[Bug 1928860] Re: Recovery key is low-entropy

Thu May 20 23:26:19 UTC 2021

Hi all,

LUKS2 (in zys-format invocation of the corresponding cryptsetup
version) uses Argon2i password-based key deriviation function and
automatically tunes the iteration count/memory cost to be under 2000
milliseconds.

Note that this is timed on the target's machine, and attacker's
machines can be more powerful than that. For example, I created a LUKS
volume on ThinkPad X200 (old hw, but still popular in Coreboot /
Libreboot circles), and a 4 years old Xeon workstation was able to
mount 8 bruteforce-luks passwords/sec against it. (Whereas, for a LUKS
volume generated on the same Xeon machine the passwords/second were
just 2.)

The keyspace of 10^16 recovery keys would mean ~39 610 109 CPU years,
so probably out of reach for current botnets. However, this estimate:

- does not take in account potential improvements in attacker's
  capabilities. E.g. Argon2 GPU implementation exists
  <https://gitlab.com/omos/argon2-gpu/> (but is yet to be incorporated
  into something like hashcat); the author estimates the Nvidia
  Tesla/Xeon speed-up to be around 4-6x.

- leaves little margin of error for compromised entropy. For example,
  if someone saw first 4 digits of my recovery code, the remaining
  keyspace would shrink by 10000x.

So while not threatening in any concrete way, I'd definitely love for
the default to be higher :-) For comparison, BitLocker recovery keys
are 48 decimal digits (not sure how much of it is pure key material
though).

There is, of course, also a balance of security and usability: can
users accurately write down a high-entropy string? Maybe one could get
inspiration from the cryptocurrency world where 12 words from BIP39
wordlist contain 128 bits of entropy (incl 4 bits of checksum), and
can be asked to be entered back (either in full or via random
spot-checks).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1928860

Title:
  Recovery key is low-entropy

Status in ubiquity package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 21.04 Desktop ISO includes Ubiquity installer which offers the
  user to set up full-disk encryption. In this set-up a recovery key is
  automatically generated and added to the system.

  The recovery key is 16 decimal digits or ~53.2 bits of entropy so
  within capabilities of offline brute-force attacks for well-resourced
  attackers.

  To confirm, the key is generated here:
  https://git.launchpad.net/ubuntu/+source/ubiquity/tree/ubiquity/plugins
  /ubi-partman.py#n306 and used here:
  https://git.launchpad.net/ubuntu/+source/ubiquity/tree/scripts/plugininstall.py#n915
  (see also the attached screenshot).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1928860/+subscriptions