2

Link to the thread: Recommended options for LUKS (cryptsetup)

I wonder what's the exact difference between SHA1 and SHA512. I know that SHA512 has a longer key but I've read that it doesn't matter which one you chose because LUKS loops the Hash until 1 second real time has passed.

So why are there even the options to SHA512, Whirlpool or SHA256? What is the difference? Seems like there isn't one. I'm a bit confused.

Community
  • 1
user284148
  • 303
  • 5
  • 9
  • Hashing and encrypting are two different concepts. Encryption uses keys to create the encrypted cyphertext, whereas hashes are intended to be one-way. I haven't read up on the linked article, but I'm guessing it uses SHA1 and a set amount of iterations with the goal of taking 1 second on that computer's hardware in order to derive the key used by the encryption. Thats a technique referred to as key-stretching. You could probably rephrase your question with this in mind. – Andrew Hoffman Jan 15 '15 at 14:08
  • And after reading the link, you can see that his benchmarks are separated into two areas. The top one is a list of hashes including the number of iterations necessary to reach the desired amount of time required to derive the key. It is these derived keys that are used in the below encryption algorithms. Take note of the key column, some use 128bit keys, others use 256bit keys, and others use 512bit keys. The hashes used to derive the keys determines their bit length. SHA1 = 160, SHA-256 = 256, SHA-512 = 512. – Andrew Hoffman Jan 15 '15 at 14:20
  • Check out the SHA comparisons, take note of the Output size column: http://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions – Andrew Hoffman Jan 15 '15 at 14:25
  • @AndrewHoffman I know there is the difference between the key length. But how is SHA1 in FDE compared to SHA512? Is it less secure? Are both the same with the goal to the 1 sec in iterations? If so: why even use SHA512 when SHA512 takes the exact same time than SHA1. Or are there differences in security? – user284148 Jan 15 '15 at 15:31
  • As long as the number of iterations is sufficiently large to ensure that nobody can afford to bruteforce the key, I think thats probably good enough. Collisions have been found in SHA1, but I don't believe that can be considered a vulnerability when you still have to find a collision in a SHA1 that is iterated 100k times. (because they still have to go through your KDF in order to login) For vulnerabilities like that, I'd go ask the peeps over at crypto.stackexchange.com – Andrew Hoffman Jan 15 '15 at 15:47
  • @AndrewHoffman I found that in the VeraCrypt forums:

    Also, the statement that the underlaying hash function doesn't matter is completely false because there are security requirements that must be fulfilled by the hash function in order to the key derivation to be secure. Otherwise, there will be no need for cryptography and we can stick with 30 years old hash functions like MD4!! Anyway, in such security topics, one must carefully check any statement or information before endorsing it or using it.

     – user284148 Jan 15 '15 at 16:00
  • If logging into a system, the user has to get through your gate, which means supplying you a cleartext that after passing through the KDF(alg, n) before used. Thats where I wouldn't consider SHA1 a vulnerability due to collisions being found. For use of creating a key for HDD encryption, the KDF can be bypassed, you just need to find a key that works. For HDD encryption, collisions are a problem for sure. Use cases make all of the difference. For example, for checksums against files, MD5 is perfectly fine. – Andrew Hoffman Jan 15 '15 at 16:10
  • Thanks so far. I'm still confused cuz everbody tells me a different story :( – user284148 Jan 15 '15 at 16:20
  • Let us continue this discussion in chat. – Andrew Hoffman Jan 15 '15 at 17:05
  • If you have a 64 bit CPU, I'd recommend SHA-512 over SHA-256 or SHA-1. – CodesInChaos Jan 15 '15 at 17:10

3 Answers3

1

Let me just use an answer to explain differences between key-stretching and hashing, even though this isn't an answer to your question.

I'm not going to use a real-world example of collisions, because I don't know what they are, so my hash examples will be purely random.

Imagine your password is pass123, let sha1Result = sha1('pass123').

A collision is when bksdajfdjfaskf can also be used, where sha1Result also = sha1('bksdajfdjfaskf').

A KDF is a feedback loop, where sha1Result2 = sha1(sha1Result) and sha1Result3 = sha1(sha1Result2) and so on n number of times.

The below example KDF() function will be KDF(password, hash-algorithm, iteration-count)

Let kdfResult = KDF('pass123', SHA1, 100,000).

Let kdfResult also = sha1('jadfjlkdfjasldfjskdf') because we have a collision, sort-of, but not really.

Because in order for you to log into my system, you must pass through my KDF(), just having a sha1() collision of my KDF() does not help you, because I do not sha1() your supplied cleartext in order to authenticate you, I KDF() your supplied cleartext, and KDF('jadfjlkdfjasldfjskdf', SHA1, 100,000) does not match KDF('pass123', SHA1, 100,000).

This is a different use-case for a KDF than for HDD encryption. For HDD encryption, the KDF is not used to authenticate, but its used as a key for the encryption of the data.

However, that might be what you should reform your question around. Are the SHA1 collision vulnerabilities still a vulnerability when iterated 103,696 times?

Andrew Hoffman
  • 2,007
  • 16
  • 17
1

One important difference between, in particular SHA-1 (or PBKDF2-HMAC-SHA-1) and SHA-512 (or PBKDF2-HMAC-SHA-512) is that SHA-512 (and SHA-384) requires 64-bit operations, which at this time drastically reduce the advantage most attackers have using GPU's over your application using its CPU, because modern GPU's don't have the same speedup on 64-bit operations that they do on 32-bit.

See oclHashcat benchmarks for reference.

Anti-weakpasswords
  • 9,980
  • 2
  • 25
  • 53
0

The main difference between SHA-1 and SHA-256/SHA-512 is that cryptographic weaknesses were discovered with SHA-1 (likely involving collisions). The main difference between SHA-256 and SHA-512 is that the first produces 256 bits (32 bytes)-long digest and the second 512 bits (64 bytes)-long one.

The reason Luks gives you the option to choose a cipher is so that you can select a good trade-off between read latency and encryption strength. If a particular cipher makes reading from your disk very slow, then you have the option to weaken the encryption and get better performance.

There may be a confusion in the way the question was asked. The SHA cryptographic hash functions are used to do "key-stretching" of the disk password. Luks stores the cryptographic master key for the disk in a secure fashion. The disk password is required to unlock the master key, before the master key can be used to read the disk. It is during this unlocking phase that SHA is employed to do what is called key-streatching on the password.

techraf
  • 9,159
  • 11
  • 45
  • 63
Brent Kirkpatrick
  • 950
  • 4
  • 19