[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-user
Subject:    Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
From:       Dale <rdalek1967 () gmail ! com>
Date:       2023-09-23 15:05:04
Message-ID: 94aa676b-989c-91e1-750f-38c88f58bc01 () gmail ! com
[Download RAW message or body]

Wol wrote:
> On 23/09/2023 14:35, Dale wrote:
>> Another question.  Are people trying to work on better encryption
>> given current encryption can be cracked?  I read some things changed
>> after Snowden.  I'm just not sure what and if more changes are needed
>> even today.
>
>> If you wanted the most secure and hard to crack encryption, what
>> would you use?  How does one tell cryptsetup to use it?  I have
>> several encryption options here but no idea what is the best or even
>> just good.
>
> If you want encryption that can't be cracked, go for RSA. It's
> uncrackable.
>
> Now you might be wondering why I say that, given that is a simple,
> well-known attack, but it's true. You can trick me into encoding as
> much plain text as you like, where you can intercept the cipher text,
> and you will not be able to crack the cipher itself. What you need to
> do is get hold of ONE of my key-pairs. The public one of course is
> usually freely available, and if you get hold of the private one it's
> game over.
>
> You can then mathematically solve "the puzzle of the keys" from my
> public pair and recover the private key. This is why RSA keys keep
> getting bigger - it takes more and more brute force to solve.
>
> I don't know enough about ECC - do you crack it or solve it?
>
> Both these ciphers however have a massive weakness - make a mistake
> setting them up and the solution becomes easy. RSA relies on
> multiplying two huge primes together. Dunno what ECC relies on. If one
> of your RSA primes is not, in fact, prime then factoring the huge
> product becomes easy, and recovering all the keys built from it is
> simple.
>
> ECC specifies various parameters, and the official standard ECC
> parameters were discovered to contain a flaw. Was that an intentional
> back door? It's thought it was an accident.
>
> But I think cryptographers have abandoned crackable ciphers now - if
> it's crackable then it's easily crackable. And all other ciphers
> simply rely on the asymmetric effort taken to create a key or solve a
> key.
>
> Cheers,
> Wol
>
>


When I run cryptsetup to encrypt my drives, I have no idea what it is
using.  I assumed the defaults would be the most secure.  This is the
luksDump info, some may be changed or snipped, not sure if it is
something I should make public.  ;-) 


root@fireball / # cryptsetup luksDump /dev/sdo1
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           967257e5-ccc8-48ab-8f46-c6b05dc3bf37
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

<<<< SNIP >>>>
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 83062
        Salt:       20 d5 f5 3b 51 43 31 29 8a b0 31 dc ad 56 0c 15
                    50 18 aa f8 df a0 4e 9e 8e e1 b2 bb f1 04 67 01
        Digest:     96 18 90 9e 89 7a 16 71 72 d0 97 ec 84 e1 b5 38
                    fc cb ea 97 93 29 19 4c 83 a6 fb 4e e9 ba 79 7b
root@fireball / #


I'm not to clear on this but it looks like it is using 'aes-xts-plain64'
to me.  If so, is that good enough?  Is there better? 

While I'm mostly worried about someone maybe stealing my rig, I also
don't want someone with some skills getting in there either.  Some
crooks may know someone.  ;-)

Dale

:-)  :-) 

[prev in list] [next in list] [prev in thread] [next in thread]