LinuxQuestions.org
Old 11-06-2004, 06:15 PM   #1
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
using a random file as password to dm-crypt


In an attempt to get the very highest level of security on my encrypted home partition,
rather than use a password, i decided to use a random file.

i filled a floppy disk like so....
Code:
dd if=/dev/urandom of=/dev/fd0
like expected, the disk was filled with random data.

and the home partition is mounted from the local startup script like so...

Code:
losetup /dev/loop7 /home/chris.img
cryptsetup -c aes -s 256 -d /dev/fd0 -b `blockdev --getsize /dev/loop7` -h ripemd160  create chris /dev/loop7
mount /dev/mapper/chris /home/chris/
if the wrong floppy disk (or no floppy disk) is inserted before the local script runs, then my encrypted partition is not mounted, but other users with non encrypted disks are allowed to login.

this works fine except for one thing, i was expecting this setup to use the whole 1.44 megs of data as the password, but the disk activity only lasts a few seconds, and it takes 30 seconds to read the whole disk...

how do i work out how much random data is being used as the password ?
im worried that maybe the encryption program is finding a terminating null and stopping reading, leaving me with a very short password.

the reason ive setup such a system, is to stop people picking short predictable passwords, this is pointless if the system is only using 5 random characters (easily brute forced !)

any ideas ?

ive tried altering the keysize after the -s option, but 256 bits is its maximum, and i believe this only applies to the key after its been hashed.

thanks.
 
Old 11-06-2004, 10:56 PM   #2
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
oooo, very nice approach .. ill have to do that for my documents (as well as a semi-random login password)

but try to fill the disk again and see ... also it might be the hashed thingy you spoke of .. maybe it can only hash X amount of characters ? ... maybe search thru the floppy using some program to search for things like EOL or EOF
 
Old 11-06-2004, 11:20 PM   #3
n0sr
Member
 
Registered: Sep 2004
Location: 127.0.0.1
Distribution: Slackware 13; Ubuntu Raspberry Pi OS
Posts: 255

Rep: Reputation: 34
You might try using this command....

Code:
dd if=/dev/urandom of=/dev/fd0 bs=1k count=1440
That will force dd to write to the whole diskette.

Last edited by n0sr; 11-06-2004 at 11:21 PM.
 
Old 11-07-2004, 03:53 PM   #4
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
How should i go about searching for EOF / EOL ?
does EOF and EOL have an ascii code ?
or should i look for the actual string "EOF" ?

thanks for the help so far
 
Old 11-08-2004, 11:37 AM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
Of course EOF and EOL (really \n) have ascii codes. Most likely, however, is that only 256 bits of data are being used, or something along those lines. Note this:

If you are using a crypto algorithm with a keysize of N bits, then that is the maximum security you will get. It's just like DES using only 8 characters of a password... a 10 character password adds no additional security.

Even after hashing ANY amount of data, you still end up with one of 2^256 combinations for your key... meaning multiple hash datas could give you the SAME key.
 
Old 11-08-2004, 11:50 AM   #6
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
there are approx 2^120 atoms in the universe (to put things into perspective)
so nobody ever attempts to brute force the hashed key.

its much better to brute force the password that is hashed to create the key.
therefore.... Security is Optimal when all the possible combinations of the hash (2^256) is equal to all the possible combinations of the password that is to be hashed... which means 32 bytes.

for optimal security, the system i setup MUST be using at least 32 bytes from the floppy....
are there any ways of testing this ?

the only way i can think of, is to setup another floppy, and only copy over the first 31 bytes from the correct floppy.
if this 1 byte short floppy correctly decrypts the partition. then i am not using optimal security.
 
Old 11-08-2004, 11:57 AM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
to try this:

insert key disk
Code:
dd if=/dev/fd0 of=fd0.img bs=1 count=31
then just use cryptsetup -d fd0.img
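
The question running through this thread (how many bytes of the key file actually end up in the key) can be explored offline with a black-box probe. The following is an added example, not part of the original thread and not cryptsetup's code: the three derivation models are assumptions chosen to match the possibilities raised above, SHA-256 stands in for ripemd160, and the key file is a constructed 1 KiB sample with a NUL planted at offset 5.

```python
import hashlib

KEY_BYTES = 32  # 256-bit key, as in "-s 256"

def derive_raw(keyfile: bytes) -> bytes:
    """Model A (assumption): the first KEY_BYTES of the file are the key."""
    if len(keyfile) < KEY_BYTES:
        raise ValueError("not enough key material")
    return keyfile[:KEY_BYTES]

def derive_hashed(keyfile: bytes) -> bytes:
    """Model B (assumption): the whole file is hashed down to the key."""
    return hashlib.sha256(keyfile).digest()

def derive_cstring(keyfile: bytes) -> bytes:
    """Model C (assumption): reading stops at the first NUL byte, the
    failure mode the original poster is worried about."""
    return hashlib.sha256(keyfile.split(b"\x00", 1)[0]).digest()

def bytes_consumed(derive, keyfile: bytes) -> int:
    """Flip one byte at a time; return the offset of the last byte whose
    change alters the key, plus one (0 if no byte matters)."""
    baseline = derive(keyfile)
    last = -1
    for i in range(len(keyfile)):
        probe = bytearray(keyfile)
        probe[i] ^= 0xFF
        if derive(bytes(probe)) != baseline:
            last = i
    return last + 1

def short_copy_unlocks(derive, keyfile: bytes, n: int = 31) -> bool:
    """The test proposed in the thread: does a copy holding only the first
    n bytes produce the same key as the full key file?"""
    try:
        return derive(keyfile[:n]) == derive(keyfile)
    except ValueError:
        return False

def sample_keyfile(size: int = 1024) -> bytes:
    """Constructed, deterministic sample: no NUL bytes except at offset 5."""
    data = hashlib.shake_256(b"constructed sample").digest(size)
    buf = bytearray(data.replace(b"\x00", b"\x01"))
    buf[5] = 0
    return bytes(buf)

SAMPLE = sample_keyfile()

if __name__ == "__main__":
    for model in (derive_raw, derive_hashed, derive_cstring):
        print(model.__name__, bytes_consumed(model, SAMPLE),
              short_copy_unlocks(model, SAMPLE))
```

Only the NUL-terminated model lets the 31-byte copy produce the same key, which is the outcome the short-floppy test is designed to catch.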
 
  

