Pipes password from kdialog to geli attach

Christian Baer christian.baer at uni-dortmund.de
Mon Sep 24 04:43:32 PDT 2007 

On Mon, 24 Sep 2007 11:19:02 +0200 Pawel Jakub Dawidek wrote:

>> > BTW. sha256 is not needed.
>> Could be a good idea though when mounting several providers with one
>> keyfile/passphrase combination - if they are "salted".
> GELI already provides additional salt and pass passphrase/keyfiles
> through HMAC function.

Ok, my bad. I didn't mean the salt provided by geli, but this:

echo "SeCuRE01${password}sEcUre01" | sha256 | geli attach -p -k - /dev/ad0s1e
      ^^^^^^^^           ^^^^^^^^

The underlined Stuff is the "salt". Not quite politically correct, but I
couldn't really think of anything better to call it.

> It's not about salt. The idea is to call HMAC some number of times on
> the passphrase and use the result. I use 131072 iterations with my
> passphrase, this means that to brute-force my passphrase an attacker
> needs 2^17 more steps to do for each password he wants to try.
> It takes about 2 seconds to calculate the key out of my passphrase
> because of those 2^17 steps.

If I understand you correctly, you are not actually adding more security
to the passphrase but just making sure that each attack ist sufficiently
expensive, meaning each attack takes about two seconds.

How exactly do you do this? IIRC geli doesn't do this by itself.

> He can of course brute-force the result, but it's more or less totally
> random and for HMAC/SHA256 he has 2^256 steps to do.

Well, not really 2^256 steps, just as many as it takes to find the right
one. :-) We have 2^256 combinations but it is pretty unlikely that an
attacker will have to go through all of them to find the correct one.

But let's be optimistic about an attack. Say we need 2^128 of them to find
the right "result" and one attack takes 10ms (which makes 100 tries per
second). Then it would still take

2.589.667.936.993.443.405.352.926.997.197 *years*

to break open the code - if I didn't mess something up on my calculator. :-)
Just as a reference: our universe is estimated to be about 

15.000.000.000 years old.

An attacker will have to get *really* lucky or find a weakness in
Rijndael.

> We are planning to create graphic front-end to the GEOM in my company in
> python, but feel free to do a geli front-end as well:)

How concrete are these plans? I don't really think this is something that 
competition would help with. Sure, there is always more than one solution
for a problem but this problem isn't really one that is crying out for
several ones.

Are you only planning on doing this "some day in the future"? Do you
already have a roadmap? Is this for all of GEOM, including GELI? I realise
that you can't share the details, I just want to avoid duplicating your
work.

Regards
Chris

More information about the freebsd-geom mailing list