I've noticed that Linux's cryptsetup utility by default uses PBKDF2 as its key derivation function (KDF) rather than bcrypt, when bcrypt has more resistance to brute forcing from GPUs. Why would cryptsetup use a technically less secure KDF and opt for a high number of iterations?

john doe
  • What makes you think that PBKDF2 is "less secure" than bcrypt? –  Jul 18 '19 at 13:41
  • Just speculating, but it may have something to do with bcrypt's significantly higher memory usage and Linux's frequent usage in embedded environments, and that PBKDF2 is not inherently _less_ secure, it just requires more iterations to achieve the same security. – Nic Jul 18 '19 at 14:26
  • @MechMK1 "when bcrypt has more resistance to brute forcing from GPUs" – john doe Jul 18 '19 at 14:28
  • See this question [What's the advantage of using PBKDF2 vs SHA256 to generate an AES encryption key from a passphrase?](https://security.stackexchange.com/q/16354/86735) – kelalaka Jul 18 '19 at 14:53
  • GPUs don't work, but the idea of using a large number of simple cores (compared to a small number of expensive, complex, energy inefficient cores like your PC has) [still applies](https://www.openwall.com/presentations/Passwords14-Energy-Efficient-Cracking/). Bcrypt is small enough to be easily parallelized, potentially improving cracker hash rates. (Even without ASICs; still with relatively inexpensive commodity hardware.) Bcrypt is absolutely better than PBKDF2, but if you have the resources available for better password hashing you should use something better. – Future Security Jul 18 '19 at 16:09
  • Might be that whoever created it wanted something that could be FIPS 140 certified. PBKDF2 is an approved FIPS 140 algorithm. bcrypt is not. – Swashbuckler Jul 18 '19 at 16:33
  • You should ask the authors why, not us. We can only make educated guesses. I don't think there is a lot of difference when it comes to the security of PBKDF2 or bcrypt. Real differences are obtained when a true memory-hard function is used, like scrypt or a variant of Argon2. – Maarten Bodewes Sep 06 '19 at 01:16
  • Cryptsetup itself doesn't care about the KDF, so I assume you're talking about LUKS, which specifies PBKDF2. Anyway, LUKS2 now supports Argon2 (which is even better than bcrypt). – forest May 20 '21 at 02:18

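The comments note that the KDF is recorded in the LUKS header and that LUKS2 can use Argon2 instead of PBKDF2. As an added example (not code from this thread or from the cryptsetup project), the script below reads `cryptsetup luksDump` text and reports which keyslots still stretch their passphrase with a KDF that is not memory-hard. The sample dump is constructed, its layout is assumed to follow LUKS2 `luksDump` output, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample in the layout of `cryptsetup luksDump` for a LUKS2 header
# (trimmed and invented for this example, not captured from a real device).
SAMPLE_DUMP = """\
LUKS header information
Version:        2

Keyslots:
  0: luks2
\tPBKDF:      argon2id
\tTime cost:  4
\tMemory:     1048576
  1: luks2
\tPBKDF:      pbkdf2
\tHash:       sha256
\tIterations: 1866793
Tokens:
Digests:
  0: pbkdf2
\tIterations: 116508
"""

MEMORY_HARD = {"argon2i", "argon2id"}  # PBKDFs LUKS2 offers besides pbkdf2

def keyslot_kdfs(dump):
    """Map keyslot number -> {'PBKDF': ..., 'Memory': ..., 'Iterations': ...}."""
    slots, section, current = {}, None, None
    for line in dump.splitlines():
        if line and not line[0].isspace():       # unindented line opens a section
            section, current = line.split(":")[0], None
        elif section == "Keyslots":
            # The Digests section also says pbkdf2, but it covers the
            # volume-key digest, not a passphrase, so it is skipped.
            slot = re.match(r"\s+(\d+): luks2", line)
            field = re.match(r"\s+(PBKDF|Memory|Iterations):\s+(\S+)", line)
            if slot:
                current = slots.setdefault(int(slot.group(1)), {})
            elif field and current is not None:
                current[field.group(1)] = field.group(2)
    return slots

def slots_without_memory_hard_kdf(dump):
    """Keyslots whose passphrase is stretched by a KDF that is not memory-hard."""
    return sorted(n for n, s in keyslot_kdfs(dump).items()
                  if s.get("PBKDF") not in MEMORY_HARD)

if __name__ == "__main__":
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print("keyslots not on a memory-hard KDF:", slots_without_memory_hard_kdf(text))
```

Pipe real `cryptsetup luksDump <device>` output into the script to check a header; a flagged slot on a LUKS2 device can be moved with `cryptsetup luksConvertKey --pbkdf argon2id <device>`.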