[Bug 1275380] [NEW] Cryptsetup still using SHA-1 as default hash for Debian Installer

asi 1275380 at bugs.launchpad.net
Sun Feb 2 07:37:47 UTC 2014 

On 02/02/2014 03:20 AM, Brian Knoll wrote:
> Public bug reported:
> 
> The SHA-1 hash has been, for years now, considered undesirable for new
> installations.  In Trusty, a new install using LUKS results in an
> installation using SHA-1 hashing, as can be demonstrated by using the
> following command:
> 
> cryptsetup luksDump <encrypted partition>
> 
> Please consider compiling the "cryptsetup" package to use a stronger
> default hash, perhaps SHA-256 or even SHA-512.
> 
> I think the option "--with-luks1-hash=sha256", for instance, should give
> us a SHA-256 default hash, which would be significantly more secure than
> our current default in Ubuntu.

No, it will not be "significantly more secure". You have to study how
is hash used in LUKS header before stating this.

Please read at least section 5.20 in FAQ
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions

Milan

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1275380

Title:
  Cryptsetup still using SHA-1 as default hash for Debian Installer

Status in “cryptsetup” package in Ubuntu:
  New

Bug description:
  The SHA-1 hash has been, for years now, considered undesirable for new
  installations.  In Trusty, a new install using LUKS results in an
  installation using SHA-1 hashing, as can be demonstrated by using the
  following command:

  cryptsetup luksDump <encrypted partition>

  Please consider compiling the "cryptsetup" package to use a stronger
  default hash, perhaps SHA-256 or even SHA-512.

  I think the option "--with-luks1-hash=sha256", for instance, should
  give us a SHA-256 default hash, which would be significantly more
  secure than our current default in Ubuntu.

  Thank you,
  Brian

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: cryptsetup 2:1.6.1-1ubuntu1
  ProcVersionSignature: Ubuntu 3.13.0-5.20-generic 3.13.0
  Uname: Linux 3.13.0-5-generic x86_64
  ApportVersion: 2.13.1-0ubuntu1
  Architecture: amd64
  Date: Sat Feb  1 21:04:28 2014
  InstallationDate: Installed on 2014-02-01 (0 days ago)
  InstallationMedia: Xubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140121.1)
  ProcEnviron:
   TERM=linux
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: cryptsetup
  UpgradeStatus: No upgrade log present (probably fresh install)
  crypttab: vda5_crypt UUID=d2509a89-e711-4419-93e2-37a71941d6b8 none luks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1275380/+subscriptions

More information about the foundations-bugs mailing list