Package: cryptsetup
Version: 2:1.6.1-1
Severity: normal
File: /usr/share/initramfs-tools/scripts/local-top/cryptroot
The initramfs-tools handling for encrypted root device passphrases has a "sleep 3" after each failure to enter the correct passphrase, presumably to deter brute-forcing. However, this is not required.

LUKS already has its own built-in secure delay mechanism inherent in the format, by using iterated hashing to force a certain amount of work to check a passphrase (specifically, PBKDF2). Any attempt to brute-force a device passphrase will necessarily incur that computational delay for each passphrase checked (calibrated by default to take about 1 second on the machine that created the encrypted partition), whereas anyone attempting to brute-force the crypto passphrase would simply remove the sleep call (and for that matter the whole shell script, and the keyboard input).

So, with that in mind, the sleep 3 has no security value, but it does serve to add extra annoyance to anyone who mistypes their password. Please remove it.

- Josh Triplett
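The argument above rests on the PBKDF2 work factor being paid on every check. The following Python is an added illustration, not part of the report and not cryptsetup's code: it models how a LUKS-style iteration count is calibrated to a target time (the calibration loop is an assumption modelled on cryptsetup's --iter-time behaviour) and shows that the per-guess cost lives in the key derivation itself, so an external sleep adds nothing an offline attacker would pay.

```python
import hashlib
import hmac
import os
import time

# Constructed example, not cryptsetup's code: a simplified model of how a
# LUKS-style PBKDF2 work factor is calibrated (cf. cryptsetup --iter-time)
# and then paid on every passphrase check.

def derive_key(passphrase, salt, iterations):
    """PBKDF2-HMAC-SHA256: the work every check of a passphrase must pay."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, 32)

def measure_rate(probe_iters=20_000):
    """Iterations per second this machine achieves."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"probe", salt, probe_iters)
    return probe_iters / max(time.perf_counter() - start, 1e-9)

def iterations_for_target(rate, target_ms):
    """Iteration count so that one check takes about target_ms at `rate`."""
    return max(1000, int(rate * target_ms / 1000))

def calibrate(target_ms=1000):
    """Benchmark this machine and pick a count for ~target_ms per check."""
    return iterations_for_target(measure_rate(), target_ms)

def guess_cost_seconds(iterations, rate, guesses):
    """Time an offline attacker pays for `guesses` attempts at `rate` iter/s.
    The initramfs sleep does not appear: the attacker never runs that script."""
    return guesses * iterations / rate

class LuksLikeSlot:
    """Key slot: salt, iteration count and a digest of the derived key."""

    def __init__(self, passphrase, iterations):
        self.salt = os.urandom(32)
        self.iterations = iterations
        key = derive_key(passphrase, self.salt, iterations)
        self.check = hashlib.sha256(key).digest()

    def unlock(self, passphrase):
        # The delay is inherent here; no extra sleep is needed to rate-limit.
        key = derive_key(passphrase, self.salt, self.iterations)
        return hmac.compare_digest(hashlib.sha256(key).digest(), self.check)
```

Raising the iteration count (or the target time at format time) is the lever that actually changes the attacker's cost; the interactive sleep only changes the legitimate user's.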

