8

Garrett: PSA: upgrade your LUKS key derivation function

 1 year ago
source link: https://lwn.net/Articles/929343/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Garrett: PSA: upgrade your LUKS key derivation function

[Posted April 18, 2023 by corbet]
Matthew Garrett points out that many Linux systems using encrypted disks were installed with a relatively weak key derivation function that could make it relatively easy for a well-resourced attacker to break the encryption:
So, in these days of attackers with access to a pile of GPUs, a purely computationally expensive KDF is just not a good choice. And, unfortunately, the subject of this story was almost certainly using one of those. Ubuntu 18.04 used the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id.

The article includes instructions on how to (carefully) switch an installed system to a more secure setup.

(Log in to post comments)

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 15:33 UTC (Tue) by gray_-_wolf (subscriber, #131074) [Link]

Can GRUB read LUKS2 these days or is that still not the case?

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 15:35 UTC (Tue) by gray_-_wolf (subscriber, #131074) [Link]

Ah, I should read before asking. LUKS2 is supported, but not argon2id. Shame.

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 17:58 UTC (Tue) by dmoulding (subscriber, #95171) [Link]

And even though GRUB2 supports unlocking LUKS2 volumes, the grub-install utility is yet to be updated to be able to correctly and automatically generate a core image that contains everything needed to unlock them. So users wishing to use LUKS2 encrypted boot volumes must do some manual work to create and install a working core image (which can be daunting for those unfamiliar with how GRUB works).

As far as argon2id support, the boot volume can be encrypted using PBKDF2, while using argon2id on all other volumes. This will usually lead to needing to enter two passwords to unlock the machine (one for the bootloader and one for the rest of the system), but works and is an option for anyone who'd like to use argon2id for volumes that matter (often, the boot volume doesn't have anything interesting on it so a weak KDF -- or even no encryption at all -- might not be a big deal).

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 15:34 UTC (Tue) by intgr (subscriber, #39733) [Link]

While switching to Argon2id is certainly good advice, even the old LUKS defaults for PBKDF2 were already very strong.

The default is to use enough iterations so unlocking takes 2 seconds worth of time on the host CPU. On my 2019 mid-range CPU that's 3,591,012 iterations. Even with a netbook CPU you should be pushing 1 million.

For comparison, LastPass got in hot water for still having users' passwords with various old defaults: 1 iteration or 500 or 5000 or 100,100. They now recommend 600,000 iterations.
Django web framework also defaults to 600,000 (to be fair, this is a DoS vector, so webapps probably don't want to go unnecessarily high).

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 15:46 UTC (Tue) by 5fdb1f (subscriber, #156654) [Link]

Unfortunately it's not really practical to ask a user to type in 128 bits of binary every time they want to unlock their drive, so another approach has to be taken.

My personal philosophy is: Why not? I only need to memorize two passwords (laptop and KeePass), so I might as well make them as hard as possible. I generated them with the equivalent of: 

$ </dev/random base64 | head -c 20

and then spent the next 10-15 minutes committing them to memory. It's not easy, but it's doable. I know I'm safe even if I accidentally use md5 as a KDF, because the passwords themselves have over 128 bits of entropy.

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 16:48 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link]

My personal philosophy is: Why not?

Because most people are terrible at memorizing that kind of thing. If you can, more power to you, but most people can't. If they try, they'll be at constant risk of forgetting their password, which is a serious security failure in itself. This is a critical point: for most users, KDF-based attacks on their LUKS password are largely theoretical. They only matter if someone steals their device and is willing to put a lot of effort into cracking it. In contrast, forgetting one's password and being locked out of a critical device is a constant, real problem. Practical security should focus more on common, boring problems than rare, dramatic ones.

That's not to say nobody should bother upgrading their KDF. Swapping out a weaker function for a stronger one is exactly the kind of behind-the-scenes change system designers should be doing. It will improve security with no substantial user-visible change. As long as users are careful about it so they don't lock themselves out, switching in place seems like a good plan, too.

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 15:57 UTC (Tue) by flussence (subscriber, #85566) [Link]

A few years ago I read a similar thing about GPG having weak KDF defaults. I don't know if or when they changed that, but in any case existing keys aren't going to fix themselves — let this be an extra reminder.

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 18:06 UTC (Tue) by Smon (subscriber, #104795) [Link]

It seams like systemd-cryptenroll still uses pbkdf2. Is this considered insecure if used with a tpm2 and a pin?

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 20:53 UTC (Tue) by berto (subscriber, #58604) [Link]

systemd-cryptenroll generates a random key to encrypt the LUKS volume so the KDF function does not matter much. The key is sealed by the TPM and protected with a pin. The TPM limits the number of attempts to get the key to one every 10 minutes or so (it's configurable), making dictionary or brute-force attacks impractical (as long as the pin is not too short or simple).

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 21:02 UTC (Tue) by lunaryorn (subscriber, #111088) [Link]

The KDF doesn't really matter if the input is already a strong key, such as a truly random recovery key or anything that comes out of FIDO, TPM, etc. You could use these directly as keys, if only cryptsetup let you (t doesn't, LUKS2 always wants a KDF).

If you enroll a passphrase systemd-cryptenroll will pick argon2id, at least in recent versions.

Garrett: PSA: upgrade your LUKS key derivation function

Posted Apr 18, 2023 21:17 UTC (Tue) by pebolle (subscriber, #35204) [Link]

TL;DR.

Don't be an anarchist (or be influenced by whatever other utopian philosophy is in vogue). And if you still choose to follow such a philosophy: make sure your memory is near perfect; never write anything down; reveal as little as possible about yourself (which should be next to nothing); and know as little of your fellow lunatics as is feasible (again, that is next to nothing). Yes, that's pretty hard.

Otherwise you will probably screw up your security. If not, you will run into laws that allow to imprison you for, say, not revealing the password of your encrypted device (that is the best outcome) or into https://xkcd.com/538/ (a not so nice outcome).


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK