1 |
On Wednesday 30 Apr 2014 03:50:12 Rick "Zero_Chaos" Farina wrote: |
2 |
> On 04/29/2014 03:58 PM, Walter Dnes wrote: |
3 |
> > On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick "Zero_Chaos" Farina wrote |
4 |
> > |
5 |
> >> On 04/29/2014 12:27 PM, Walter Dnes wrote: |
6 |
> >>> Another couple of things I didn't realize. According to |
7 |
> >>> |
8 |
> >>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for |
9 |
> >>> the crypt target in the kernel. It also suggests |
10 |
> >>> <*> SHA224 and SHA256 digest algorithm |
11 |
> >>> |
12 |
> >>> Any comments on their strength? I'm not worried about the NSA or |
13 |
> >>> CSIS as much as opportunistic criminals. |
14 |
|
15 |
If it's only opportunistic criminals you're worried about then SHA1 with its |
16 |
160-bit string is ample and so is MD5 with its 128-bit. Both are considered |
17 |
weak hashes these days and should be avoided for business critical set ups, |
18 |
but they are soooooo widely used (esp. by internet browsers, VPN routers, |
19 |
etc.) that it would be difficult to upgrade everything overnight to SHA2. |
20 |
|
21 |
|
22 |
> >> I use whirlpool. Why you ask? It sounds cool! Also it supported 512bit |
23 |
> >> which seems nice. |
24 |
|
25 |
Whirlpool is of course better, because it has an even longer 521-bit string. |
26 |
|
27 |
|
28 |
> > Sorry to pester you, but I'm beginning to realize just how much is |
29 |
> > involved here that I'm a newbie at. Two more questions... |
30 |
> > |
31 |
> > |
32 |
> > 1) If multiple encryption algorithms are enabled in the kernel, how does |
33 |
> > the system decide which one to use? |
34 |
> |
35 |
> dmcrypt/luks stores the proper encryption algorithm, as long as the |
36 |
> correct one is supported you are all set. |
37 |
|
38 |
It will use the default. Run: |
39 |
|
40 |
cryptsetup -h |
41 |
|
42 |
to see the default that it was compiled with. |
43 |
|
44 |
Or, |
45 |
|
46 |
it will use the --hash and --cipher options that you specify when you run |
47 |
cryptsetup. Have a look at the fine manual. |
48 |
|
49 |
|
50 |
> > 2) I assume that if I want to use the same encrypted USB key on 2 or |
51 |
> > more machines, then the kernels of all the machines must be built with |
52 |
> > the same encryption algorithms? |
53 |
> |
54 |
> No, but they do both need the encryption and hashing algorithm you are |
55 |
> using. |
56 |
|
57 |
As I understand it, but may be wrong because I have not used LUKS you need to |
58 |
have the same ciphers and hashes on both machines. Thankfully, all PCs these |
59 |
days have aes and sha1. :-) |
60 |
|
61 |
-- |
62 |
Regards, |
63 |
Mick |