[prev in list] [next in list] [prev in thread] [next in thread]
List: gentoo-user
Subject: Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
From: Dale <rdalek1967 () gmail ! com>
Date: 2023-09-23 15:05:04
Message-ID: 94aa676b-989c-91e1-750f-38c88f58bc01 () gmail ! com
[Download RAW message or body]
Wol wrote:
> On 23/09/2023 14:35, Dale wrote:
>> Another question. Are people trying to work on better encryption
>> given current encryption can be cracked? I read some things changed
>> after Snowden. I'm just not sure what and if more changes are needed
>> even today.
>
>> If you wanted the most secure and hard to crack encryption, what
>> would you use? How does one tell cryptsetup to use it? I have
>> several encryption options here but no idea what is the best or even
>> just good.
>
> If you want encryption that can't be cracked, go for RSA. It's
> uncrackable.
>
> Now you might be wondering why I say that, given that is a simple,
> well-known attack, but it's true. You can trick me into encoding as
> much plain text as you like, where you can intercept the cipher text,
> and you will not be able to crack the cipher itself. What you need to
> do is get hold of ONE of my key-pairs. The public one of course is
> usually freely available, and if you get hold of the private one it's
> game over.
>
> You can then mathematically solve "the puzzle of the keys" from my
> public pair and recover the private key. This is why RSA keys keep
> getting bigger - it takes more and more brute force to solve.
>
> I don't know enough about ECC - do you crack it or solve it?
>
> Both these ciphers however have a massive weakness - make a mistake
> setting them up and the solution becomes easy. RSA relies on
> multiplying two huge primes together. Dunno what ECC relies on. If one
> of your RSA primes is not, in fact, prime then factoring the huge
> product becomes easy, and recovering all the keys built from it is
> simple.
>
> ECC specifies various parameters, and the official standard ECC
> parameters were discovered to contain a flaw. Was that an intentional
> back door? It's thought it was an accident.
>
> But I think cryptographers have abandoned crackable ciphers now - if
> it's crackable then it's easily crackable. And all other ciphers
> simply rely on the asymmetric effort taken to create a key or solve a
> key.
>
> Cheers,
> Wol
>
>
When I run cryptsetup to encrypt my drives, I have no idea what it is
using. I assumed the defaults would be the most secure. This is the
luksDump info, some may be changed or snipped, not sure if it is
something I should make public. ;-)
root@fireball / # cryptsetup luksDump /dev/sdo1
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 967257e5-ccc8-48ab-8f46-c6b05dc3bf37
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 4096 [bytes]
<<<< SNIP >>>>
Digests:
0: pbkdf2
Hash: sha256
Iterations: 83062
Salt: 20 d5 f5 3b 51 43 31 29 8a b0 31 dc ad 56 0c 15
50 18 aa f8 df a0 4e 9e 8e e1 b2 bb f1 04 67 01
Digest: 96 18 90 9e 89 7a 16 71 72 d0 97 ec 84 e1 b5 38
fc cb ea 97 93 29 19 4c 83 a6 fb 4e e9 ba 79 7b
root@fireball / #
I'm not to clear on this but it looks like it is using 'aes-xts-plain64'
to me. If so, is that good enough? Is there better?
While I'm mostly worried about someone maybe stealing my rig, I also
don't want someone with some skills getting in there either. Some
crooks may know someone. ;-)
Dale
:-) :-)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic