A weak cryptoloop implementation in Linux?

Posted Jan 22, 2004 8:32 UTC (Thu) by error27 (subscriber, #8346) [Link]

This is a flaw, but it's not a back-door. "Back-door" implies malice and deliberate deceit. It's a bad word to use unless you want to offend someone.

The article explains salting, but the other part of the solution is in the "uniterated". Basically, you take the password and the salt and you hash them. Take that hash and hash it. Repeat the process as many times as you can in .2 seconds. Save the salt and the number of times you hashed the password and salt so you can check the password later.

If you use a 128 bit salt the attacker can't use a dictionary attack directly, but he can still test thousands of possible passwords in a second. With the extra hash iterations the attacker can only test 5 possible passwords in a second.

Posted Jan 22, 2004 11:00 UTC (Thu) by ekj (guest, #1524) [Link]

Secondly, this does nothing at all for the attacker who wants to crack a single encrypted filesystem. It <b>is</b> true that because of the lack of salt, an attacker who wants to crack a large number of encrypted filesystems has an advantage as he can calculate the encrypted version of the "likely" passwords only once instead of once for each filesystem as would be required with a salt.<p>

However, this ain't *that* horrible a vulnerability. First, it only helps by a factor of how many encrypted filesystems (of the same type) you want to crack. Secondly, it only helps for those passwords that are simple enough that they'll appear in a list of "likely" passwords. With current storage it's not reasonable to create dictionaries much larger than a terabyte. So, loosely, if your password is not among the most common billion passwords, you're in the clear. Choosing a good password is required for security anyways.<p>

All this means is, if you need real security, choose a password with more than 40 bits of real entropy in it, or a dictionary like this could be constructed and help crack it. Dictionaries with much more than 2^40 entries are unlikely to be practical at the moment. <p>

Offcourse 2^40 possible keys kan reasonably be brute-forced even without a dictionary as a one-off crack. So to guard against this you'd want a better password than this anyway.<p>

It's true that the set of passwords that can a) Be reasonably memorized and b) cannot reasonably be brute-forced is rapidly approaching zero. But that's a fundamental problem and has nothing in particular to do with the crypto-loop implementation.

Posted Jan 22, 2004 13:26 UTC (Thu) by macc (subscriber, #510) [Link]

Posted Jan 22, 2004 20:32 UTC (Thu) by oak (guest, #2786) [Link]

That should be pretty easy to implement...

Posted Jan 23, 2004 11:27 UTC (Fri) by paulsheer (guest, #3925) [Link]

/sbin/losetup -e AES128 /dev/loop0 FILE
Password: xxxx
Error: Password string must be at least 20 characters.

20 ascii characters is a 130 bit key.
if they are lower case only, and composed of whole
words (and, say, there are 10000 words to choose from)
then we have (10000^5) ~= 66 bits.

- this is a worst case, but long enough to be secure IMO.

My question is: was the loopback device ever MEANT to
be secure against a chosen plaintext attack? Surely not.
I believe it should be dead obvious to users
that a long key is essential because there is
no protocol protection.

Further the other vulnerabilities should
also be obvious: key snooping + memory snooping
during setup, etc. these are all *obvious* attacks that
the user ought to be aware of. Also you can't really be
protected against such attacks within the scope of what
such software is trying to provide.

the loopback device is possibly the best way of securing
your data because its simple and clean and basically as
as secure the block cipher you are using.

-paul

Posted Jan 23, 2004 16:21 UTC (Fri) by spudbeach (guest, #5837) [Link]

Oh, and should anybody not trust Juri, note that he has been the big guy in the loop-AES project for a couple of years, doing loop mounted crypto outside of the kernel. Yes, he does know what he's doing. And yes, I'm sticking with loop-AES, for at least a couple of years. [And BTW: loop-AES is by design free from this attack: rather than using a passphrase directly, a true random key is used, which is then encrypted with a passphrase -- hence, one more step between the passphrase and known plaintext.]

Steve Beach
GPG key ID 7675D05E

Posted Jan 30, 2004 20:57 UTC (Fri) by jmason (guest, #13586) [Link]

A good implementation, actually, would be to reserve a few bytes at the start of every block for a per-block salt value; along with a per-volume salt, that should cause quite a bit of difficulty for prospective attackers. ;)

But I definitely would agree with other posters, and not call this issue a "back door".

Posted Mar 23, 2004 2:53 UTC (Tue) by sproket (guest, #20386) [Link]

Posted Jun 20, 2004 19:23 UTC (Sun) by nj (guest, #22465) [Link]

The procedure:
Create and store a segment of random data equal in size to the data being encrypted.
XOR the user data with stored random data.
Encrypt both the random segment and the user data with conventional block cipher methods.

Since the user data was XORed with randomness, reminiscent of OTP, this would prevent usage of a precomputed dictionary against known plain text.

Posted Sep 13, 2004 13:38 UTC (Mon) by schander (guest, #24686) [Link]

In any event, there are very simple existing userland fixes that make cryptoloop invulnerable to this kind of dictionary attack:

1) The simplest method involves the use of true cryptographically-random strings (from /dev/random, for example) as the first-level passphrase; encrypt them with a hashed, second-level salted passphrase as the key, and store the encrypted first-level passphrase with the salt. To setup the cryptoloop, just decrypt the encrypted first-level passphrase and use it.

(This is the approach that is taken by both pam_mount, as well as pam_losetup from my project, qryptix. In both cases, the main goal is to use the standard Linux login password (even with insufficient entropy) as the second-level passphrase. But the lack of entropy in the second-level passphrase is compensated for by salting and hashing it, and using it to encrypt a truly-random first-level passphrase. Any dictionary attacks on the second-level passphrase cannot be precomputed, because of the salt. Computing it on the fly will require calculating the hash, which is designed to be very slow.)

It also helped that util-linux-2.11 had another layer of ripemd160 hashing on the passphrase supplied to it, allowing for further whitening (just in case the entropy in /dev/random was inadequate).

2) Cryptoloop is also modular - this also us to iterate it two or more times with independent first-level keys, effectively multiplying the length of the key by the number of iterations. This is also easily supported in userland; qryptix, for instance, supports the use of multiple-iterated cryptoloops fairly trivially (e.g. /dev/hda9<->/dev/loop0<->/dev/loop1...).

With either of these two existing precautions, dictionary-based known-plaintext attacks on the filesystem, of the kind that Jari Ruusu describes, are a complete non-starter.

I fervently hope that Andrew Morton doesn't drop cryptoloop support in 2.6 because of this FUD. Cryptoloop just works, simply and reliably. I haven't ever lost a single bit of data using HVR's 2.4 kerneli patches.