I later found a nice article documenting the entire system. It
also includes references to JohnTheRipper having a module for
this. Well, this was more fun.
Off-topic, but my personal work sometimes ends up on the front page, and I'm always amazed how much reposting there is on HN - probably more than on Reddit and similar sites. Say, here's my stuff:
The process seems quite random; sometimes, the same link is submitted four times and lingers at score 1, and then some random dude's fifth attempt goes to #1. May be an interesting thing to graph (and get a #1 story on HN out of =).
Doing something for the sake of learning doesn't ever feel like wasted time. When I was first getting into networking I wanted to connect two computers directly without have a router or a switch between them. I carefully researched how to cut and crimp an ethernet cable into be a crossover cable, and successfully connected the two.
Feeling proud of myself, I scrolled farther down the page that described it only to read that most NICs will automatically do it for you and you don't need to make crossover cables any more. I'm still glad I took the time.
It checks the key against some kind of authenticator in the superblock, which is what one would expect from any kind of offline crypto.
The real problem is that FDE in the usual sense is (from the strict cryptological sense) very weak encryption, because it cannot afford to expand the encrypted data and has to allow random access (so no random IVs, no authentication tags...). It's relatively trivial to design FDE scheme that is fully secure, but it has 2x block io-op amplification for both read and write, which means unusable performance (certainly on rotating disks, probably even on SSD). Various wide-block encryption modes (AES-XTS etc.) attempt to mitigate attack vectors caused by this, but are secure only under certain FDE-specific attack models.
It's not doing very much before validating, which would reduce the risk. But more importantly it doesn't have any information to leak. The whole block of data is public.
I... Actually didn't think of that, to be honest. But it would have involved rebuilding the OpenBSD kernel, so it probably wasn't easier. Also, the tool wouldn't have been reusable. But yeah, good thinking.
Does anyone know if this is the default? If I'm understanding this correctly, it's around 10 ms of key derivation time; on FreeBSD we default to 2 s, which should make cracking disk encryption 200x more expensive.
What key derivation time would you advise targeting for a server with 20-100 disks, where each disk has a unique KDF salt?
How many times stronger would scrypt targeting 2s be compared to PBKDF2 targeting 2s? If using scrypt for many disks would it then be safe to target 10-100ms so as not to impact on reboot times?
In essence, that's precisely what he's doing. The exact on-disk metadata layout may not be documented anywhere, so he pieced it together using the structure definitions in the source code.
For those reading along at home, what is being done here is a run-of-the-mill bruteforce, this article could be about any FDE implementation.
So now the real question .. what was the password? :-)
I've had to do a similar thing with OpenBSD's softraid. In an unfortunate incident with a problematic hard drive that mostly works but sometimes gets stuck reading / clicking for a while. That while once took too long and resulted in a timeout, softraid flagged the disk as being offline. I started a rebuild, but later on got a bit paranoid and ran smart checks on both of the mirrored disks. Well, the other disk didn't respond well to smart and got itself flagged offline. Now my softraid mirror was down with one disk halfway through a rebuild and the other disk just fine but flagged bad.
Recovery was a matter of finding the right metadata bit on the disk that tells softraid about the disk's status. That was the hardest part (and not that hard, but it certainly felt like reverse-engineering the system). I flipped a byte with dd and my brought the raid up again.
Another way to look at this, is to ask yourself what your threat model is. For example, if your primary concern is losing your laptop while traveling, then writing down your pass phrase and keeping it with other important paperwork (tax returns, property deeds, birth certificate etc) in a home safe or a bank safety deposit box seems totally reasonable. If you have concerns about Protecting your data from law enforcement, then the pass phrase needs to be stored out of the reach of a warrant - a trickier proposition.
Indeed. Good data encryption is also far stronger than the things like locks that people make analogies to in the real world. There is essentially no locksmith. If you lose the key, your data is gone forever. As illustrated by this article, if you have weak passphrases there are ways around it, so I suppose it is possible to "tune" the strength of your encryption that way.
I briefly went all-in on security, cryptocurrency, tor, etc., and had a locked down desktop machine encrypted with LUKS. Then, I moved, and it took me a few weeks to get the computer set back up. In that time, I'd forgotten my passphrase. So, I have a desktop machine containing (at least) a couple hundred bucks worth of cryptocurrencies that I can't open. I still think I remember the passphrase I used, but it doesn't work, so I'm obviously missing a word or a punctuation addition (I used the CorrectHorseBatteryStaple method of making a memorable passphrase in this case).
I've been known to do dumb things, and going down the rabbit hole of cryptocurrencies and how to securely use said currencies was one of them. These days I put everything of importance into Google drive, Dropbox, and/or git (not github...a privately hosted git that I access via ssh and runs on a VM on hardware I own in a data center I trust). If it is sensitive, it is encrypted with a passphrase I've been using for a couple decades, and so it unlikely to be forgotten. A high capability attacker could thwart my protections, I'm sure, but I don't have any reason to believe a high capability attacker has any interest in me.
And, I don't hold much cryptocurrency, and what I do hold is at Coinbase, just sitting there on the off chance Bitcoin really does take over the world and a small amount turns into a big value.
He probably just misremembered a few characters of his password, like mypass1234, mypass1235, mypass4321, etc. It would be time consuming for human to try all the 4 digits but trivial for computer to try out the 9999 enumeration.
The complication is finding out the algorithm used and the parameters applied to the algorithm. Once figured out, he wrote the small program to brute force the small enumeration.
This is a very good illustration of the need for long and non-trivial password; otherwise, it can be easily guessed.
I do that too! I have the same "suffix" that's on all of them that I leave off the written version for a tiny bit of extra security. It's just a few characters that I've been using consistently for years on written-down passwords.
> 1) store passwords in the password manager, even the ones you think aren't important.
Losing the password that unlocks full disk encryption (FDE) is like losing the password that unlocks your password manager. At some point you have to have something stored only in your mind.
Now sure you could have your FDE password stored in a password manager as well but that's probably not a good idea. Also, compared to just about everything else saved in a password manager, you'd have to manually type the FDE password at boot. You can't copy/paste it as if anything your password manager would be running on a different computer.
How would backing up help? If you back up the encrypted data, then your backup is still useless because you don't have your password. If you back up an unencrypted copy, that defeats the purpose of encryption.
Scribbling the passwords in a notebook isn't a bad idea (although don't write "My Passwords" on the front cover). The security of physical things is well understood by most humans.
[+] [-] 0xmohit|9 years ago|reply
Wonder how many times are the same items posted: https://news.ycombinator.com/from?site=filippo.io
[+] [-] f-|9 years ago|reply
https://news.ycombinator.com/from?site=lcamtuf.blogspot.com
https://news.ycombinator.com/from?site=coredump.cx
The process seems quite random; sometimes, the same link is submitted four times and lingers at score 1, and then some random dude's fifth attempt goes to #1. May be an interesting thing to graph (and get a #1 story on HN out of =).
[+] [-] morecoffee|9 years ago|reply
Feeling proud of myself, I scrolled farther down the page that described it only to read that most NICs will automatically do it for you and you don't need to make crossover cables any more. I'm still glad I took the time.
[+] [-] jl6|9 years ago|reply
[+] [-] 0xmohit|9 years ago|reply
[+] [-] camtarn|9 years ago|reply
https://blog.filippo.io/so-i-lost-the-password-of-my-nas/
[+] [-] bcook|9 years ago|reply
[+] [-] moyix|9 years ago|reply
[1] https://moxie.org/blog/the-cryptographic-doom-principle/
[+] [-] FiloSottile|9 years ago|reply
FDE doesn't have space for and can't afford (because of the random read patterns) authentication tags, so it uses modes like AES-XTS instead.
What that HMAC does is just confirming that the passphrase is the right one. Think of it as a checksum, not as authentication.
[+] [-] JoachimSchipper|9 years ago|reply
[+] [-] dfox|9 years ago|reply
The real problem is that FDE in the usual sense is (from the strict cryptological sense) very weak encryption, because it cannot afford to expand the encrypted data and has to allow random access (so no random IVs, no authentication tags...). It's relatively trivial to design FDE scheme that is fully secure, but it has 2x block io-op amplification for both read and write, which means unusable performance (certainly on rotating disks, probably even on SSD). Various wide-block encryption modes (AES-XTS etc.) attempt to mitigate attack vectors caused by this, but are secure only under certain FDE-specific attack models.
[Edit: formatting and last sentence]
[+] [-] Dylan16807|9 years ago|reply
[+] [-] Drdrdrq|9 years ago|reply
[+] [-] FiloSottile|9 years ago|reply
[+] [-] cperciva|9 years ago|reply
Does anyone know if this is the default? If I'm understanding this correctly, it's around 10 ms of key derivation time; on FreeBSD we default to 2 s, which should make cracking disk encryption 200x more expensive.
[+] [-] FiloSottile|9 years ago|reply
[+] [-] zaroth|9 years ago|reply
[+] [-] _urga|9 years ago|reply
How many times stronger would scrypt targeting 2s be compared to PBKDF2 targeting 2s? If using scrypt for many disks would it then be safe to target 10-100ms so as not to impact on reboot times?
[+] [-] zakk|9 years ago|reply
[+] [-] notaplumber|9 years ago|reply
For those reading along at home, what is being done here is a run-of-the-mill bruteforce, this article could be about any FDE implementation.
So now the real question .. what was the password? :-)
[+] [-] clarry|9 years ago|reply
Recovery was a matter of finding the right metadata bit on the disk that tells softraid about the disk's status. That was the hardest part (and not that hard, but it certainly felt like reverse-engineering the system). I flipped a byte with dd and my brought the raid up again.
[+] [-] z3t4|9 years ago|reply
[+] [-] pacaro|9 years ago|reply
[+] [-] userbinator|9 years ago|reply
[+] [-] SwellJoe|9 years ago|reply
I've been known to do dumb things, and going down the rabbit hole of cryptocurrencies and how to securely use said currencies was one of them. These days I put everything of importance into Google drive, Dropbox, and/or git (not github...a privately hosted git that I access via ssh and runs on a VM on hardware I own in a data center I trust). If it is sensitive, it is encrypted with a passphrase I've been using for a couple decades, and so it unlikely to be forgotten. A high capability attacker could thwart my protections, I'm sure, but I don't have any reason to believe a high capability attacker has any interest in me.
And, I don't hold much cryptocurrency, and what I do hold is at Coinbase, just sitting there on the off chance Bitcoin really does take over the world and a small amount turns into a big value.
[+] [-] wglb|9 years ago|reply
Note what George Smiley is known to reply: "There was every reason":
Peter Guillam: Well, at the time there was no reason to suppose the phone was tapped... George Smiley: There was every reason.
(from http://www.imdb.com/character/ch0030043/quotes as well as the book)
[+] [-] witty_username|9 years ago|reply
[+] [-] _ph_|9 years ago|reply
[+] [-] ww520|9 years ago|reply
The complication is finding out the algorithm used and the parameters applied to the algorithm. Once figured out, he wrote the small program to brute force the small enumeration.
This is a very good illustration of the need for long and non-trivial password; otherwise, it can be easily guessed.
[+] [-] Tuna-Fish|9 years ago|reply
[+] [-] lima|9 years ago|reply
[+] [-] ams6110|9 years ago|reply
[+] [-] unknown|9 years ago|reply
[deleted]
[+] [-] EGreg|9 years ago|reply
[+] [-] rwallace|9 years ago|reply
[+] [-] AWildDHHAppears|9 years ago|reply
[+] [-] yuja_wang|9 years ago|reply
[+] [-] imaginenore|9 years ago|reply
1) store passwords in the password manager, even the ones you think aren't important.
2) backup your data
[+] [-] koolba|9 years ago|reply
Losing the password that unlocks full disk encryption (FDE) is like losing the password that unlocks your password manager. At some point you have to have something stored only in your mind.
Now sure you could have your FDE password stored in a password manager as well but that's probably not a good idea. Also, compared to just about everything else saved in a password manager, you'd have to manually type the FDE password at boot. You can't copy/paste it as if anything your password manager would be running on a different computer.
[+] [-] colejohnson66|9 years ago|reply
[+] [-] rwmj|9 years ago|reply
[+] [-] manigandham|9 years ago|reply