Re: kernel encryption in 2.2.10

Alexander Kjeldaas (astor@fast.no)
Mon, 6 Sep 1999 14:32:45 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Riley Williams: "Re: driver for 3COM USR PCI v.90 modem?"
Previous message: Steve Underwood: "Re: > 15,000 Simultaneous Connections"
In reply to: Mike Jagdis: "Re: > 15,000 Simultaneous Connections"
Next in thread: Andreas Schwab: "Re: > 15,000 Simultaneous Connections"

On Mon, Sep 06, 1999 at 11:37:00AM +0000, trb@eastpac.com.au wrote:
> Hi,
>
> I've been trying to get kernel encryption, specifically IDEA, running with the
> 2.2.10 kernel. I patched the kernel with patch-int-2.2.10.4 from kerneli.org, and
> turned on all the relevant config options:
>
> CONFIG_CIPHERS=y
> CONFIG_CIPHER_BLOWFISH=m
> CONFIG_CIPHER_DES=m
> CONFIG_CIPHER_DFC=m
> CONFIG_CIPHER_IDEA=m
> CONFIG_CIPHER_MARS=m
> CONFIG_CIPHER_RC5=m
> CONFIG_CIPHER_RC6=m
> CONFIG_CIPHER_SERPENT=m
>
> CONFIG_BLK_DEV_LOOP=y
> CONFIG_BLK_DEV_LOOP_USE_REL_BLOCK=y
> CONFIG_BLK_DEV_LOOP_GEN=y
> # CONFIG_BLK_DEV_LOOP_CAST is not set
> CONFIG_BLK_DEV_LOOP_FISH2=m
>
> I also obtained util-linux-2.9u and applied util-linux-2.9s.patch to it, to
> build suitable mount, umount and losetup tools.
>
> Now when I try to setup an encrypted filesystem using the loopback device (with
> anything other than XOR), I get e.g. :
>
> root@lethe /tmp> losetup -e DES /dev/loop0 image
> Password:
> Init (up to 16 hex digits):
> ioctl: LOOP_SET_STATUS: Invalid argument
>
> I noticed some previous discussion on the list of precisely the same problem,
> but it usually ended with an admonition to apply the crypto patch to the kernel
> (which I have already done); however there was one interesting response from
> arslanm@gate.marketweb.net.tr citing loop.c :
>

The util-linux patch for DES uses the result of getpass() directly.
This means that it requires the user to write a password containing
only characters that already have correct parity. It will also in
most cases give you a lot less than 56-bit security since you usually
don't enter characters with values above 128. This also means that
you can't type a long sentence, but only a password consisting of 8
characters. I'm not sure why it ever worked, but since DES is bad
anyway, I decided that you could as well be backwards compatible. In
my opinion, no new users should use DES.

The util-linux patch for all the newer ciphers use RIPEMD-160 to hash
the password. The hash value is then forwarded to the kernel. 128 or
160 bits of the hash are forwarded depending on the cipher.

I've updated the util-linux patch in kerneli to print a warning if
you use DES.

astor

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Riley Williams: "Re: driver for 3COM USR PCI v.90 modem?"
Previous message: Steve Underwood: "Re: > 15,000 Simultaneous Connections"
In reply to: Mike Jagdis: "Re: > 15,000 Simultaneous Connections"
Next in thread: Andreas Schwab: "Re: > 15,000 Simultaneous Connections"