3

Weak cryptographic parameters in LUKS1

 1 year ago
source link: https://tails.net/security/argon2id/index.en.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

The cryptographic parameters of LUKS from Tails 5.12 or earlier are weak against a state-sponsored attacker with physical access to your device.

We recommend you change the passphrase of your Persistent Storage and other LUKS encrypted volumes unless you use a long passphrase of 5 random words or more.

Understanding the weakness and its solution

The arms race to protect from brute-force attacks

In all encryption technology that protects data on a disk or USB stick with a password or a passphrase, an attacker can try all possible combinations until they guess your passphrase and unlock the encryption. This type of attack is called a brute-force attack.

A strong password makes brute-force attacks slower and more expensive. The longer the passphrase, the more expensive the brute-force attack becomes.

Some cryptographic parameters can also make each guess of a brute-force attack slower and more expensive, for example by having to do some complicated calculations on each passphrase before being able to try to unlock the encryption with the result of this calculation.

Over the years, computers become faster and cheaper. Encryption technologies regularly upgrade their parameters to find a balance between making encryption fast and usable by users while making brute-force attacks as expensive as possible for attackers.

Strong encryption parameters combined with a strong passphrase make brute-force attacks so slow and so expensive that they are impossible to do in practice. For example, a brute-force attack is impossible to do in practice if it would take thousands of years even with the most powerful supercomputers.

Strength of Argon2id compared to PBKDF2

Until Tails 5.12 (19 April 2023), Tails created LUKS devices version 1 (LUKS1) with PBKDF2 as key derivation function, a calculation run on the passphrase before trying to unlock the encryption with the result.

PBKDF2 is now considered too weak compared to available computing power.

Some cryptographers think this weakness might have already been used against an activist in France but the actual operations by the French police are kept secret.

Since Tails 5.13 (16 May 2023), Tails creates LUKS devices version 2 (LUKS2) with Argon2id as key derivation function.

Tails version
when encryption was created		Release dateLUKS versionKey derivation functionStrength
5.12 or earlier19 April 2023LUKS1PBKDF2Weak
5.13 or later16 May 2023LUKS2Argon2idStrong

We estimated how much electricity it would cost to guess passphrases of different strengths. As we recommend for the Persistent Storage, we evaluated passphrases made of several random words.

Passphrase lengthPBKDF2Argon2id
3 random words$0.1$100
4 random words$1 000$1 000 000
5 random words$10 000 000$10 000 000 000
6 random words$100 000 000 000$100 000 000 000 000
7 random words$1 000 000 000 000 000$1 000 000 000 000 000 000

These numbers are very rough estimates but give an idea of what length of passphrase a very powerful adversary like a state-sponsored attacker could guess.

Even if guessing a passphrase of 3 random words with LUKS1 costs very little energy, any such attack also requires:

  • Physical access to the device
  • Very expensive computer equipment
  • Professional hacking skills

You can see the details of our calculations in #19615 and this spreadsheet.

Other password schemes give too little guarantee

We recommend using passphrases made of several random words because using randomness is the only way to really guarantee the strength of a password.

Using other password schemes give little guarantee over the strength of a password, even if it follows complicated password policies and validates on password strength meters.

For example, a Dutch hacker logged into Donald Trump's Twitter account twice by guessing his passwords, despite that these passwords included several words, were more than 8 characters, and even had special characters. They were definitely not random enough: "maga2020!" and "yourefired".

To understand the maths behind password strength, watch An information theoretic model of privacy and security metrics. Bill Budington from the EFF explains the concept of entropy and its implication on browser fingerprinting and password safety in accessible terms.

Keeping your encryption secure

All users are recommended to upgrade to LUKS2 on all their encrypted devices: Persistent Storage, backup Tails, and other external encrypted volumes.

Depending on the strength of your passphrase, we might also recommend choosing a different passphrase and migrating to another Tails USB stick:

If your passphrase has 4 random words or fewer

If your current passphrase has 4 random words or fewer:

  • Your encryption is insecure with LUKS1.

    You have to upgrade to LUKS2.

  • Your encryption is more secure with LUKS2.

    We still recommend changing your passphrase to be 5 random words or more.

Persistent Storage (4 words of fewer)

To secure your Persistent Storage:

  1. Update to Tails 5.14.

    When starting Tails 5.14 for the first time, Tails will automatically convert your Persistent Storage to LUKS2.

  2. Choose a new passphrase of 5 to 7 random words.

    Display the instructions to generate a passphrase using KeePassXC.

  3. Change your passphrase.

    Display the instructions to change the passphrase of your Persistent Storage.

  4. If you created your Persistent Storage with Tails 5.12 or earlier, we recommend you migrate your entire Tails to a different USB stick and destroy your old Tails USB stick (or at least securely delete the entire device).

    If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.

    Display the instructions to migrate your Tails to a new USB stick.

Backup Tails (4 words or fewer)

To secure your backup Tails, if you have one:

  1. Start on your main Tails USB stick.

  2. Update your main Tails USB stick to Tails 5.14.

  3. Create a new backup Tails using Tails Installer

    If you created your Persistent Storage with Tails 5.12 or earlier, we recommend you create your new backup Tails on a different USB stick and destroy your old backup Tails (or at least securely delete the entire device).

    If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.

    Display the instructions to create a new backup.

Other encrypted volumes (4 words or fewer)

To secure your other encrypted volumes, if you have any:

  1. Update to Tails 5.14.

  2. Choose a new passphrase of 5 to 7 random words.

    Display the instructions to generate a passphrase using KeePassXC.

If your encrypted volume is on a traditional hard disk (not an SSD) and you can use the command line:

Otherwise, if your encrypted volume is on a USB stick (or an SSD) or you are not comfortable with the command line:

  • If you created your encrypted volume with Tails 5.13 or later, we recommend you change your passphrase.

    Follow our instructions on changing the passphrase of an existing encrypted partition.

  • If you created your encrypted volume with Tails 5.12 or earlier, we recommend you migrate all your encrypted data to a new encrypted device.

    Follow our instructions on creating and using LUKS encrypted volumes.

    We also recommend you destroy your old device (or at least securely delete the entire device).

    If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.

If your passphrase has 5 random words

If your current passphrase has 5 random words:

  • Your encryption is secure with LUKS1, except against a very powerful adversary, like a state-sponsored attacker with a huge budget to spend on guessing your passphrase.

    We still recommend you upgrade to LUKS2.

  • Your encryption is even more secure with LUKS2.

Congratulations on following our recommendations!

Persistent Storage (5 words)

To secure your Persistent Storage:

  1. Update to Tails 5.14.

    When starting Tails 5.14 for the first time, Tails will automatically convert your Persistent Storage to LUKS2.

  2. Consider adding another random word to your passphrase.

    Display the instructions to change the passphrase of your Persistent Storage.

  3. If you created your encrypted volume with Tails 5.12 or earlier and are worried about a very powerful adversary, consider migrating your entire Tails to a different USB stick and destroying your old Tails USB stick (or at least securely deleting the entire device).

    If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.

    Display the instructions to migrate your entire Tails to a new USB stick.

Backup Tails (5 words)

To secure your backup Tails, if you have one:

  1. Start on your main Tails USB stick.

  2. Update your main Tails USB stick to Tails 5.14.

  3. Update your backup or create a new backup Tails using Tails Installer.

    If you created your backup Tails with Tails 5.12 or earlier and are worried about a very powerful adversary, consider creating your new backup Tails on a different USB stick and destroying your old backup Tails (or at least securely deleting the entire device).

    If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.

    Display the instructions to update your backup or create a new backup.

Other encrypted volumes (5 words)

To secure your other encrypted volumes, if you have any:

  1. Update to Tails 5.14.

  2. Consider adding another random word to your passphrase.

If you created your encrypted volume with Tails 5.12 or earlier and your encrypted volume is on a traditional hard disk (not an SSD) and you can use the command line:

If you create your encrypted volume with Tails 5.12 or earlier and your encrypted volume is on a USB stick (or an SSD) or if you are not comfortable with the command line:

  1. Migrate all your encrypted data to a new encrypted device.

    Follow our instructions on creating and using LUKS encrypted volumes.

  2. If you are worried about a very powerful adversary, consider destroying your old device (or at least securely deleting the entire device).

    If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.

If your passphrase has 6 random words or more

If your current passphrase has 6 random words or more:

  • Your encryption is secure with LUKS1, even against a very powerful adversary.

    We still recommend you upgrade to LUKS2.

  • Your encryption is even more secure with LUKS2.

Congratulations on following our most secure recommendations!

Persistent Storage (6 words or more)

Your Persistent Storage is already secure, even with LUKS1.

After you upgrade to Tails 5.14 or later, Tails will automatically convert your Persistent Storage to LUKS2 and make your Persistent Storage even more secure.

Backup Tails (6 words or more)

Your backup Tails is already secure, even with LUKS1.

If you want to upgrade your backup Tails to LUKS2 anyway:

  1. Start on your main Tails USB stick.

  2. Update your main Tails USB stick to Tails 5.14.

  3. Update your backup using Tails Installer.

    Display the instructions to update your backup.

Other encrypted volumes (6 words or more)

Your other encrypted volumes are already secure, even with LUKS1.

If you want to upgrade your other encrypted volumes to LUKS2 anyway and you know how to use the command line:

Knowing which version of LUKS is used in your devices

If you know how to use the command line, you can verify whether your encryption uses PBKDF2 or Argon2id.

Persistent Storage

  1. When starting Tails, set up an administration password.

  2. Choose Applications ▸ System Tools ▸ Root Terminal.

  3. Execute the following command:

    lsblk

    The output is a list of the storage devices and partitions on the system. For example:

      NAME                   MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
  loop0                    7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
  sda                      8:0    1    7G  0 disk
  ├─sda1                   8:1    1    4G  0 part  /lib/live/mount/medium
  └─sda2                   8:2    1    3G  0 part
    └─TailsData_unlocked 253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
  zram0                  254:0    0  2.8G  0 disk  [SWAP]

    Your Persistent Storage appears as TailsData_unlocked.

  4. Take note of the partition name of your Persistent Storage, which appears above TailsData_unlocked. In this example, the Persistent Storage is in the partition sda2. Yours might be different.

  5. To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute the following command.

    Replace [partition] with the partition name found in step 4.

    sudo cryptsetup luksDump /dev/[partition]

    In the output:

    • Version indicates the version of LUKS, either 1 or 2.

    • PBKDF indicates the key derivation function, either pbkdf2 or argon2id.

Other encrypted volumes

  1. When starting Tails, set up an administration password.

  2. Choose Applications ▸ System Tools ▸ Root Terminal.

  3. Execute the following command:

    lsblk

    The output is a list of the storage devices and partitions on the system. For example:

      NAME                   MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
  loop0                    7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
  sda                      8:0    1    7G  0 disk
  ├─sda1                   8:1    1    4G  0 part  /lib/live/mount/medium
  └─sda2                   8:2    1    3G  0 part
    └─TailsData_unlocked 253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
  zram0                  254:0    0  2.8G  0 disk  [SWAP]

  4. Plug in your encrypted volume. Keep the encryption locked.

  5. Execute the same command again:

    lsblk

    Your encrypted volume appears as a new device with a list of partitions. Check that the partition size corresponds to your encrypted volume.

      NAME                   MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
  loop0                    7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
  sda                      8:0    1    7G  0 disk
  ├─sda1                   8:1    1    4G  0 part  /lib/live/mount/medium
  └─sda2                   8:2    1    3G  0 part
    └─TailsData_unlocked 253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
  sdb                      8:0    1    7G  0 disk
  └─sdb1                   8:2    1    7G  0 part
  zram0                  254:0    0  2.8G  0 disk  [SWAP]

  6. Take note of the partition name of your encrypted volume. In this example, the new device in the list is sdb and the encrypted volume is in the partition sdb1. Yours might be different.

  7. To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute the following command.

    Replace [partition] with the partition name found in step 6.

    sudo cryptsetup luksDump /dev/[partition]

    In the output:

    • Version indicates the version of LUKS, either 1 or 2.

    • PBKDF indicates the key derivation function, either pbkdf2 or argon2id.


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK