Crypto in DragonFlyBSD

Magnus Eriksson magetoo at fastmail.fm
Fri Apr 2 16:30:07 PDT 2010


On Fri, 2 Apr 2010, Matthew Dillon wrote:

  The system does not have to know what the salt is before hand.  The
  idea is for it to be random junk.  But the encrypted salt does have
  to be recorded in the block or stream somewhere and that takes space.
You mean, it would prefix the data in the stream?  (It can't be inside the 
encrypted stream if you need the salt to decrypt it.)


  DragonFly's HAMMER filesystem could encrypt individual file blocks
  and store the encrypted salt in the B-Tree record referencing the
  block.  The decrypted salt could then be used to adjust the stream
  cipher for the rest of the block.
It would be a good idea to ask a cryptographer about any fancy 
non-standard plans.  I'm worried that any enhancements us mere mortals 
can come up with are either already well known, and incorporated in some 
good crypto algorithm, or known to weaken the crypto algorithm.


  Since the salt is random there is no attack which works on it that
  helps the attacker guess the primary encryption key.  The salt in
  the encryption stream or block scrambles the rest of the data block
  and makes it more difficult for pattern attacks to succeed. e.g.
  where a user writes known patterns and is somehow able to access
  the encrypted result and then backhack the key that way.
Hmm.

Right, but this still assumes that the salt / the seed for the random 
numbers generator is known by the system (stored somewhere), but kept from 
the user / attacker.  That will not help against an attacker that gains 
root and/or physical access.

(There is also an active console cracking scene, which indicates that even 
if you have very smart people, and lots of money to spend on custom 
hardware designed specifically not to give up its secrets, this is a hard 
problem.)

And if you are only guarding against non-root users, you might be able to 
acheive the same thing more simply.  The "salt" in the above description 
sounds more like a secret part of the en/decryption key; instead you might 
just pick a longer encryption key, equal to the lenghts of the two 
separate keys.  (And by the way, isn't this exactly the "trick" that made 
Windows NT passwords so bad?)

MAgnus






More information about the Kernel mailing list