[Bug 448918] Re: Insecure Cryptsetup defaults

ubuntu-crypto davexthc at gmail.com
Sun Oct 11 19:54:03 UTC 2009


** Tags added: weak

** Description changed:

  Binary package hint: cryptsetup
  
- The current version of cryptsetup only supports SHA1 for hashing passwords, this is very insecure cryptsetup 1.1.10rc2 fixes this problem. ( http://code.google.com/p/cryptsetup/downloads/list ) I know it is a Release Candidate, however I have thoroughly tested it, it is fully backwards-compatible, and has no bugs that i was able to detect, i even hacked at the LUKS header to see if it was *really * hashing the password with SHA512 (also tested with Whirlpool ans SHA256). Also the cbc-essiv mode is considered insecure compared to the new XTS mode, however I have seen no attacks on ESSIV. The new cryptsetup also adds an interesting feature: luksSuspend, it suspends active device (all IO operations are frozen) and wipes encryption key from kernel. Kernel  version 2.6.19 or later is required. This is very useful for suspending and hibernating a system ,especially a laptop so there is no risk of cold-boot. Anyway for cryptsetup I recommend these options (after a mailstorm with its developers , the Linux crypto mailing archive, chat in ##crypto, white papers, contact with the XTS kernel module developer, and even brief contact with Bruce Schneier. For cryptsetup 1.0.7 : cryptsetup -y  -i 15 -s 512 -h ripemd160 -c  aes-xts-benbi luksFormat /dev/sda5 [xts-benbi is the proper way to use XTS according to the developer of the module]  With cryptsetup 1.1.0rc2+ : cryptsetup -y  -i 15 -s 512 -h sha512 -c  aes-xts-benbi luksFormat /dev/sda5
+ The current version of cryptsetup only supports SHA1 for hashing passwords, this is very weak, cryptsetup 1.1.10rc2 fixes this problem. ( http://code.google.com/p/cryptsetup/downloads/list ) I know it is a Release Candidate, however I have thoroughly tested it, it is fully backwards-compatible, and has no bugs that i was able to detect, I even hacked at the LUKS header to see if it was *really * hashing the password with SHA512 (also tested with Whirlpool ans SHA256). Also the cbc-essiv mode is considered insecure compared to the new XTS mode, however I have seen no attacks on ESSIV. The new cryptsetup also adds an interesting feature: luksSuspend, it suspends active device (all IO operations are frozen) and wipes encryption key from kernel. Kernel  version 2.6.19 or later is required. This is very useful for suspending and hibernating a system ,especially a laptop so there is no risk of cold-boot. Anyway for cryptsetup I recommend these options (after a mailstorm with its developers , the Linux crypto mailing archive, chat in ##crypto, white papers, contact with the XTS kernel module developer, and even brief contact with Bruce Schneier. For cryptsetup 1.0.7 : cryptsetup -y  -i 15 -s 512 -h ripemd160 -c  aes-xts-benbi luksFormat /dev/sda5 [xts-benbi is the proper way to use XTS according to the developer of the module]  With cryptsetup 1.1.0rc2+ : cryptsetup -y  -i 15 -s 512 -h sha512 -c  aes-xts-benbi luksFormat /dev/sda5
  Explanation : "-i 15" The  number  of  milliseconds to spend with PBKDF2 password processing.  Increasing the time will lead to a  more  secure  password,  but also will take luksOpen longer to complete. This will help with weak passwords, the bigger the -i value the more  computing power it takes to use a brute-force attack.
  
  Additional notes: Where is the option to fill the encrypted LVM with
  /dev/urandom when done? This is critical ! Also a "zero" option to zero
  the disk before encrypting it, to get red of the sensitive data would be
  nice. (After all, what use is encryption when the files can be recovered
  by any scriptkiddie?)
  
  SHA1 is very easy to break, it was broken in 2005, and the attack
  weakens it to the point where it is 2,000 times less secure. That is a
  very serious break, and it has most likely been improved on since 2005.
  Ripemd160 is the other option,  while it is only 160 bits, it is secure
  to this date so it should suffice, and given it is the only other
  alternative to SHA1 in versions of cryptsetup under 1.1.0rc1 it is
  clearly the best choice (if using cryptsetup 1.1+ Whirlpool[512]. SHA256
  , or SHA512 are much better).
+ 
  http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
  
  http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
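Review bot: the rewritten first paragraph names the fixed release as "cryptsetup 1.1.10rc2", but the recommendation later in the same line says "1.1.0rc2+" and the SHA1 paragraph says "under 1.1.0rc1"; use the one version string that matches the linked download throughout, so a packager knows which release is being requested. The same line recommends "-i 15" while the explanation under it calls the value milliseconds and says a bigger value costs a brute-force attacker more, so the description should state the unit and the default it is being compared against; as written a reader cannot tell whether 15 raises or lowers the PBKDF2 work. The edit also leaves "ans SHA256" and the unclosed "(after a mailstorm" parenthesis in place.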

-- 
Insecure Cryptsetup defaults
https://bugs.launchpad.net/bugs/448918