LUKS: longer passphrase iteration count

Question

From the manual of cryptsetup:

Passphrase processing: Whenever a passphrase is added to a LUKS header (luksAddKey, luksFormat), the user may specify how much the time the passphrase processing should consume. The time is used to determine the iteration count for PBKDF2 and higher times will offer better protection for low-entropy passphrases, but open will take longer to complete. For passphrases that have entropy higher than the used key length, higher iteration times will not increase security.

Notice the last sentence:

For passphrases that have entropy higher than the used key length, higher iteration times will not increase security.

1. What do they mean by "used key length" ?
   Which key is that, exactly?
2. So if passphrase is longer than that key length - would an iteration of 1 milli-second be sufficient such that its security is identical to the level of security of iteration which is 2000 milli-seconds (2000ms is the default value) ?

Answer 1

Entropy is not length - what this statement is referring to is the relative strength of the password, as compared to the key-length for the symmetric cipher. The short answer is:

1. they key length of the symmetric cipher in use (most likely 256-bit)
2. no

Remember - whatever your password is, if I could try every combination of the number of bits that correspond with the size of your encryption key, then sooner or later I would encounter the correct value. It turns out that this is nice in theory - the pesky reality is that there aren't enough seconds on the clock for me to even try a fraction of this number! So, we look to guessing the password as an alternative strategy...

One way to think of entropy is the level of uncertainty as to what the input/s actually are, if you don't already know them to start with. Ideally you want your adversary to be faced with a large number of possibilities if they were to attempt forcing their way to the encryption key.

The length of the password is only one variable ... but if that word is predictible, then the password itself is considered low entropy. On the other hand, if each character in your password is chosen randomly from an equally likely set of characters, then the longer your password is the higher the entropy.

Another password strategy involves a number of words chosen from a fixed wordlist (eg. see "diceware") that are joined together to produce a more easily remembered passphrase, eg: "wrong donkey capacitor paperclip".

At some point adding more characters to the password (or more words in the case of a passphrase) won't add anything to the relative strength of the key. When the password is hashed to the symmetric encryption key using the key derivation function (kdf), it is limited to the key-size of the specific cryptographic function in use (likely to be 256-bit). There will be multiple password inputs that lead to the same encryption key, though encountering these is highly unlikely with modern algorithms.

This act of converting a password to a key is commonly called a password-based kdf. These password-based kdfs have evolved to add some additional hardness factor (iterations/ memory cost/ etc), so that it becomes infeasible or cost-prohibitive to try all possibilities even when your input is lower entropy (ie. from a smaller pool of possibilities). The lower the entropy (relative strength) of your password, the harder the kdf should be and the slower it should run to produce a key from one input.

Further reading:

• At what point does adding more iterations to PBKDF2 provide no extra security?
• PBKDF2 used to generate an encryption key: long shared secret (password) vs iterations count
• LUKS, how to make strongest possible and reasonable passphrase?