Using iter-time doesn't give the desired timeout and security
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cryptsetup |
New
|
Undecided
|
Unassigned | ||
| cryptsetup (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
I have formatted using cryptsetup with option iter-time for use longer timeout than the default 2000ms. When I write 60000 I get 18 seconds and 10000 is 2 seconds. Something is terrible wrong.
To get a timeout closer to what I want I wrote this script, which is an except:
benchmarkiter
cryptsetup -q --key-file ${keyfileluks} luksFormat -i $(($cryptsetupt
timerstart=$(date +%s.%N)
cryptsetup -q --key-file ${keyfileluks} luksOpen $loopluks ${uuidluks}
timerend=$(date +%s.%N)
cryptsetup -q luksClose ${uuidluks}
timerdiff=$(bc -l <<< "($timerend-
timerfactor=$(bc -l <<< "$cryptsetuptim
timeoutnew=$(bc -l <<< "scale=0; ($cryptsetuptim
cryptsetup -q --key-file ${keyfileluks} luksFormat -i $timeoutnew -c aes -s 256 -h sha256 --uuid=${uuidluks} --use-random $loopluks
iterations=
iterationsper
if [ "$iterationsper
echo "Error too few iterations: $iterationspermsec"
exit 1
fi
First I benchmark the computer with rounds per second and then test the desired timeout. Then I compare the benchmark with the rounds per seconds got while testing and then calculates a new approximate value. Then I finally format the device. This gives better values.
At lines around 700 in keymanage.c master key digest is set to the 1/8 of the expected value:
/* Compute master key digest */
iteration_time_ms /= 8;
header-
At lines around 800 in keymanage.c about half of the timeout goes away:
/*
* Avoid floating point operation
* Final iteration count is at least LUKS_SLOT_
*/
PBKDF2_temp = (*PBKDF2_per_sec / 2) * (uint64_
PBKDF2_temp /= 1024;
if (PBKDF2_temp > UINT32_MAX)
PBKDF2_temp = UINT32_MAX;
hdr->keyblock[
Moreover one second are 1000 ms, not 1024.
Benchmarking of PBKDF always gives to low speed: (from pbkdf_check.c from line 54)
int crypt_pbkdf_
const char *password, size_t password_size,
const char *salt, size_t salt_size,
uint64_t *iter_secs)
{
struct rusage rstart, rend;
int r = 0, step = 0;
long ms = 0;
char buf;
unsigned int iterations;
if (!kdf || !hash)
return -EINVAL;
iterations = 1 << 15;
while (ms < 500) {
if (getrusage(
return -EINVAL;
r = crypt_pbkdf(kdf, hash, password, password_size, salt,
salt_size, &buf, 1, iterations);
if (r < 0)
return r;
if (getrusage(
return -EINVAL;
ms = time_ms(&rstart, &rend);
if (ms > 500)
break;
if (ms <= 62)
iterations <<= 4;
else if (ms <= 125)
iterations <<= 3;
else if (ms <= 250)
iterations <<= 2;
else
iterations <<= 1;
if (++step > 10 || !iterations)
return -EINVAL;
}
if (iter_secs)
*iter_secs = (iterations * 1000) / ms;
return r;
}
It is not as secure as you expect. You can decrypt the device with a master key.
https:/
| description: | updated |
| description: | updated |
| information type: | Private Security → Public Security |
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in cryptsetup (Ubuntu): | |
| status: | New → Confirmed |
| Jean-Louis Dupond (dupondje) wrote | #3 |
| asi (gmazyland) wrote | #4 |
| Marc Deslauriers (mdeslaur) wrote | #5 |
| asi (gmazyland) wrote | #6 |
> 60000 I get 18 seconds and 10000 is 2 seconds.
60000 / 10000 == 6.
2.1 * 6 == 12.6
2.2 * 6 == 13.2
..
2.9 * 6 == 17.4
Depending upon where exactly your 2.x seconds measurement for 10000 iterations landed, this makes perfect sense.
> Moreover one second are 1000 ms, not 1024.
This is an old trick -- dividing an integer by 1000 is a lot more work than dividing by 1024. If this is only done once it's a bit silly but if it is done in a tight loop it can have surprising impact on the performance.
Thanks