[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v6 1/1] plainmount: Support plain encryption mode
|
From: |
Maxim Fomin |
|
Subject: |
Re: [PATCH v6 1/1] plainmount: Support plain encryption mode |
|
Date: |
Sat, 27 Aug 2022 20:50:30 +0000 |
------- Original Message -------
On Saturday, August 27th, 2022 at 5:05 PM, Glenn Washburn
<development@efficientek.com> wrote:
>
>
> On Sat, 27 Aug 2022 12:06:30 +0000
> Maxim Fomin maxim@fomin.one wrote:
>
> > Also, I am confused about maximum key data and password size allowed by
> > cryptomount.h. It
> > limits GRUB_CRYPTODISK_MAX_KEYLEN to 128, GRUB_CRYPTODISK_MAX_PASSPHRASE to
> > 256 and
> > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE to 8192. So, it looks like the passphrase
> > (before hashing)
> > is limited to 256 bytes, when it is hashed - it is limited to hash size,
> > which cannot be
> > larger than 128 bytes. Why then GRUB_CRYPTODISK_MAX_KEYFILE_SIZE is limited
> > to 8192 bytes
> > (or bits?)? Also, if password is not hashed (-h plain) then 129 byte
> > password becomes illegal,
> > because it is used directly as a key, which is limited to 128 bytes. Am I
> > correct?
>
>
> The max keyfile size 4096 bytes, and I believe that is the cryptsetup
> default compiled in maximum. Yes, an unhashed 129 byte password will be
> longer than the max key length, this is okay because it should just be
> truncated to keysize. Cryptsetup looks like it fails when the password
> using the plain hash is of length less than key size. If it is more
> than keysize, then its fine, it just copies up to keysize bytes.
>
> As far as keyfiles, plainmount is different than cryptomount, because
> keyfile data in plainmount is used as the encryption key, but in
> cryptomount its used as the password (ie the keyfile is hashed). I'm
> actually not sure if this conforms with cryptsetup, can you verify
> this? The documentation doesn't seem to specify.
>
Yes, it specified in man cryptsetup in this section:
NOTES
Passphrase processing for PLAIN mode
Note that no iterated hashing or salting is done in plain mode. If
hashing is done, it is a single direct hash. This means
that low-entropy passphrases are easy to attack in plain mode.
From a terminal: The passphrase is read until the first newline, i.e.
'\n'. The input without the newline character is
processed with the default hash or the hash specified with --hash. The
hash result will be truncated to the key size of the
used cipher, or the size specified with -s.
From stdin: Reading will continue until a newline (or until the maximum
input size is reached), with the trailing newline
stripped. The maximum input size is defined by the same compiled-in
default as for the maximum key file size and can be
overwritten using --keyfile-size option.
The data read will be hashed with the default hash or the hash specified
with --hash. The hash result will be truncated to
the key size of the used cipher, or the size specified with -s.
Note that if --key-file=- is used for reading the key from stdin,
trailing newlines are not stripped from the input.
If "plain" is used as argument to --hash, the input data will not be
hashed. Instead, it will be zero padded (if shorter than
the key size) or truncated (if longer than the key size) and used
directly as the binary key. This is useful for directly
specifying a binary key. No warning will be given if the amount of data
read from stdin is less than the key size.
From a key file: It will be truncated to the key size of the used cipher
or the size given by -s and directly used as a
binary key.
WARNING: The --hash argument is being ignored. The --hash option is
usable only for stdin input in plain mode.
If the key file is shorter than the key, cryptsetup will quit with an
error. The maximum input size is defined by the same
compiled-in default as for the maximum key file size and can be
overwritten using --keyfile-size option.
Btw, it says also about keydata being truncated.