Date: Mon, 24 Sep 2007 11:19:02 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Christian Baer <christian.baer@uni-dortmund.de> Cc: freebsd-geom@freebsd.org Subject: Re: Pipes password from kdialog to geli attach Message-ID: <20070924091902.GB3320@garage.freebsd.pl> In-Reply-To: <fd69pu$2ip2$1@nermal.rz1.convenimus.net> References: <200709222256.17692.yarodin@gmail.com> <20070923152508.GB1123@garage.freebsd.pl> <fd69pu$2ip2$1@nermal.rz1.convenimus.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--8GpibOaaTibBMecb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Sep 23, 2007 at 08:03:42PM +0200, Christian Baer wrote: > On Sun, 23 Sep 2007 17:25:08 +0200 Pawel Jakub Dawidek wrote: >=20 > > BTW. sha256 is not needed. >=20 > Could be a good idea though when mounting several providers with one > keyfile/passphrase combination - if they are "salted". GELI already provides additional salt and pass passphrase/keyfiles through HMAC function. > > Also, as it was mentioned, keyfiles are not preprocessed by PKCS#5v2, >=20 > This however only provides additional protection when analising the disc > and a part of the passphrase is known. A brute force attack against the > passphrase will work just as well, no matter if it is salted or not. It's not about salt. The idea is to call HMAC some number of times on the passphrase and use the result. I use 131072 iterations with my passphrase, this means that to brute-force my passphrase an attacker needs 2^17 more steps to do for each password he wants to try. It takes about 2 seconds to calculate the key out of my passphrase because of those 2^17 steps. He can of course brute-force the result, but it's more or less totally random and for HMAC/SHA256 he has 2^256 steps to do. > > but this is a good example why it's worth adding such functionality. >=20 > Good idea! I've been pondering the idea of writing a front-end for geli > for some time but the fact of this missing feature stopped me because > anyone using this frontend would lose functionality. >=20 > If you make it possible to pass the passphrase on to geli from the command > line or via a pipe or something, then I'll sit down and write the > front-end for it. Provided, you don't expect me to do that in C. :-) > Python would probably be my choice here. We are planning to create graphic front-end to the GEOM in my company in python, but feel free to do a geli front-end as well:) --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --8GpibOaaTibBMecb Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQFG94EGForvXbEpPzQRAgfSAJwL5v0j5yyptDnUCy3Ttok4UgdOHwCg7nBB qIdla0wchhpllrP8/yZ4uek= =l/Wx -----END PGP SIGNATURE----- --8GpibOaaTibBMecb--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070924091902.GB3320>