Date: Wed, 19 Apr 2023 16:17:56 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: infoomatic <infoomatic@gmx.at>
Cc: freebsd-security@FreeBSD.org
Subject: Re: geli key derivation function
Message-ID: <20230419231756.GM99783@funkthat.com>
In-Reply-To: <da2b20a5-3bec-7dce-59ea-8af94a17f44d@gmx.at>
References: <da2b20a5-3bec-7dce-59ea-8af94a17f44d@gmx.at>
infoomatic wrote this message on Wed, Apr 19, 2023 at 11:47 +0200:
> After reading [1] I would like to approach the developers to improve
> geli's KDF. Currently PKCS#5 is used (RFC 2898 from the year 2000), it
> would be great if some developers agree that this could be improved and
> hopefully they have time to implement this. What is the best way to make
> this kind of feature request?
>
> [1] https://mjg59.dreamwidth.org/66429.html

I read it too, and after a bit of research on argon2, decided not to do anything about it. There's nothing in that post that provides proof that PBKDF2 was broken, it wasn't even implied. Just because it's old doesn't mean that it's insecure, etc. Like HMAC-SHA-1 is still considered secure despite the fact that SHA-1 is broken[1].

One issue is that the function needs to work at boot, so large memory allocations are not an option; also, at boot, only one thread of execution is available, so we can't use threads...

If anything, we should make it easier to increase the number of rounds, that is, add an option (by default enabled) that on attach, if the decryption took less than 1.5s, geli immediately re-encrypts the key w/ a larger number of rounds (and overwrites the backup)... This would also make it easier to upgrade KDFs if a newer/better one is added.

[1] https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
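The "re-wrap on attach if unlocking was too fast" idea above, worked through as an added example in Python. This is illustration code written for this page, not geli's implementation and not code from either poster: it assumes PBKDF2-HMAC-SHA512 (PKCS#5 v2) as the KDF, a 64-byte master key, and a simplified encrypt-then-MAC wrap (one-time XOR pad plus HMAC-SHA256) standing in for geli's real master-key encryption. The 1.5 s threshold is the figure from the thread; the `fake_clock` helper exists only so the timing path can be exercised deterministically.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Threshold proposed in the thread: if unlocking took less than this many
# seconds, re-wrap the master key under a larger round count.
UPGRADE_THRESHOLD_SECONDS = 1.5
PAD_LEN = 64   # assumption: 64-byte master key, wrapped with a 64-byte one-time pad
MAC_LEN = 32   # HMAC-SHA256 key length


def derive(passphrase: bytes, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA512; the output is split into a pad and a MAC key."""
    out = hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, PAD_LEN + MAC_LEN)
    return out[:PAD_LEN], out[PAD_LEN:]


def _tag(mac_key: bytes, salt: bytes, iterations: int, wrapped: bytes) -> bytes:
    # Bind salt and round count into the tag so neither can be swapped unnoticed.
    return hmac.new(mac_key, salt + iterations.to_bytes(4, "big") + wrapped, "sha256").digest()


def wrap_master_key(master_key: bytes, passphrase: bytes, iterations: int,
                    salt: Optional[bytes] = None) -> dict:
    """Produce on-disk metadata: salt, round count, wrapped key, integrity tag.
    The XOR wrap is a stand-in for geli's real master-key encryption."""
    if len(master_key) != PAD_LEN:
        raise ValueError("master key must be %d bytes" % PAD_LEN)
    salt = salt if salt is not None else os.urandom(32)
    pad, mac_key = derive(passphrase, salt, iterations)
    wrapped = bytes(m ^ p for m, p in zip(master_key, pad))
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped,
            "tag": _tag(mac_key, salt, iterations, wrapped)}


def unwrap_master_key(meta: dict, passphrase: bytes,
                      clock: Callable[[], float] = time.perf_counter) -> Tuple[bytes, float]:
    """Recover the master key and report how long the KDF + check took."""
    start = clock()
    pad, mac_key = derive(passphrase, meta["salt"], meta["iterations"])
    expected = _tag(mac_key, meta["salt"], meta["iterations"], meta["wrapped"])
    if not hmac.compare_digest(expected, meta["tag"]):
        raise ValueError("wrong passphrase or corrupted metadata")
    master = bytes(w ^ p for w, p in zip(meta["wrapped"], pad))
    return master, clock() - start


def calibrate_iterations(passphrase: bytes, target_seconds: float, probe_iterations: int = 1000,
                         clock: Callable[[], float] = time.perf_counter) -> int:
    """PBKDF2 cost is linear in the round count: time a small probe and scale up."""
    start = clock()
    derive(passphrase, b"\x00" * 32, probe_iterations)   # constructed probe salt
    elapsed = max(clock() - start, 1e-6)
    return max(probe_iterations, int(round(probe_iterations * target_seconds / elapsed)))


def attach(meta: dict, passphrase: bytes, threshold: float = UPGRADE_THRESHOLD_SECONDS,
           clock: Callable[[], float] = time.perf_counter) -> Tuple[bytes, dict, bool]:
    """Unlock; if that was faster than the threshold, return metadata re-wrapped
    with more rounds (and a fresh salt). Returns (master_key, metadata, upgraded)."""
    master, elapsed = unwrap_master_key(meta, passphrase, clock)
    if elapsed >= threshold:
        return master, meta, False
    new_iterations = calibrate_iterations(passphrase, threshold, clock=clock)
    if new_iterations <= meta["iterations"]:
        return master, meta, False
    return master, wrap_master_key(master, passphrase, new_iterations), True


def fake_clock(step: float) -> Callable[[], float]:
    """Deterministic clock for tests: each call advances by `step` seconds."""
    state = {"n": 0}

    def clock() -> float:
        state["n"] += 1
        return state["n"] * step
    return clock


if __name__ == "__main__":
    # Constructed demo values; a real system would read meta from disk.
    passphrase = b"correct horse battery staple"
    meta = wrap_master_key(os.urandom(PAD_LEN), passphrase, iterations=1000)
    key, new_meta, upgraded = attach(meta, passphrase)
    print("upgraded:", upgraded, "rounds now:", new_meta["iterations"])
```

In a real on-attach upgrade the new metadata would be written back (and the backup overwritten, as the post suggests) only after the re-wrapped copy has been verified to unwrap with the same passphrase; the calibration step also runs single-threaded with a fixed small buffer, which is the boot-time constraint the post raises against memory-hard KDFs.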