Old 06-25-2008, 05:43 AM
Dirk Heinrichs
 
Default loop-aes + extra-ciphers...

On Wednesday, 25 June 2008, ext Chris Walters wrote:

> Also, someone said that it was possible to encrypt using multiple
> passphrases using dm-crypt.

That was me. To be correct: I wrote that with LUKS (which is based on
dm-crypt) it is possible to use multiple keys (a key may be a passphrase or
a keyfile on disk). LUKS does this by reserving the first block of an
encrypted volume for meta data. Again: see http://luks.endorphin.org for
the details.

Bye...

Dirk
--
Dirk Heinrichs | Tel: +49 (0)162 234 3408
Configuration Manager | Fax: +49 (0)211 47068 111
Capgemini Deutschland | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68 | Web: http://www.capgemini.com
D-40468 Düsseldorf | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: wwwkeys.pgp.net
 
Old 06-25-2008, 01:20 PM
Daniel Iliev
 
Default loop-aes + extra-ciphers...

On Tue, 24 Jun 2008 22:20:20 -0400
Chris Walters <cjw2004d@comcast.net> wrote:

> Thanks to all who replied to my previous question. This question is
> related. Has anyone gotten the 'extra-ciphers' (you can get them from
> the loop-aes site) to compile with the loop-aes kernel patch in
> place? If so, could you give me a hint on how to do this?


Perhaps they appear as kernel modules? I'm just guessing.


> Also, someone said that it was possible to encrypt using multiple
> passphrases using dm-crypt. To be clear are we talking about the
> same type of multiple passphrases that can be used with AES and
> Serpent with loop-aes?

Yes, you can have multiple passwords with dm-crypt-luks.


> In other words, you set up a number of
> passphrases (64 or 65), and the first block uses the first
> passphrase, the second block uses the second one, etc. The 65th
> passphrase is added to the hash of the encryption passphrase.


Never bothered to go so deep in the internals, but...

I had a business laptop with non-sensitive (in my opinion) data, but
the managers were quite paranoid about that, so I had to encrypt the
drives to save myself the administrative trouble in case it was stolen.
I followed the gentoo-wiki how-to [1] and found out that encrypting the
hdd visibly slowed down the system.

Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
etc) can break those algorithms relatively easy. On the other hand even
weaker algorithms can protect your data against laptop thieves.

What I'm saying is that it is pointless to get very crazy about strong
and heavy algorithms. After all if your enemies are not after your
hardware, but after your data, they could always physically force you
to reveal the password.


> Also (as if that weren't enough), is it possible to encrypt the
> passphrases or keys in dm-crypt with gnupg, like it is with
> loop-aes? If so, please give examples.
>

Yes, you could do something like:

head /dev/urandom | gpg --symmetric -a > key.gpg
gpg --decrypt key.gpg | cryptsetup luksFormat /dev/some-block-device
gpg --decrypt key.gpg | cryptsetup luksOpen /dev/some-block-device


(The above commands are not correct, their sole purpose is to show the
idea)


[1] System Encryption DM-Crypt with LUKS: http://tinyurl.com/clrk6

[2] M.A.V.O.: http://tinyurl.com/4badqs ; http://tinyurl.com/4chhph



--
Best regards,
Daniel
--
gentoo-user@lists.gentoo.org mailing list
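
A working form of the gpg-wrapped LUKS key idea sketched above, combined with the multiple-key feature of LUKS mentioned earlier in the thread. This is an added example, not code from any of the posters; the function names, the device, mapping and file arguments, and the choice to store the key as 64 base64 characters (so it can be length-checked before use) are assumptions.

```sh
#!/bin/sh
# Added example. Device paths, mapping names and file names are
# placeholders supplied by the caller; nothing runs when this is sourced.

# Create a random key (48 random bytes -> 64 base64 characters) and keep
# it only in gpg-encrypted form. gpg asks for the protecting passphrase.
make_wrapped_key() {    # $1 = output file, e.g. key.gpg
    head -c 48 /dev/urandom | base64 | gpg --symmetric --armor --output "$1"
}

# Decrypt the key and print it only if gpg succeeded and the result has
# the expected length. A plain "gpg --decrypt | cryptsetup" pipeline
# would hand cryptsetup empty input when the gpg passphrase is wrong.
unwrap_key() (          # $1 = key.gpg
    key=$(gpg --quiet --decrypt "$1") || exit 1
    [ "${#key}" -eq 64 ] || exit 1
    printf '%s' "$key"
)

# Initialise a LUKS volume whose first key slot holds the wrapped key.
# --key-file=- reads the key from stdin without newline handling;
# --batch-mode skips the "YES" confirmation, which cannot be answered
# while stdin is the pipe. This overwrites the LUKS header area of $2.
format_with_wrapped_key() (   # $1 = key.gpg, $2 = block device
    key=$(unwrap_key "$1") || exit 1
    printf '%s' "$key" | cryptsetup --batch-mode --key-file=- luksFormat "$2"
)

# Map the volume to /dev/mapper/$3 using the wrapped key.
open_with_wrapped_key() (     # $1 = key.gpg, $2 = device, $3 = mapping name
    key=$(unwrap_key "$1") || exit 1
    printf '%s' "$key" | cryptsetup --key-file=- luksOpen "$2" "$3"
)

# Add a second key in another key slot. The existing key authorises the
# change via stdin; the new key is read from the file given as $3.
add_second_key() (            # $1 = key.gpg, $2 = device, $3 = new key file
    key=$(unwrap_key "$1") || exit 1
    printf '%s' "$key" | cryptsetup --key-file=- luksAddKey "$2" "$3"
)
```

printf is a shell builtin, so the decrypted key is passed through the pipe and never appears in another process's argument list.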
 
Old 06-25-2008, 03:14 PM
Chris Walters
 
Default loop-aes + extra-ciphers...


Daniel Iliev wrote:
| On Tue, 24 Jun 2008 22:20:20 -0400
| Chris Walters <cjw2004d@comcast.net> wrote:
[snip]
| Perhaps they appear as kernel modules? I'm just guessing.

I think that is how they are supposed to appear, but I can't seem to get them
to compile, and the instructions are not too helpful.

[snip]

| Yes, you can have multiple passwords with dm-crypt-luks.

That is good.
[snip]

| Never bothered to go so deep in the internals, but...
|
| I had a business laptop with non-sensitive (in my opinion) data, but
| the managers were quite paranoid about that, so I had to encrypt the
| drives to save myself the administrative trouble in case it was stolen.
| I followed the gentoo-wiki how-to [1] and found out that encrypting the
| hdd visibly slowed down the system.
|
| Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
| etc) can break those algorithms relatively easy. On the other hand even
| weaker algorithms can protect your data against laptop thieves.

That's more than a rumor. Another three letter agency (NSA) has networks of
supercomputers that can brute force a passphrase in little time. I am majoring
in mathematics, and plan to specialize in cryptology. I doubt they'd let me
publish an algorithm that is very hard to break... It is not that I'm terribly
paranoid about people getting my data, I just want to make it a little harder.
Of course, it is always possible to insert code that will send the unencrypted
data, once you've logged on - not easy for the casual user, but for the guru,
an easy thing.

| What I'm saying is that it is pointless to get very crazy about strong
| and heavy algorithms. After all if your enemies are not after your
| hardware, but after your data, they could always physically force you
| to reveal the password.

Yes, I suppose that they could do that, using torture or something like that.

[snip]
| Yes, you could do something like:
|
| head /dev/urandom | gpg --symmetric -a > key.gpg
| gpg --decrypt key.gpg | cryptsetup luksFormat /dev/some-block-device
| gpg --decrypt key.gpg | cryptsetup luksOpen /dev/some-block-device
|
|
| (The above commands are not correct, their sole purpose is to show the
| idea)

Thanks for the ideas, and for the links. I will be checking them out.

| [1] System Encryption DM-Crypt with LUKS: http://tinyurl.com/clrk6
|
| [2] M.A.V.O.: http://tinyurl.com/4badqs ; http://tinyurl.com/4chhph

Regards,
Chris
--
gentoo-user@lists.gentoo.org mailing list
 
Old 06-25-2008, 05:58 PM
Dirk Heinrichs
 
Default loop-aes + extra-ciphers...

On Wednesday, 25 June 2008, Chris Walters wrote:

> | Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
> | etc) can break those algorithms relatively easy. On the other hand even
> | weaker algorithms can protect your data against laptop thieves.
>
> That's more than a rumor. Another three letter agency (NSA) has networks
> of supercomputers that can brute force a passphrase in little time. I am
> majoring in mathematics, and plan to specialize in cryptology.

If it is so easy for them to crack our ciphers (and the one they use
themselves, btw.), why doesn't Kaspersky ask them to crack the key of the
GPCode virus which, according to Kaspersky's assumptions, would keep 15
million modern PCs busy for a year.

And, if it is so easy for them, it is as easy for other governments too,
right? That would mean they use a cipher that's easily crackable by other
governments. Do you really think they do?

Bye...

Dirk
 
Old 06-25-2008, 06:51 PM
Sebastian Wiesner
 
Default loop-aes + extra-ciphers...

Chris Walters <cjw2004d@comcast.net> at Wednesday 25 June 2008, 17:14:20

> | Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
> | etc) can break those algorithms relatively easy. On the other hand even
> | weaker algorithms can protect your data against laptop thieves.

You had better have used the acronym FUD instead of the word "rumor". US
government itself has declared Rijndael 256 sufficient for classified
information up to top secret. This level of security is shared among all
AES finalists like RC6 or Serpent.

> That's more than a rumor. Another three letter agency (NSA) has networks
> of supercomputers that can brute force a passphrase in little time.

Bruteforcing a _passphrase_ is not the same as bruteforcing a key. And both
of these don't have anything to do with the algorithm itself. They are
side-attacks ... a weak passphrase is user idiocy, not a cipher
weakness.

> It is not that I'm terribly paranoid about people getting my data, I just
> want to make it a little harder.

What's the point in making the impossible even harder?

> Of course, it is always possible to insert code that will send the
> unencrypted data, once you've logged on - not easy for the casual user,
> but for the guru, an easy thing.

That's operating system security and has nothing to do with cryptology.
Someone having only your hard disk can't inject a rootkit into the system.

--
Freedom is always the freedom of dissenters.
(Rosa Luxemburg)
 
Old 06-25-2008, 06:59 PM
Alan McKinnon
 
Default loop-aes + extra-ciphers...

On Wednesday 25 June 2008, Dirk Heinrichs wrote:

> If it is so easy for them to crack our ciphers (and the one they use
> themselves, btw.), why doesn't Kaspersky ask them to crack the key of
> the GPCode virus which, according to Kaspersky's assumptions, would
> keep 15 million modern PCs busy for a year.

There's an interesting side possibility to that one. It's entirely
plausible that the key used to encrypt all those poor sucker Windows
user's files isn't just any old key, but rather a very important public
key that matches a private key the bad guys would like to have - like a
CA's private key.

Maybe cracking that key isn't such a good idea after all. I think this
is a case for hose-pipe decryption.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
 
Old 06-25-2008, 08:25 PM
Chris Walters
 
Default loop-aes + extra-ciphers...


Sebastian Wiesner wrote:
| Chris Walters <cjw2004d@comcast.net> at Wednesday 25 June 2008, 17:14:20
|
|> | Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
|> | etc) can break those algorithms relatively easy. On the other hand even
|> | weaker algorithms can protect your data against laptop thieves.
|
| You had better have used the acronym FUD instead of the word "rumor". US
| government itself has declared Rijndael 256 sufficient for classified
| information up to top secret. This level of security is shared among all
| AES finalists like RC6 or Serpent.
|
|> That's more than a rumor. Another three letter agency (NSA) has networks
|> of supercomputers that can brute force a passphrase in little time.
|
| Bruteforcing a _passphrase_ is not the same as bruteforcing a key. And both
| of these don't have anything to do with the algorithm itself. They are
| side-attacks ... a weak passphrase is user idiocy, not a cipher
| weakness.
|
|> It is not that I'm terribly paranoid about people getting my data, I just
|> want to make it a little harder.
|
| What's the point in making the impossible even harder?
|
|> Of course, it is always possible to insert code that will send the
|> unencrypted data, once you've logged on - not easy for the casual user,
|> but for the guru, an easy thing.
|
| That's operating system security and has nothing to do with cryptology.
| Someone having only your hard disk can't inject a rootkit into the system.

Are you a cryptology expert? By the way, nothing is impossible. The only
thing that cryptography attempts to do is reduce the **probability** of
cracking the key and gaining access to the data as low as possible.

As for brute forcing a passphrase: Since most implementations of AES
(Rijndael) use a hash of the passphrase to form the key, it amounts to the same
thing, in practice, as cracking the key.

Cryptology is, at least partly about finding the weakest link, because that is
what is likely to be attacked in any cryptosystem. If the weakest link is
system security or a weak passphrase, then that weakness translates to a
weakness in anything encrypted in such an environment.

The US Government only keeps classified information on non-networked computers
in secure environments, so the cipher used does not matter as much as the other
security measures taken to ensure that the data does not fall into the wrong hands.

A final thought: It is a fact that both the US Navy and the NSA are *very*
interested in cryptology and data security. The NSA also does have large
networks of supercomputers that, using parallel, distributed or concurrent
computing principles can crack keys more quickly than you may think.

Regards,
Chris
--
gentoo-user@lists.gentoo.org mailing list
 
Old 06-25-2008, 08:31 PM
Chris Walters
 
Default loop-aes + extra-ciphers...


Dirk Heinrichs wrote:
| If it is so easy for them to crack our ciphers (and the one they use
| themselves, btw.), why doesn't Kaspersky ask them to crack the key of the
| GPCode virus which, according to Kaspersky's assumptions, would keep 15
| million modern PCs busy for a year.
|
| And, if it is so easy for them, it is as easy for other governments too,
| right? That would mean they use a cipher that's easily crackable by other
| governments. Do you really think they do?

I didn't say it was "easy". All I said is that it is possible, with enough
resources, to crack keys. I very much doubt that the NSA would be interested
in cracking the key of the GPCode virus, since they are more directed to the
National Security of the US.

As for other governments, if they have large networks of supercomputers, and
cryptanalysis experts, then it would probably be just as probable that they
could crack any key from any publicly used cipher algorithm.

Regards,
Chris
--
gentoo-user@lists.gentoo.org mailing list
 
Old 06-25-2008, 08:46 PM
Alan McKinnon
 
Default loop-aes + extra-ciphers...

On Wednesday 25 June 2008, Chris Walters wrote:
> Dirk Heinrichs wrote:
> | If it is so easy for them to crack our ciphers (and the one they
> | use themselves, btw.), why doesn't Kaspersky ask them to crack the
> | key of the GPCode virus which, according to Kaspersky's
> | assumptions, would keep 15 million modern PCs busy for a year.
> |
> | And, if it is so easy for them, it is as easy for other governments
> | too, right? That would mean they use a cipher that's easily
> | crackable by other governments. Do you really think they do?
>
> I didn't say it was "easy". All I said is that it is possible, with
> enough resources, to crack keys. I very much doubt that the NSA
> would be interested in cracking the key of the GPCode virus, since
> they are more directed to the National Security of the US.
>
> As for other governments, if they have large networks of
> supercomputers, and cryptanalysis experts, then it would probably be
> just as probable that they could crack any key from any publicly used
> cipher algorithm.

This is the point where I start to ask for a citation and stop listening
to theoretical possibilities and things that might possibly could be.
Unless of course the exact meaning of phrases like "three hundred
thousand million years" has a different meaning in your universe than
it does in mine.



--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
 
Old 06-25-2008, 08:54 PM
Chris Walters
 
Default loop-aes + extra-ciphers...


Alan McKinnon wrote:
| On Wednesday 25 June 2008, Chris Walters wrote:
|> Dirk Heinrichs wrote:
|> | If it is so easy for them to crack our ciphers (and the one they
|> | use themselves, btw.), why doesn't Kaspersky ask them to crack the
|> | key of the GPCode virus which, according to Kaspersky's
|> | assumptions, would keep 15 million modern PCs busy for a year.
|> |
|> | And, if it is so easy for them, it is as easy for other governments
|> | too, right? That would mean they use a cipher that's easily
|> | crackable by other governments. Do you really think they do?
|>
|> I didn't say it was "easy". All I said is that it is possible, with
|> enough resources, to crack keys. I very much doubt that the NSA
|> would be interested in cracking the key of the GPCode virus, since
|> they are more directed to the National Security of the US.
|>
|> As for other governments, if they have large networks of
|> supercomputers, and cryptanalysis experts, then it would probably be
|> just as probable that they could crack any key from any publicly used
|> cipher algorithm.
|
| This is the point where I start to ask for a citation and stop listening
| to theoretical possibilities and things that might possibly could be.
| Unless of course the exact meaning of phrases like "three hundred
| thousand million years" has a different meaning in your universe than
| it does in mine.

Whom are you asking for a citation from? For which particular facts? Do you
really doubt that the US NSA has a *lot* of supercomputers? Do you really
doubt that they have experts in mathematics, cryptology, cryptanalysis, and
cryptography experts on staff? Or perhaps you doubt that they can crack any
keys at all...

Chris
--
gentoo-user@lists.gentoo.org mailing list
 
