dm-crypt.saout.de archive mirror
* [dm-crypt] LUKS passphrase question
@ 2020-07-09 20:35 adam peterson
  2020-07-11 11:37 ` Michael Kjörling
  0 siblings, 1 reply; 2+ messages in thread
From: adam peterson @ 2020-07-09 20:35 UTC (permalink / raw)
  To: dm-crypt


Hello dm-crypt and LUKS team,

I have a simple question regarding a sentence I found on the Fedora wiki in their encryption section. Here's the quote: "LUKS does provide passphrase strengthening but it is still a good idea to choose a good (meaning "difficult to guess") passphrase."

What is meant by passphrase strengthening exactly and how is it accomplished?

Thank you,
- Adam Peterson


* Re: [dm-crypt] LUKS passphrase question
  2020-07-09 20:35 [dm-crypt] LUKS passphrase question adam peterson
@ 2020-07-11 11:37 ` Michael Kjörling
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Kjörling @ 2020-07-11 11:37 UTC (permalink / raw)
  To: dm-crypt

On 9 Jul 2020 15:35 -0500, from adamjp@mailbox.org (adam peterson):
> What is meant by passphrase strengthening exactly and how is it
> accomplished?

LUKS doesn't actually "strengthen the passphrase" per se. LUKS uses
the passphrase given to it by the user.

What's done is that the passphrase provided by the user is hashed, and
then the hash is hashed, and then that hash is hashed, and so on, for
a large number of iterations (normally somewhere in the range of low
hundreds of thousands to low millions of iterations; the exact value
depends on the performance of the system where the passphrase was set
and the iteration time selected at that time). The "passphrase" value
that actually gets used is the final output hash from this series of
hashing operations.

At least for LUKS 1, this is the number shown by "cryptsetup luksDump"
under "key slot" -> "iterations".

This means that even though a single hash iteration is quite fast, an
attacker has to run the hash function a large number of times for each
candidate passphrase that they want to check, thereby greatly slowing
down an attack on the passphrase itself. The effective increase in
difficulty of an attack on the passphrase becomes approximately
log2(n) bits, for an iteration count of _n_.

For example, if the passphrase iteration count is 500000, this adds a
work factor of approximately 19 bits on top of the actual strength of
the passphrase. For an 18-character [a-zA-Z0-9] passphrase selected
entirely at random, that's the difference between a work factor of
about 2^107 and about 2^126. (The latter being just about what AES-128
with a well-selected random key gets you against current publicly
known attacks.) Similarly, an eminently memorable, properly generated
six-word Diceware passphrase gives you a work factor on its own of
about 2^76, which might be within reach for a determined attacker;
with the same 500000 iterations, about 2^95, which is considerably
harder.

None of this excuses you from selecting a good passphrase, but it
_does_ mean that using a less than perfect passphrase isn't as bad as
it would otherwise be.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”
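
The iteration-count calibration and the log2(n) work factor described in the reply above, as an added example that is not part of the original thread or of cryptsetup's code. It uses PBKDF2, the key-derivation function LUKS1 uses; the SHA-256 hash, 32-byte salt, 1-second target and all function names are assumptions made for this sketch.

```python
import hashlib
import math
import os
import time


def derive_key(passphrase: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Run the iterated hashing (PBKDF2-HMAC-SHA256) over the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen)


def calibrate_iterations(target_seconds: float, probe: int = 20000) -> int:
    """Choose an iteration count so one derivation takes about target_seconds
    on this machine, which is why the stored count differs between systems."""
    salt = os.urandom(32)
    start = time.perf_counter()
    derive_key(b"benchmark passphrase", salt, probe)
    elapsed = time.perf_counter() - start
    return max(1000, int(probe * target_seconds / elapsed))


def random_passphrase_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a passphrase drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def stretched_bits(passphrase_bits: float, iterations: int) -> float:
    """Approximate attack cost in bits: passphrase strength plus log2(n)."""
    return passphrase_bits + math.log2(iterations)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real volume header.
    salt = os.urandom(32)
    n = calibrate_iterations(target_seconds=1.0)
    start = time.perf_counter()
    key = derive_key(b"correct horse battery staple", salt, n)
    took = time.perf_counter() - start
    print(f"calibrated iterations: {n} (one guess costs {took:.2f} s here)")
    print(f"derived key: {key.hex()}")

    # The 18-character [a-zA-Z0-9] case from the message, with 500000 iterations.
    base = random_passphrase_bits(62, 18)
    print(f"18 random alphanumerics: {base:.1f} bits, "
          f"stretched: {stretched_bits(base, 500000):.1f} bits")
```

Every candidate passphrase costs an attacker one full derivation, so the measured time per guess is the same cost the calibrated count imposes on them.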
