[Bug 1928860] Re: Recovery key is low-entropy
Madars
1928860 at bugs.launchpad.net
Thu May 20 23:26:19 UTC 2021
Hi all,
LUKS2 (in zys-format invocation of the corresponding cryptsetup
version) uses Argon2i password-based key deriviation function and
automatically tunes the iteration count/memory cost to be under 2000
milliseconds.
Note that this is timed on the target's machine, and attacker's
machines can be more powerful than that. For example, I created a LUKS
volume on ThinkPad X200 (old hw, but still popular in Coreboot /
Libreboot circles), and a 4 years old Xeon workstation was able to
mount 8 bruteforce-luks passwords/sec against it. (Whereas, for a LUKS
volume generated on the same Xeon machine the passwords/second were
just 2.)
The keyspace of 10^16 recovery keys would mean ~39 610 109 CPU years,
so probably out of reach for current botnets. However, this estimate:
- does not take in account potential improvements in attacker's
capabilities. E.g. Argon2 GPU implementation exists
<https://gitlab.com/omos/argon2-gpu/> (but is yet to be incorporated
into something like hashcat); the author estimates the Nvidia
Tesla/Xeon speed-up to be around 4-6x.
- leaves little margin of error for compromised entropy. For example,
if someone saw first 4 digits of my recovery code, the remaining
keyspace would shrink by 10000x.
So while not threatening in any concrete way, I'd definitely love for
the default to be higher :-) For comparison, BitLocker recovery keys
are 48 decimal digits (not sure how much of it is pure key material
though).
There is, of course, also a balance of security and usability: can
users accurately write down a high-entropy string? Maybe one could get
inspiration from the cryptocurrency world where 12 words from BIP39
wordlist contain 128 bits of entropy (incl 4 bits of checksum), and
can be asked to be entered back (either in full or via random
spot-checks).
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1928860
Title:
Recovery key is low-entropy
Status in ubiquity package in Ubuntu:
Confirmed
Bug description:
Ubuntu 21.04 Desktop ISO includes Ubiquity installer which offers the
user to set up full-disk encryption. In this set-up a recovery key is
automatically generated and added to the system.
The recovery key is 16 decimal digits or ~53.2 bits of entropy so
within capabilities of offline brute-force attacks for well-resourced
attackers.
To confirm, the key is generated here:
https://git.launchpad.net/ubuntu/+source/ubiquity/tree/ubiquity/plugins
/ubi-partman.py#n306 and used here:
https://git.launchpad.net/ubuntu/+source/ubiquity/tree/scripts/plugininstall.py#n915
(see also the attached screenshot).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1928860/+subscriptions
More information about the foundations-bugs
mailing list