#723729 partman-crypto: LUKS master key is read from /dev/urandom

#723729#5
Date:
2013-09-19 09:38:07 UTC
From:
To:
Hello,

it seems that upon initialization of encrypted volumes, the LUKS master
key is created by reading "entropy" from /dev/urandom which means that
in case the kernel is low on entropy at the time of volume creation,
the volume will be vulnerable to cryptanalysis.  This is very, very
bad, it puts our users at risk.

Sadly, this insecure method for creating the master key is the default
and cryptsetup requires explicit specification of the "--use-random"
switch for /dev/random to be used instead, cf.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714331

I understand that machines without entropy sources will block when
reading from /dev/random, but I sincerely believe that it is
irresponsible to cover that up by silently degrading encryption,
instead of alerting the user to that fact.

Thus I propose to change setup_luks() to:
1. By default, run cryptsetup with "--use-random" in a backgrounded
   job.
2. In case the job doesn't return within a couple of seconds, instruct
   the user to a) either press keys until enough entropy has been
   gathered or b) select "Cancel" and continue in unsafe manner. If the
   user choses b), kill cryptsetup and re-run it with "--use-urandom".
3. In case of unattended installs, abort the installation if cryptsetup
   doesn't return within say 60 seconds.
4. Add a config option ("allow unsafe master key") to allow pre-seeding
   of "--use-urandom".

Best regards,
Thiemo

#723729#10
Date:
2013-09-19 16:57:41 UTC
From:
To:
Quoting Thiemo Nagel (thiemo.nagel@gmail.com):


Don't we have such things?

I'm sure I translated screens where users are prompted to type keys,
move the mouse and do other stuff in order to generate entropy.

I don't really know much abou tpartman-crypto internals, but you might
want to check this first.

#723729#15
Date:
2013-09-19 21:31:00 UTC
From:
To:
I faintly remember something like that, too. But I can't see it in the
code. Have a look at (what I believe to be) the relevant snippet in
setup_luks() from crypto-base.sh:

    log-output -t partman-crypto \
    /sbin/cryptsetup -c $cipher-$iv -s $size luksFormat $device $pass
    if [ $? -ne 0 ]; then
        log "luksFormat failed"
        return 2
    fi

#723729#20
Date:
2013-09-22 12:43:58 UTC
From:
To:
Quoting Regis Boudin (regis@boudin.name):

(let's answer to the bug report)

OK, then it seems that we "only" need someone to use cdebconf-entropy
widgets from partman-crypto, then.

Thiemo, you seem to have great intereste in partman-crypto......:-)

#723729#25
Date:
2013-09-23 09:46:51 UTC
From:
To:
Dear Christian,

I really appreciate your confidence in me... ;-)

BTW: I found this gem in man urandom (emphasis mine): "As a general
rule, /dev/urandom should be used for everything *except* long-lived
GPG/SSL/SSH keys." As the md-crypt master key probably is a prime
example for a long-lived cryptographic key: do you think it would be
adequate to tag the bug "security" and/or to increase its severity?
Which (point) release would you like to aim for to resolve the issue?

Thank you and best regards,
Thiemo

#723729#30
Date:
2013-09-23 16:46:08 UTC
From:
To:
Quoting Thiemo Nagel (thiemo.nagel@gmail.com):


Probably none. I think it's quite unlikely that we go and fix this for
wheezy, and more likely that it's addressed only in jessie.

Sad, but probably realistic..:-)

#723729#35
Date:
2013-09-23 17:37:04 UTC
From:
To:
Christian PERRIER <bubulle@debian.org> (2013-09-23):

We could think of fixing it in wheezy, but surely not before it has been
exposed to unstable/testing users for a while; meaning not the next
point release in any cases.

Mraw,
KiBi.

#723729#40
Date:
2013-10-15 19:46:37 UTC
From:
To:
urandom also is used in crypto-volume wiping. This should be changed,
too. (And a grep for further occurrences might be sensible.)

#723729#45
Date:
2013-10-16 01:40:46 UTC
From:
To:
Hi Thiemo,

Good to have someone reviewing this code.  Use of --use-urandom by
default is a very good catch and fully agree with changing that.

The wipe is already done with a potentially lower level of security,
because it forces AES-128 in XTS mode regardless of what the user chose
for encryption of allocated data:

http://anonscm.debian.org/gitweb/?p=d-i/partman-crypto.git;a=blob;f=lib/crypto-base.sh;h=e0f8e77900d05346a6beddec19b0adc3c9535d12;hb=HEAD#l341

I think that's wrong, and not what a user expects.  If the user is
patient enough to wait for a wipe to complete, at least use their chosen
algorithm and key size instead of something arbitrary?  And then it
makes sense to use /dev/random too.

Or, if they don't care about protecting unallocated blocks, they can
already skip this step.

Sometimes people want to erase quickly whatever's already on disk, but
that's an almost completely different use case perhaps not involving
crypto, where writing all zeroes or some kind of TRIM might be adequate
and even faster.  (AES-128 + XTS was probably used above because it
tends to be fast, but not necessarily on all platforms).

Regards,

#723729#50
Date:
2013-10-16 08:01:56 UTC
From:
To:
Hi Steven,

I share your concerns about the potentially less secure wipe. It has
been addressed yesterday. :-)

http://bugs.debian.org/726448

Cheers,
Thiemo