From: John-Mark Gurney
To: infoomatic
Cc: freebsd-security@FreeBSD.org
Date: Wed, 19 Apr 2023 16:17:56 -0700
Subject: Re: geli key derivation function
Message-ID: <20230419231756.GM99783@funkthat.com>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security
infoomatic wrote this message on Wed, Apr 19, 2023 at 11:47 +0200:
> After reading [1] I would like to approach the developers to improve
> geli's KDF. Currently PKCS#5 is used (RFC 2898 from the year 2000); it
> would be great if some developers agree that this could be improved and
> hopefully they have time to implement this. What is the best way to make
> this kind of feature request?
>
> [1] https://mjg59.dreamwidth.org/66429.html

I read it too, and after a bit of research on argon2, decided not to do
anything about it.

There's nothing in that post that provides proof that PBKDF2 was broken;
it wasn't even implied. Just because it's old doesn't mean that it's
insecure, etc. Like HMAC-SHA-1 is still considered secure despite the
fact that SHA-1 is broken[1].

One issue is that the function needs to work at boot, so large memory
allocations are not an option. Also, at boot, only one thread of
execution is available, so it can't use threads...

If anything, we should make it easier to increase the number of rounds,
that is, add an option (enabled by default) so that on attach, if the
decryption took less than 1.5s, geli immediately re-encrypts the key w/
a larger number of rounds (and overwrites the backup)... This would also
make it easier to upgrade KDFs if a newer/better one is added.
[1] https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
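Added example, not code from the thread or from geli itself: a Python model of the attach-time round upgrade proposed in the reply. It assumes geli's PBKDF2 is instantiated with HMAC-SHA512 and a 64-byte key (an assumption), uses a constructed salt, keeps the 1.5 s threshold from the reply, and adds a per-attach growth cap (`MAX_GROWTH`, my own addition) so one attach never multiplies the re-encryption cost without bound.

```python
import hashlib
import time

# Constructed parameters: PBKDF2 with HMAC-SHA512 and a 64-byte output is
# assumed for geli here. TARGET_SECONDS is the 1.5 s threshold from the
# reply; MAX_GROWTH is an added bound so a single attach never scales the
# round count (and therefore the re-encryption time) without limit.
HASH_NAME = "sha512"
KEY_LEN = 64
TARGET_SECONDS = 1.5
MAX_GROWTH = 8


def derive_key(passphrase: bytes, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA512: single-threaded and low-memory, so it fits at boot."""
    return hashlib.pbkdf2_hmac(HASH_NAME, passphrase, salt, rounds, KEY_LEN)


def scale_rounds(rounds: int, elapsed: float,
                 target: float = TARGET_SECONDS, max_growth: int = MAX_GROWTH) -> int:
    """Round count to use next. If the last derivation already took at least
    `target` seconds, keep it; otherwise scale linearly toward `target`, but
    by at most `max_growth` per attach."""
    if elapsed >= target:
        return rounds
    if elapsed <= 0:                      # timer too coarse to measure: grow by the cap
        return rounds * max_growth
    wanted = int(rounds * target / elapsed)
    return min(rounds * max_growth, max(rounds + 1, wanted))


def attach_and_maybe_upgrade(passphrase: bytes, salt: bytes, rounds: int,
                             target: float = TARGET_SECONDS):
    """Model of the proposed attach path: time the derivation and, if it
    finished under `target`, re-derive with more rounds (where real geli
    would re-encrypt the master key and rewrite the backup)."""
    start = time.perf_counter()
    key = derive_key(passphrase, salt, rounds)
    elapsed = time.perf_counter() - start
    new_rounds = scale_rounds(rounds, elapsed, target)
    if new_rounds == rounds:
        return rounds, key, False          # (rounds in use, key, upgraded?)
    return new_rounds, derive_key(passphrase, salt, new_rounds), True


if __name__ == "__main__":
    salt = bytes(range(32))               # constructed salt, not real geli metadata
    r, k, up = attach_and_maybe_upgrade(b"correct horse", salt, 10000, target=0.05)
    print(f"rounds={r} upgraded={up} key={k.hex()[:16]}...")
```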