Re: geli key derivation function

From: John-Mark Gurney <jmg_at_funkthat.com>
Date: Wed, 19 Apr 2023 23:17:56 UTC
infoomatic wrote this message on Wed, Apr 19, 2023 at 11:47 +0200:
> After reading [1] I would like to approach the developers to improve
> geli's KDF. Currently PKCS#5 is used (RFC 2898 from the year 2000), it
> would be great if some developers agree that this could be improved and
> hopefully they have time to implement this. What is the best way to make
> this kind of feature request?

> [1] https://mjg59.dreamwidth.org/66429.html

I read it too, and after a bit of research on argon2, decided not to
do anything about it.  There's nothing in that post that provides
proof that PBKDF2 was broken, it wasn't even implied.

Just because it's old doesn't mean that it's insecure, etc.  Like
HMAC-SHA-1 is still considered secure despite the fact that SHA-1 is
broken[1].

One issue is that the function needs to work at boot, so large memory
allocations are not an option, also, at boot, only one thread of execution
is available, so can't use threads...

If anything, we should make it easier to increase the number of rounds,
that is, add an option (by default enabled) that on attach, if the
decryption took less than 1.5s, that geli immediately reencrypts the
key w/ a larger number of rounds (and overwrites the backup)...  This
would also make it easier to upgrade KDFs if a newer/better one is
added.

[1] https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."