Subject: cgdconfig changes
To: None <current-users@NetBSD.ORG, tech-security@NetBSD.ORG>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-security
Date: 03/23/2003 21:31:33
I have just made significant changes to cgdconfig.  These changes
should be reflected in the man page and I shall provide a summary
here.

I've added a number of new features, including the -G flag, an ffs
verify_method, allowing multiple keygen stanzas which are xor'ed
together to produce the key and calibrating the iteration count of
PKCS#5 PBKDF2 to the current machine's speed.

NEW PARAMSFILE PARSER

	I have also modified the paramsfile grammar.  It is
	mostly backwards compatible.  There are statements that
	were not generated by cgdconfig(8) or likely to be entered
	by humans that the old parser would accept but the new
	parser will not, such as:

		algorithm a e s - c b c

	but I think that this will not be much of an issue in
	practice.

	I have been thinking about deprecating the old syntax
	entirely at some point, probably before 2.0 is released,
	but I haven't come up with a decision about that.

THE -G FLAG

	With the -G flag, one can generate a new parameters file
	which will produce the same key as an existing parameters
	file.

	So, if:

		# cgdconfig cgd0 /dev/wd0e params
		/dev/wd0e's passphrase: foobar

	configures your disk, then you can

		# cgdconfig -G params > params2
		old's passphrase: foobar
		new's passphrase: f00b4r

	to create a new parameters file `params2'.  Now either the
	original cgdconfig command or the new command:

		# cgdconfig cgd0 /dev/wd0e params2
		/dev/wd0e's passphrase: f00b4r

	will correctly configure your cgd(4).

	You can do some interesting things with this functionality,
	such as create storedkey paramsfiles on other computers
	for disaster recovery, create paramsfiles that use different
	key generation methods for different environments or allow
	different people to access the same disk using different
	passphrases.

KEYGENS ARE STANZAS

	Well, I made the keygen statements into stanzas to allow
	one to specify more than one of them.  In the case that
	more than one is specified they are just xor'ed together
	to produce the final key.  This allows basic n-factor
	authentication behaviour.  The only real n-factor auth that
	we currently support is passphrase/storedkey.  The storedkey
	could be, say, stored on a USB dongle and hence would
	qualify as ``something you have'' to go along with the
	passphrase ``something you know''.

	I'm planning on adding another keygen method at some point
	to make this a little more interesting.

PKCS#5 PBKDF2 ITERATION CALIBRATION

	I cannot stress enough how important having a reasonably
	large iteration count is for PKCS#5 PBKDF2.  People generally
	choose passphrases that are relatively low in entropy and
	thus the passphrase is by far the weakest link for most
	forms of encryption.  The only answer to this problem is
	to increase the challenge of performing a dictionary attack
	on the passphrase.  PKCS#5 PBKDF2 is designed to make this
	more difficult and includes an iteration count to make
	things take a little longer.  What I do in this update is
	calibrate the PKCS#5 PBKDF2 algorithm to take about 1s to
	generate the key from the passphrase on your computer.  1s
	is not very long to wait when configuring the disk, but it
	is an eternity if you are trying to perform a dictionary
	attack.  I used calibration because (1) I couldn't think
	of a good iteration count for both VAX and Alpha, and (2)
	I didn't want to have to keep bumping the iteration count
	every year.
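An added model (my own code, not cgdconfig's source) of the three mechanisms described above: several keygen stanzas XORed into the final key, the -G rewrite expressed as a new pkcs5_pbkdf2 stanza paired with a storedkey, and calibrating the PBKDF2 iteration count to about a second on the current machine.  Assumptions: HMAC-SHA1 inside PBKDF2, a 256-bit final key, and that -G achieves "same key, different passphrase" by the storedkey construction shown here; the passphrase is kept in the stanza dict only for this model, since the real tool prompts for it.

```python
"""Constructed model of cgdconfig keygen stanzas, -G and iteration calibration.
Assumptions: HMAC-SHA1 in PBKDF2, 256-bit key, -G modelled as pbkdf2 XOR storedkey."""
import hashlib
import os
import time

KEY_BYTES = 32      # 256-bit final key (assumption)
SALT_BYTES = 16

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine two keygen outputs; every stanza must yield the same length."""
    if len(a) != len(b):
        raise ValueError("keygen stanzas must produce keys of equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def keygen_pbkdf2(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """PKCS#5 PBKDF2 stanza: the iteration count is what slows dictionary attacks."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations, KEY_BYTES)

def calibrate_iterations(target_seconds: float = 1.0, probe: int = 20000) -> int:
    """Time a probe run and scale linearly so one derivation takes roughly
    target_seconds on this machine, instead of hard-coding a count per CPU."""
    start = time.perf_counter()
    keygen_pbkdf2(b"calibration", bytes(SALT_BYTES), probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))

def derive_key(stanzas: list) -> bytes:
    """XOR every stanza's contribution into the final key.  A storedkey on its
    own (say, on a USB dongle) reveals nothing without the passphrase stanza."""
    key = bytes(KEY_BYTES)
    for kind, params in stanzas:
        if kind == "pkcs5_pbkdf2":
            part = keygen_pbkdf2(params["passphrase"], params["salt"], params["iterations"])
        elif kind == "storedkey":
            part = params["key"]
        else:
            raise ValueError(f"unknown keygen method {kind!r}")
        key = xor_bytes(key, part)
    return key

def regenerate_params(old_stanzas: list, new_passphrase: bytes, iterations: int) -> list:
    """Model of -G: pick a storedkey so pbkdf2(new passphrase) XOR storedkey
    equals the key the old paramsfile produced (assumed mechanism)."""
    old_key = derive_key(old_stanzas)
    salt = os.urandom(SALT_BYTES)                       # fresh salt for the new stanza
    new_part = keygen_pbkdf2(new_passphrase, salt, iterations)
    return [("pkcs5_pbkdf2", {"passphrase": new_passphrase, "salt": salt, "iterations": iterations}),
            ("storedkey", {"key": xor_bytes(old_key, new_part)})]
```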

DISCLAIMER

	This was a pretty major roto-till, so I expect that I
	introduced a number of bugs.  Please use the send-pr
	mechanism to report them and I shall fix them as soon as
	I can.

Thanks,

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/