[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/5] Support Argon2 KDF in LUKS2
|
From: |
Milan Broz |
|
Subject: |
Re: [PATCH 0/5] Support Argon2 KDF in LUKS2 |
|
Date: |
Wed, 12 Feb 2020 08:18:32 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2 |
On 11/02/2020 22:53, Daniel Kiper wrote:
> Adding Milan, Leif, Alex, Peter, Mathew and Vladimir.
>
> On Thu, Feb 06, 2020 at 03:27:28PM +0100, Patrick Steinhardt wrote:
>> Hi,
>>
>> as promised back when LUKS2 support was merged, here's the code that
>> enables decrypting LUKS2 partitions that use Argon2 as their key derival
>> function. Most of this is simple legwork, but I expect two things to be
>> potentially controversial:
>>
>> - I've changed how EFI allocates memory. On my test systems, I was
>> only able to allocate roughly 800MB, which isn't enough for the
>> default of 1GB memory parameter that cryptsetup uses with Argon2.
>> Instead of taking a quarter of available memory, we now take half
>> of it, which amounts to ~1.6GB on 32 bit systems.
>
> That is huge for the bootloader. What about systems with less than 3 GiB of
> RAM?
> Could we reduce amount of RAM required by Argon2?
No, this is the principle of memory-hard function :)
The primary reason is to increase attacker cost for dictionary attacks.
Anyway, there are some limits in cryptsetup - we try to never use
more than half of physical memory and maximum is hard-compiled to 4GiB.
(But physical memory limit applies when formatting device, then
is stored in the LUKS2 keyslot header. So if you format it on device with
much larger RAM and it is later not available, it fails to open.
It is more complicated though - we have benchmark during format that prioritize
unlocking time, so PBKDF memory is usually decreased on low-memory systems
anyway.)
>
>> - The import of Argon2 itself. I've imported code from the
>> cryptsetup project, but I've modified it quite a bit to fit into
>
> Milan mentioned something about libgcrypt. Milan, when the Argon2 code
> may land in libgcrypt?
Once we have volunteer to implement it / port it to gcrypt :-)
BTW if you have embedded Argon2 code, you should also add some test vectors
to your testsuite.
(You can use these we have in cryptsetup - see tests/crypto-vectors.c)
Milan
- Re: [PATCH 3/5] disk: luks2: Add missing newline to debug message, (continued)
- [PATCH 1/5] efi: Allocate half of available memory by default, Patrick Steinhardt, 2020/02/06
- [PATCH 4/5] disk: luks2: Discern Argon2i and Argon2id, Patrick Steinhardt, 2020/02/06
- [PATCH 2/5] argon2: Import Argon2 from cryptsetup, Patrick Steinhardt, 2020/02/06
- [PATCH 5/5] disk: luks2: Support key derival via Argon2, Patrick Steinhardt, 2020/02/06
- Re: [PATCH 0/5] Support Argon2 KDF in LUKS2, Daniel Kiper, 2020/02/11
- [PATCH v2 0/6] Support Argon2 KDF in LUKS2, Patrick Steinhardt, 2020/02/20