device size 256354795008, offset 16777216.
# Device /dev/sda1 WRITE lock already held.
# Trying to write LUKS2 header (16384 bytes) at offset 0.
# Reusing open rw fd on device /dev/sda1
# Checksum:d09f881d2bb16c18d9cb7f81cdd336c5ce1a8238bb30a226bc143f5c17a11a8e (in-memory)
# Trying to write LUKS2 header (16384 bytes) at offset 16384.
# Reusing open rw fd on device /dev/sda1
# Checksum:16a865ad38430ce39a1132ffa341770b7693c13737be052f393a4ecd5119d062 (in-memory)
# Device /dev/sda1 WRITE lock released.
Key slot 4 created.
# Releasing crypt device /dev/sda1 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sda1.
# Closing read write fd for /dev/sda1.
# Unlocking memory.
Command successful.
Dumping header information on LUKS device "/dev/sda1":
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: ecf39d5e-6ad0-459d-8f16-26a534d3ddd8
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
4: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 14
Memory: 1048576
Threads: 4
Salt: 6d 36 02 3f e1 f2 a1 94 d9 ee c5 75 a2 79 73 e0
fd d8 b0 1a af 2d 04 e7 3c 2e c0 d6 fd e9 1e bf
AF stripes: 4000
AF hash: sha512
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha512
Iterations: 161022
Salt: 72 b2 9f 45 2d 43 68 1d d0 91 23 c1 63 72 3c 5e
78 9f 38 a6 cb b9 de 07 8c 01 36 b3 a2 3b 3f 51
Digest: aa 4c 5d 9d de c9 f6 45 cc 9e 40 b5 a5 ba 5a 5e
6a 0b ff da 0e 37 00 02 b2 42 5d 21 56 90 48 a8
b3 71 d9 88 69 90 98 df 09 73 11 01 02 f3 ba 9e
18 7e 48 49 0f ea 9a f9 4c 86 74 8e 48 6f 20 3c
* Re: cryptsetup LUKS: Too low iteration count: only 14
From: Milan Broz @ 2022-08-13 16:11 UTC (permalink / raw)
To: doffloster, cryptsetup
On 13/08/2022 17:50, doffloster@gmail.com wrote:
> Hi all,
>
> I was playing around with LUKS extension in cryptsetup and noticed
> that the iteration count was 14 in my case.
> The iteration time that I chose (arbitrarily) is 4123ms which is above
> 4 seconds!
> So I was astonished to see an iteration count which is very low.
> As far as I know, using a modern computer, the iteration count should
> be above 100k.
Please do not confuse iterations for PBKDF2 (default in LUKS1) with the memory-hard Argon2 KDF.
These are completely different algorithms; you cannot compare iteration costs here.
If you set 100k iterations with 1G memory cost for Argon2, you will get
an unlocking time that is perhaps in years... :-)
m.
* Re: cryptsetup LUKS: Too low iteration count: only 14
From: Michael Kjörling @ 2022-08-13 16:24 UTC (permalink / raw)
To: cryptsetup
On 13 Aug 2022 18:11 +0200, from gmazyland@gmail.com (Milan Broz):
>> the iteration count was 14 in my case.
>> The iteration time that I chose (arbitrarily) is 4123ms which is above
>> 4 seconds!
>
> Please do not confuse iteration for PBKDF2 (default in LUKS1) and memory-hard Argon2 KDF.
>
> These are completely different algorithms, you cannot compare iteration costs here.
14 iterations in 4123 ms is also about 300 ms per iteration, which
would not be at all unreasonable for password hashing. Compare [1]
which provides sample output from running the Argon2i reference
implementation for two iterations in 188 ms (with four parallel
threads) on unspecified hardware; the order of magnitude is certainly
about right.
[1] https://github.com/P-H-C/phc-winner-argon2/blob/master/README.md#command-line-utility
--
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
* Re: cryptsetup LUKS: Too low iteration count: only 14
From: Arno Wagner @ 2022-08-13 16:48 UTC (permalink / raw)
To: cryptsetup
On Sat, Aug 13, 2022 at 18:11:48 CEST, Milan Broz wrote:
> On 13/08/2022 17:50, doffloster@gmail.com wrote:
> > Hi all,
> >
> > I was playing around with LUKS extension in cryptsetup and noticed
> > that the iteration count was 14 in my case.
> > The iteration time that I chose (arbitrarily) is 4123ms which is above
> > 4 seconds!
> > So I was astonished to see an iteration count which is very low.
> > As far as I know, using a modern computer, the iteration count should
> > be above 100k.
>
> Please do not confuse iteration for PBKDF2 (default in LUKS1) and
> memory-hard Argon2 KDF.
>
> These are completely different algorithms, you cannot compare iteration
> costs here.
>
> If you set 100k iteration with 1G memory cost for Argon2, you will get
> unlocking time that is perhaps in years... :-)
Argon2 operates on a completely different iteration scale than
PBKDF2 by a factor of 100'000 or so.
A look into the documentation may help. If I remember correctly
the recommended minimal iteration count for Argon2 is 4.
Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: cryptsetup LUKS: Too low iteration count: only 14
From: Michael Kjörling @ 2022-08-13 19:35 UTC (permalink / raw)
To: cryptsetup
On 13 Aug 2022 18:11 +0200, from gmazyland@gmail.com (Milan Broz):
>> that the iteration count was 14 in my case.
>> The iteration time that I chose (arbitrarily) is 4123ms
>
> If you set 100k iteration with 1G memory cost for Argon2, you will get
> unlocking time that is perhaps in years... :-)
Out of curiosity, how did you arrive at the "years" order of
magnitude? Is there an exponential component involved somewhere when
increasing the iteration count?
Naively, OP's stated 14 iterations in 4123 ms is about 295 ms per
iteration (let's call it a nice and round 300 ms); 300 ms times 100K
is 30M ms = 30K s, or some eight hours. Certainly a good long while to
wait, but still a very far cry from even one year.
To get to a year at that performance, I'd expect an iteration count on
the order of 100M, not 100K, to be needed. (8 hours is about 1/1100 of
one year.)
--
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
* Re: cryptsetup LUKS: Too low iteration count: only 14
From: Milan Broz @ 2022-08-13 20:00 UTC (permalink / raw)
To: Michael Kjörling, cryptsetup
On 13/08/2022 21:35, Michael Kjörling wrote:
> On 13 Aug 2022 18:11 +0200, from gmazyland@gmail.com (Milan Broz):
>>> that the iteration count was 14 in my case.
>>> The iteration time that I chose (arbitrarily) is 4123ms
>>
>> If you set 100k iteration with 1G memory cost for Argon2, you will get
>> unlocking time that is perhaps in years... :-)
>
> Out of curiosity, how did you arrive at the "years" order of
> magnitude? Is there an exponential component involved somewhere when
> increasing the iteration count?
Ah, my bad, sorry.
It was more of a rhetorical note (I meant: it will take a very long time.)
It expects that the memory cost is the same, though.
Once you increase memory, it influences iteration time too.
The cryptsetup KDF benchmark tries to increase memory, then iterations,
but here it hits the 1G limit already.
Sorry for the confusion, I should be more exact :)
Milan
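
Added example, not part of any message in this thread and not cryptsetup code: a Python parser for the benchmark lines in the attached debug log, which works out the per-pass cost of the argon2id run and the projection discussed above. The function names are hypothetical, and the projection assumes time grows linearly with iterations at an unchanged memory cost; it uses the 4207 ms measured by the final benchmark step rather than the requested 4123 ms.

```python
import re

# Benchmark lines copied from the debug log attached to the first message.
LOG = """\
# PBKDF benchmark: memory cost = 0, iterations = 1288176, threads = 0 (took 814 ms)
# Benchmark returns pbkdf2(sha512) 1288176 iterations, 0 memory, 0 threads (for 512-bits key).
# PBKDF benchmark: memory cost = 65536, iterations = 4, threads = 4 (took 76 ms)
# PBKDF benchmark: memory cost = 215578, iterations = 4, threads = 4 (took 231 ms)
# PBKDF benchmark: memory cost = 233309, iterations = 4, threads = 4 (took 252 ms)
# PBKDF benchmark: memory cost = 1048576, iterations = 14, threads = 4 (took 4207 ms)
# Benchmark returns argon2id() 14 iterations, 1048576 memory, 4 threads (for 512-bits key).
"""

STEP = re.compile(r"PBKDF benchmark: memory cost = (\d+), iterations = (\d+), "
                  r"threads = (\d+) \(took (\d+) ms\)")
RESULT = re.compile(r"Benchmark returns (\w+)\(\w*\) (\d+) iterations, (\d+) memory")

def parse(log):
    """Group benchmark steps under the KDF named by the following 'returns' line."""
    runs, pending = {}, []
    for line in log.splitlines():
        if m := STEP.search(line):
            mem, it, thr, ms = map(int, m.groups())
            pending.append({"memory_kib": mem, "iterations": it,
                            "threads": thr, "ms": ms})
        elif m := RESULT.search(line):
            runs[m.group(1)] = {"iterations": int(m.group(2)),
                                "memory_kib": int(m.group(3)),
                                "steps": pending}
            pending = []
    return runs

def argon2_summary(run):
    """Per-pass cost of the final benchmark step and a linear projection."""
    last = run["steps"][-1]
    ms_per_pass = last["ms"] / last["iterations"]
    return {
        "ms_per_pass": ms_per_pass,
        # Each Argon2 pass fills the whole memory area once (memory is in KiB).
        "gib_filled": last["iterations"] * last["memory_kib"] / 2**20,
        # The 100k figure from the thread, at unchanged memory cost.
        "hours_at_100k": 100_000 * ms_per_pass / 1000 / 3600,
    }

if __name__ == "__main__":
    runs = parse(LOG)
    print("pbkdf2 iterations:", runs["pbkdf2"]["iterations"])
    print("argon2id:", argon2_summary(runs["argon2id"]))
```

The argon2id steps show the memory cost rising at 4 iterations until it reaches 1048576 KiB, after which only the iteration count grows.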