Post AUld3Usi44p2LJs8fI by projectgus@aus.social
(DIR) Post #AUlA6XXZjm82mv5MiO by mjg59@nondeterministic.computer
2023-04-18T00:28:42Z
1 likes, 9 repeats
If you installed a Linux system with disk encryption more than a couple of years ago, there's a decent chance it's using a weak key derivation function and someone who cares enough would be in a position to brute-force it. https://mjg59.dreamwidth.org/66429.html has more details and instructions on how to update to a better KDF.
(DIR) Post #AUlBoeo2BZQA18NuGO by f00fc7c8@kind.social
2023-04-18T00:48:00Z
0 likes, 0 repeats
@mjg59 hmm, i wonder if my debian 12 install upgraded from a roughly year-old debian 11 is affected
(DIR) Post #AUlE3K3BpujNtgatwu by Anarcat@kolektiva.social
2023-04-18T01:13:13Z
0 likes, 0 repeats
@mjg59 i wonder if *any* current install (including Debian) has this setup right. this laptop has been set up in September 2022 with a Debian bookworm alpha installer, and it's still got PBKDF2... ouch.
(DIR) Post #AUlEEb2f0EdnmSiqfY by Anarcat@kolektiva.social
2023-04-18T01:15:14Z
0 likes, 0 repeats
@mjg59 and *actually* even running `sudo cryptsetup luksConvertKey /dev/whatever --pbkdf argon2id` on my system here doesn't change the Digests output in luksDump, what gives?
(DIR) Post #AUlEEbb2wO99V6oJGa by mjg59@nondeterministic.computer
2023-04-18T01:15:34Z
0 likes, 0 repeats
@Anarcat Ignore the digests field, that's not relevant
(DIR) Post #AUlEOqG5HbgVryt2Fk by tasket@infosec.exchange
2023-04-18T01:15:37Z
0 likes, 0 repeats
@mjg59 Good to raise this point. But the article assumes the encryption must have been broken. There are numerous other ways to get access to a computer's contents, ones which police heavily favor.
(DIR) Post #AUlEYNJjjwlh0S8nUu by Anarcat@kolektiva.social
2023-04-18T01:16:20Z
0 likes, 0 repeats
@mjg59 sigh, i read your post exactly the opposite of what it was supposed to mean, sorry :(
(DIR) Post #AUlEiWbY45kyhqJP5U by Anarcat@kolektiva.social
2023-04-18T01:12:27Z
0 likes, 0 repeats
@f00fc7c8 @mjg59 to figure out if you're affected, run this: `cryptsetup luksDump /dev/sda3 | grep -e Version` and `cryptsetup luksDump /dev/sda3 | grep PBKDF`. unless that says "2" and "argon2id", you are affected
(DIR) Post #AUlEiXBhtegEVzEHRo by f00fc7c8@kind.social
2023-04-18T01:17:21Z
0 likes, 0 repeats
@Anarcat @mjg59 '2' and 'pbkdf2'. so I guess I am affected!
(DIR) Post #AUlEiXRewLRNJSh1JQ by Anarcat@kolektiva.social
2023-04-18T01:18:43Z
0 likes, 0 repeats
@f00fc7c8 note that a previous reply of mine stated that you need to grep for Digests, that's explicitly what @mjg59 tells you *not* to do. in general, don't listen to me and listen to him
(DIR) Post #AUlEiXgY2zLm3deuWG by mjg59@nondeterministic.computer
2023-04-18T01:18:51Z
0 likes, 0 repeats
@f00fc7c8 @Anarcat No, that's actually fine. Do sudo cryptsetup luksDump /dev/sda3 | grep PBKDF: and see what that gives you.
(DIR) Post #AUlEsGkdrVuuQxDC7M by f00fc7c8@kind.social
2023-04-18T01:21:25Z
0 likes, 0 repeats
@mjg59 @Anarcat PBKDF: argon2i. yep.
(DIR) Post #AUlF1YkuIANUsZlXV2 by unixbhaskar@mastodon.social
2023-04-18T01:22:23Z
0 likes, 0 repeats
@mjg59 Thanks for writing!
(DIR) Post #AUlFCXShRTS63JU7AO by Anarcat@kolektiva.social
2023-04-18T01:21:40Z
0 likes, 0 repeats
@f00fc7c8 @mjg59 phew!
(DIR) Post #AUlFCY29JfoBpG4QQC by f00fc7c8@kind.social
2023-04-18T01:22:10Z
0 likes, 0 repeats
@Anarcat @mjg59 isn't it supposed to be argon2id?
(DIR) Post #AUlFCYj2kC7TyI8gHQ by mjg59@nondeterministic.computer
2023-04-18T01:23:28Z
0 likes, 0 repeats
@f00fc7c8 @Anarcat Yup. argon2i is better than PBKDF2, but doesn't attempt to be resistant to GPU-based attacks.
(DIR) Post #AUlFIs5DgZBTkIWPdA by gabriel@mastodon.samfira.com
2023-04-18T01:28:42Z
0 likes, 0 repeats
@mjg59 thanks for this!
(DIR) Post #AUlFOZpWSmy6s7tsJM by Anarcat@kolektiva.social
2023-04-18T01:27:28Z
0 likes, 0 repeats
@mjg59 i do wonder how one distribution (say Debian) is supposed to deal with this on upgrades... maybe we should add that to the release notes along with your procedure? i'm also considering doing such a procedure fleet-wide here... i can't help but think this is rather risky...
(DIR) Post #AUlFqDyfIui7CpMNWa by Zach777@fosstodon.org
2023-04-18T01:32:29Z
0 likes, 0 repeats
@mjg59 Great information. Boosting and replying so others see it.
(DIR) Post #AUlGcvhk1zbWisfVQW by bbhttt@fosstodon.org
2023-04-18T01:42:12Z
0 likes, 0 repeats
@mjg59 Upgraded mine last year and also deleted an extra unused keyslot. I was kinda worried that I'd bork the system, so I went through all the issues re luks2 first 😅 but in the end it was pretty painless.
(DIR) Post #AUlHwMZUSs21VOdi2i by ground024@freaknweekend.com
2023-04-18T01:55:57Z
0 likes, 0 repeats
@mjg59 Thanks for the information on LUKS keys. Extremely important especially for those using it as a cloud backup option.
(DIR) Post #AUlIP6KtuFC7YBWDho by 3v1n0@fosstodon.org
2023-04-18T02:01:57Z
0 likes, 0 repeats
@mjg59 @f00fc7c8 @Anarcat what kernel version requirements does argon2id have?
(DIR) Post #AUlLVlbvf1KFA4Lz84 by mjg59@nondeterministic.computer
2023-04-18T02:36:34Z
0 likes, 0 repeats
@3v1n0 @f00fc7c8 @Anarcat none, that part is handled in userland
(DIR) Post #AUlOLw89zclikrQwim by f00fc7c8@kind.social
2023-04-18T03:08:40Z
0 likes, 0 repeats
@mjg59 @Anarcat done! Computer successfully boots with argon2id as the PBKDF.
(DIR) Post #AUlbED1iaYUSFE49Wy by maco@wandering.shop
2023-04-18T05:33:03Z
0 likes, 0 repeats
@mjg59 heck, my main concerns about my encrypted Linux hard drives are:
1. Figuring out which drive in the stack of hard drives we should do something about came from my laptop
2. Whether a modern Ubuntu live CD or a VM on my laptop would still be able to decrypt it so I can pull off any data I failed to move 10 years ago… or do I need a 10 year old version of Ubuntu?
(DIR) Post #AUlc3kqCcyHnt1G5IW by c3manu@chaos.social
2023-04-18T05:41:39Z
0 likes, 0 repeats
@Anarcat @mjg59 I guess not having a result for 'PBKDF' at all is... not good, right? 😬
(DIR) Post #AUlc3lNsblDzZT0yn2 by mjg59@nondeterministic.computer
2023-04-18T05:42:23Z
0 likes, 0 repeats
@c3manu @Anarcat implies you're using V1, which is always PBKDF2
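The check Anarcat and mjg59 spell out above (grep the `PBKDF:` lines, ignore `Digests:`, and treat a `Version: 1` header as PBKDF2 regardless), plus the upgrade steps from the linked article, as an added example that is not from any post in the thread and not part of cryptsetup. The abridged `luksDump` outputs embedded below are constructed for the demo (no real salts or digests); the functions only read text and never touch a device, and the planned commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the thread or from cryptsetup): classify a LUKS
# header's key derivation from `cryptsetup luksDump` text and print the
# upgrade steps the thread and the linked article describe.
#
# Usage on a real system (needs root; nothing here modifies the device):
#   sudo cryptsetup luksDump /dev/sda3 | luks_kdf_check
#   luks_upgrade_plan "$(sudo cryptsetup luksDump /dev/sda3 | luks_kdf_check)" /dev/sda3

# Classify luksDump output read from stdin. Only the per-keyslot "PBKDF:"
# lines matter: the "Digests:" section of a LUKS2 header always says pbkdf2
# and is deliberately ignored, as mjg59 points out above.
luks_kdf_check() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2; exit }')
    case "$version" in
        1) echo luks1-pbkdf2; return 0 ;;   # LUKS1 keyslots are always PBKDF2
        2) ;;
        *) echo unknown; return 1 ;;
    esac
    # One KDF name per keyslot; the weakest slot decides the verdict,
    # because an attacker only needs to crack one of them.
    kdfs=$(printf '%s\n' "$dump" | awk '/^[[:space:]]*PBKDF:/ { print $2 }')
    if   printf '%s\n' "$kdfs" | grep -qx pbkdf2;   then echo luks2-pbkdf2
    elif printf '%s\n' "$kdfs" | grep -qx argon2i;  then echo luks2-argon2i
    elif printf '%s\n' "$kdfs" | grep -qx argon2id; then echo luks2-argon2id
    else echo unknown; return 1
    fi
}

# Print (do not run) the commands for a given verdict. The header backup
# comes first because luksConvertKey rewrites the keyslot in place.
luks_upgrade_plan() {
    status=$1; dev=$2
    case "$status" in
        luks2-argon2id) echo "# $dev: already argon2id, nothing to do"; return 0 ;;
        luks1-pbkdf2|luks2-pbkdf2|luks2-argon2i) ;;
        *) echo "# $dev: could not classify header, refusing to plan"; return 1 ;;
    esac
    echo "# WARNING: if /boot is inside $dev (encrypted /boot unlocked by GRUB), stop:"
    echo "#          GRUB cannot unlock argon2id and the system would become unbootable."
    echo "cryptsetup luksHeaderBackup $dev --header-backup-file /root/$(basename "$dev")-luks-header.img"
    if [ "$status" = luks1-pbkdf2 ]; then
        echo "cryptsetup convert $dev --type luks2    # LUKS1 -> LUKS2 first; argon2 needs LUKS2"
    fi
    echo "cryptsetup luksConvertKey $dev --pbkdf argon2id"
    echo "cryptsetup luksDump $dev | grep PBKDF:   # every keyslot should now say argon2id"
    echo "cryptsetup open --test-passphrase $dev   # confirm the passphrase still unlocks it"
}

# Constructed, abridged luksDump outputs for the demo (not captured from real disks).
SAMPLE_LUKS1='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512

Key Slot 0: ENABLED
        Iterations:             84000
Key Slot 1: DISABLED'

# Two keyslots, one already upgraded: the pbkdf2 slot still makes it "affected".
SAMPLE_LUKS2_MIXED='LUKS header information
Version:        2

Keyslots:
  0: luks2
        PBKDF:      argon2id
        Memory:     1048576
  1: luks2
        PBKDF:      pbkdf2
        Iterations: 101000
Digests:
  0: pbkdf2
        Iterations: 119348'

SAMPLE_LUKS2_ARGON2I='Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2i
Digests:
  0: pbkdf2'

# The Digests section says pbkdf2 here too; that is normal and must not count.
SAMPLE_LUKS2_ARGON2ID='Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
Digests:
  0: pbkdf2'

# Demo: classify each sample, then show the plan for the LUKS1 case.
for name in SAMPLE_LUKS1 SAMPLE_LUKS2_MIXED SAMPLE_LUKS2_ARGON2I SAMPLE_LUKS2_ARGON2ID; do
    eval "sample=\$$name"
    echo "$name -> $(printf '%s\n' "$sample" | luks_kdf_check)"
done
luks_upgrade_plan "$(printf '%s\n' "$SAMPLE_LUKS1" | luks_kdf_check)" /dev/sda3
```

The verdict is driven by the weakest keyslot on purpose: converting slot 0 while a forgotten recovery slot keeps PBKDF2 leaves the volume as crackable as before, which is why `luksConvertKey` is worth running (or the slot removed, as bbhttt did further down) for every enabled slot.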
(DIR) Post #AUlcQWx6Qon7TJLX5U by c3manu@chaos.social
2023-04-18T05:45:07Z
0 likes, 0 repeats
@mjg59 @Anarcat Yes it is V1, I just thought it should have a PBKDF entry as well.
(DIR) Post #AUlcc40hrXVxBXX0TI by schlink@hachyderm.io
2023-04-18T05:48:13Z
0 likes, 0 repeats
@mjg59 whoa. As of last summer, I know Tails was using LUKS v1 for encrypted persistent storage. We should check if that's changed!
(DIR) Post #AUld3Usi44p2LJs8fI by projectgus@aus.social
2023-04-18T05:53:13Z
0 likes, 0 repeats
@mjg59 Do you think there's room for the low-level tools to also make it easier to improve the security, rather than relying on distros to pick it up each time? For example, maybe a "luksOpen --auto-upgrade" option that opportunistically upgrades the key slot's KDF at unlock time if there's a stronger algorithm available and an empty slot to swap it safely. Or is that kind of "cleverness" too risky? (I've been thinking about this recently in the context of binding LUKS keys in the TPM, something that AFAIK no distros have implemented. The lower level tools support it but they're pretty rustic, resulting in quite a few bad or misleading examples and howtos online.)
(DIR) Post #AUldwbSdIvHifwx3uy by mjg59@nondeterministic.computer
2023-04-18T06:03:24Z
0 likes, 0 repeats
@projectgus I proposed that a few years ago and upstream were unconvinced - they'd rather it's an explicit action, even if that's in the form of the tooling grabbing the password once and using it twice
(DIR) Post #AUlh75kDrfgbMCs7cW by dymaxion@infosec.exchange
2023-04-18T06:38:40Z
0 likes, 0 repeats
@mjg59 Huh. This made me go look at the state of bitlocker, and it looks like that's stuck on low-round pbkdf with no config options. Need to look more closely when I'm actually awake, though
(DIR) Post #AUlhVxTBlcI2vulI9Y by Foxboron@chaos.social
2023-04-18T06:43:20Z
0 likes, 0 repeats
@mjg59 It's worth pointing out that people "replace" Secure Boot with an encrypted boot partition with Grub, which doesn't support argon2id, only PBKDF2.
(DIR) Post #AUlhrL7P2MkWMKlcI4 by mjg59@nondeterministic.computer
2023-04-18T06:47:18Z
0 likes, 0 repeats
@Foxboron cryptsetup has defaulted to at least argon2i since 2019, so the incompatibility here isn't novel.
(DIR) Post #AUll73fA0IbAiYkAAy by mjg59@nondeterministic.computer
2023-04-18T07:23:43Z
0 likes, 0 repeats
@marcan The number of PBKDF2 iterations depends on system benchmarking - on my i7-10510U I only get ~100000. Depending on the age of the system we could be looking at a default of 50k or less, which probably isn't enough to alter the calculations /that/ much. But we should also consider the possibility of dedicated hardware that could conceivably do better than a GPU, and maybe that adds an extra order of magnitude?
(DIR) Post #AUllG6QL6l4zt37kSe by mjg59@nondeterministic.computer
2023-04-18T07:25:35Z
0 likes, 0 repeats
@marcan But I'll also accept the argument that this case is simply not interesting enough to reveal that sort of capability? So yes, I agree that the likely scenarios are either a 20-character password that was actually pretty weak, or a password obtained through some other mechanism. Improving the KDF would provide protection in the former situation, but obviously wouldn't help the latter.
(DIR) Post #AUlm6XStoXoYoQKCIq by mjg59@nondeterministic.computer
2023-04-18T07:34:46Z
0 likes, 0 repeats
@marcan But given that updating the KDF is pretty straightforward, it seems worth just providing protection against one of those scenarios
(DIR) Post #AUlmFawkEw1aDRbSD2 by Rairii@haqueers.com
2023-04-18T07:36:10Z
0 likes, 0 repeats
@mjg59 i wonder if they found anything on the work computer (after dumping its bitlocker keytable as mentioned) that helped them attack the other one?
(DIR) Post #AUlmPDzCSdiPtwLLQ8 by dequbed@mastodon.chaosfield.at
2023-04-18T07:36:32Z
0 likes, 0 repeats
@mjg59 @marcan PBKDF#2 ASICs do exist and I would assume that a counter-terrorism unit of a police would have access to those. And yes, given that the round count depends on your CPU speed this could have been a very low one. But even so, brute forcing complex passwords is quite complicated, I would definitely presume some other attack vector first
(DIR) Post #AUloVsKXZhfEfkclFI by BenBen@chaos.social
2023-04-18T08:00:46Z
0 likes, 0 repeats
@mjg59 "better safe than sorry" @marcan
(DIR) Post #AUlplS4D5acRnzydaS by projectgus@aus.social
2023-04-18T08:15:49Z
0 likes, 0 repeats
@mjg59 Fair enough. I guess I can see where they are coming from, despite what's likely to be a worse overall security outcome.
(DIR) Post #AUlrrDqx34o1MreezA by Arios@meow.social
2023-04-18T08:38:33Z
0 likes, 0 repeats
@mjg59 Looks like systemd-cryptenroll always uses pbkdf2 when enrolling a tpm2-based key. Anyone know if there's a way to change the KDF (or whether this is even necessary in the case of a TPM2)?
(DIR) Post #AUls2XxGeOyStk0cIC by wagi@mastodon.social
2023-04-18T08:40:52Z
0 likes, 0 repeats
@mjg59 Thanks for the instruction. The backup was very useful... I was not able to convince grub to open my encrypted disk with the argon2id KDF (reinstalled grub etc). Converting it back to old KDF got my system back in working state. Well at least I have now luks2 :)
(DIR) Post #AUltU9slqSegIidTeK by mjg59@nondeterministic.computer
2023-04-18T08:56:32Z
0 likes, 0 repeats
@x_cli Yes, if humans are perfect, we don't need as much technology.
(DIR) Post #AUltbi8YsxMcZDchEm by mjg59@nondeterministic.computer
2023-04-18T08:57:30Z
0 likes, 0 repeats
@Arios Given the specific setup there I don't /think/ it matters - the KDF is fairly irrelevant if the input is high entropy to begin with, which passwords aren't guaranteed to be
(DIR) Post #AUlv6xehL32Tcy7UQq by dequbed@mastodon.chaosfield.at
2023-04-18T09:14:43Z
0 likes, 0 repeats
@marcan @taziden @mjg59 uh, 20 random characters is about 122 bits of randomness, even with 100k rounds (so 200k SHA-2 ops) that's *far* off being harder than brute-force guessing the very likely 256-bit volume key. And ASICs *are* orders of magnitude faster than GPUs at breaking PBKDF2
(DIR) Post #AUlv6yLEmt4Bku1Sjo by mjg59@nondeterministic.computer
2023-04-18T09:15:51Z
0 likes, 0 repeats
@dequbed @marcan @taziden LUKS typically defaults to 128 bit volume keys
(DIR) Post #AUlvd85a59LJFm27Ae by dequbed@mastodon.chaosfield.at
2023-04-18T09:21:33Z
0 likes, 0 repeats
@mjg59 @marcan @taziden I could have sworn that the defaults were AES-CBC with 256 bits key for old cryptsetup, but I can't seem to find a source for that. But it seems that PBKDF2 using SHA-1 used to be the default too, which makes the whole calculation even worse. Definitely upgrade from that ^^
(DIR) Post #AUlxNLHFTs2vQm5fIe by mjg59@nondeterministic.computer
2023-04-18T09:41:08Z
0 likes, 0 repeats
@marcan @dequbed @taziden One of the homeworks I give is somewhat predicated on LUKS using aes-128, and none of my students have shown me evidence of it being aes-256 instead yet…
(DIR) Post #AUlxm0t2QfmNQkWvyq by dequbed@mastodon.chaosfield.at
2023-04-18T09:45:31Z
0 likes, 0 repeats
@mjg59 @marcan @taziden I mean it certainly *can* use AES with 256-bit keys. The question really is if it was using it and that depends on a lot of things. But in absolutely every case an upgrade to LUKS 2 and argon2id is advisable ^^
(DIR) Post #AUlzlsVrlKZ7Msks76 by OliverUv@mastodon.social
2023-04-18T10:07:39Z
0 likes, 0 repeats
@mjg59 Important note from the article! > Also, if you're using an encrypted /boot, stop now - very recent versions of grub2 support LUKS2, but they don't support argon2id, and this will render your system unbootable
(DIR) Post #AUm0RUOdojmEjbDX2u by puck@mastodon.nz
2023-04-18T10:15:10Z
0 likes, 0 repeats
@mjg59 @projectgus If they don't want to automagically fix, then at least displaying a warning after the drive is unlocked might be a handy thing!
(DIR) Post #AUm6gXuFeKexglZ7R2 by DrRac27@fosstodon.org
2023-04-18T11:24:47Z
0 likes, 0 repeats
@mjg59 it seems like I don't understand something here. I use argon2i and if I upgrade to -d the GPUs can't use 16k threads anymore but 24. Why should I care? That's less than 1000x, right? Isn't that negligible compared to the incredibly high number I have already? Like 1000×infinity=infinity?
(DIR) Post #AUm8Yhuyk4XmKbIOSO by chpietsch@digitalcourage.social
2023-04-18T11:46:06Z
0 likes, 0 repeats
@mjg59 Thank you for sounding the alert! I identified a minor issue with your otherwise nice explanation: According to my sources (man cryptsetup, #rfc9106), all #argon2 varieties are memory-hard. RFC 9106 is even titled “Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications”. However, given that there are known attacks against #argon2i, it seems wise to use #argon2id instead. It is also what is recommended in the RFC.

As a #QubesOS user, I just checked the state of affairs there: The cryptsetup that comes with QubesOS 3.x still used #luks1, and those who did an in-place upgrade to 4.x still have that unless they converted to #luks2 manually (as detailed in the migration guide). The cryptsetup in QubesOS 4.x uses #luks2, but it still defaults to #argon2i unfortunately.
(DIR) Post #AUmG1dqndvQXnG5KmO by cr_mode@ioc.exchange
2023-04-18T13:09:45Z
0 likes, 0 repeats
@mjg59 I'd need some source for this - "argon2i not resistant to GPU-based attacks". I've read RFC 9106 where Argon is specified and argon2i has more memory passes, better against time-memory tradeoff attacks. More in https://datatracker.ietf.org/doc/html/rfc9106#name-security-considerations so I don't need to paste it here. LUKS2 setting with Argon2i and 1 GB memory seems sufficient, but I don't have necessary GPUs to benchmark Argon2i vs Argon2id (like effect on caches). Authors suggest Argon2id for default generic environment. Though old PBKDF2 should be changed, definitely.
(DIR) Post #AUmJLfFwQW1zo55Gnw by Anarcat@kolektiva.social
2023-04-18T13:47:08Z
0 likes, 0 repeats
@mjg59 could you expand a bit on the actual possibility of cracking a PBKDF2 key derived 20-character password? last time i did that math, it would have taken something like more than 5 billion years for the bitcoin network to crack that... (math was https://gitlab.com/anarcat/crypto-bench/-/blob/master/benchpasswords.py)
(DIR) Post #AUmRi4xsK3nHXpph4a by frumble@chaos.social
2023-04-18T15:20:44Z
0 likes, 0 repeats
@schmittlauch ^^
(DIR) Post #AUmhY8hr9fZ3WIceTg by artemist@social.mildlyfunctional.gay
2023-04-18T18:17:24Z
0 likes, 0 repeats
@mjg59 @marcan @dequbed @taziden On my x86_64 NixOS system I just formatted a loop device with sudo cryptsetup luksFormat /dev/loop0 and no additional options. cryptsetup luksDump says that the cipher is aes-xts-plain64 with a 512 bit key, which the documentation suggests means AES256. I can't see any patches that change this in the repo.
(DIR) Post #AUmjGtJbKG3YlpBF7Q by cking@mastodon.world
2023-04-18T13:32:08Z
0 likes, 0 repeats
@marcan @mjg59 Agreed. A 20 character alphanumeric with symbols password has 123 bits of entropy. That should be extremely resilient (and 21 characters gives you 129 bits of entropy). So this really shouldn’t be cracked with brute force if randomly chosen. Even if the algorithm was MD5 rather than PBKDF2, it would have been secure
(DIR) Post #AUmjGtqZLgQaQ4bZVQ by mjg59@nondeterministic.computer
2023-04-18T18:37:43Z
0 likes, 0 repeats
@cking That's an extremely big "if"
(DIR) Post #AUmjViLUOOcX5o8E9Q by mjg59@nondeterministic.computer
2023-04-18T18:38:33Z
0 likes, 0 repeats
@Anarcat For a truly random 20 character password? The risk is extremely low. I have very little faith in people's ability to use truly random 20 character passwords.
(DIR) Post #AUmjqWJIKpMPqZ1gpM by envyniv@toot.community
2023-04-18T18:43:55Z
0 likes, 0 repeats
@mjg59 jokes on you i haven't set up disk encryption because i am a dumbass
(DIR) Post #AUmqCWdSPEB8x2Kii8 by whynothugo@fosstodon.org
2023-04-18T19:54:44Z
0 likes, 0 repeats
@mjg59 What are the risks of distributions trying to automate this on package update?
(DIR) Post #AUmqM2i8WGUP2P3muu by mjg59@nondeterministic.computer
2023-04-18T19:56:42Z
0 likes, 0 repeats
@f00fc7c8 @c3manu @Anarcat it's still memory expensive, so it's still significantly better than PBKDF2, but argon2id is the recommended one
(DIR) Post #AUmrPEaQvE0sh0Xi52 by mjg59@nondeterministic.computer
2023-04-18T20:08:49Z
0 likes, 0 repeats
@whynothugo Low, as long as /boot isn't encrypted
(DIR) Post #AUms7eZxe00w33VDhA by buxit@mastodon.online
2023-04-18T20:16:11Z
0 likes, 0 repeats
@mjg59 thank you for this very practical write up with clear instructions
(DIR) Post #AUmsIRZOLu4Ct1NiBk by cking@mastodon.world
2023-04-18T20:18:54Z
0 likes, 0 repeats
@mjg59 Yes. I set my password manager to 21 characters which gives about 129 bits of entropy (close to the 128 bit entropy I was looking for). But even 10 words of EFF's word list with 5 dice rolls gives 128-bit key protection.
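The entropy figures traded in the replies above (dequbed's 122 bits and 200k SHA-2 ops per guess, cking's 123 and 129 bits, the ten-word EFF passphrase, mjg59's 128-bit volume key and ~100k measured PBKDF2 iterations), worked through as an added derivation that is not from any post. The 72-symbol alphabet is an assumption chosen because it reproduces the 123-bit figure quoted; everything else uses numbers stated in the thread.

```latex
% Entropy of a password of L symbols drawn uniformly from an alphabet of size N
H = L \log_2 N

% Assumed 72-symbol alphabet (26+26+10 plus ten punctuation symbols)
H_{20} = 20 \log_2 72 \approx 20 \times 6.17 \approx 123 \text{ bits}, \qquad
H_{21} = 21 \log_2 72 \approx 129.5 \text{ bits}

% EFF long word list: 7776 = 6^5 words, ten of them
H_{\mathrm{EFF},10} = 10 \log_2 7776 = 50 \log_2 6 \approx 129 \text{ bits}

% PBKDF2-HMAC-SHA256 with c iterations costs about 2c compression calls per guess,
% and the expected search hits after half the space
W_{\mathrm{pw}} \approx 2^{H-1} \cdot 2c = 2^{H} c
\quad\Rightarrow\quad
W_{\mathrm{pw}} \approx 2^{123} \times 10^{5} \approx 2^{123 + 16.6} = 2^{139.6}

% versus exhausting a k-bit volume key directly (one AES trial per candidate)
W_{\mathrm{key}} \approx 2^{k-1} = 2^{127} \quad (k = 128)

% Guessing the password is the cheaper route whenever
H + \log_2 c < k
\quad\Rightarrow\quad
H < 128 - 16.6 \approx 111 \text{ bits} \quad \text{for } c = 10^{5}
```

Two things fall out of the last line. A genuinely uniform 20-character password (H ≈ 123) sits above the threshold, so the volume key, not the KDF, is the weakest link, which is why the 128-bit versus 256-bit discussion matters only in that case. A human-chosen 20-character password is modelled by the attacker's guess list rather than by H = L log2 N, and typically lands far below 111 bits; there the iteration count c is the only term the defender controls, and argon2id replaces the 2c hash calls with a per-guess time-and-memory cost that GPUs and ASICs amortise much less well. The same inequality also explains mjg59's TPM remark further up: a TPM-sealed secret has H in the hundreds of bits, so PBKDF2 is irrelevant for that slot.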
(DIR) Post #AUmx31MnzY9F2vxYFU by alxndr@hachyderm.io
2023-04-18T21:11:50Z
0 likes, 0 repeats
@mjg59 Thanks! Would you recommend increasing any of the parameters (apparently iterations/memory/threads), or are the defaults ok?
(DIR) Post #AUmxCn8vjL7jpO81ku by alxndr@hachyderm.io
2023-04-18T21:12:16Z
0 likes, 0 repeats
@mjg59 Thanks! Would you recommend increasing any of the parameters (iterations/memory/threads), or are the defaults ok?
(DIR) Post #AUsdU0tT1iYNGLadd2 by suqdiq@chaos.social
2023-04-21T15:00:59Z
0 likes, 0 repeats
@mjg59 great news for this volume i forgot the password for
(DIR) Post #AWG1ABZKQbrBcIUJGa by blallo@fosstodon.org
2023-06-01T19:36:27Z
0 likes, 0 repeats
@mjg59 The fine folks at Tails took the time to evaluate your considerations with their threat model: https://gitlab.tails.boum.org/tails/tails/-/issues/19615#note_212033 :tor: :tor: :tor:
(DIR) Post #AWG3wYC7oEKBb6pBKK by mjg59@nondeterministic.computer
2023-06-01T20:07:54Z
0 likes, 0 repeats
@blallo Nice!