2

I've noticed that Linux's cryptsetup utility by default uses PBKDF2 as its key derivation function (KDF) rather than bcrypt, even though bcrypt has more resistance to brute forcing from GPUs. Why would cryptsetup use a technically less secure KDF and opt for a high number of iterations instead?

john doe
  • 708
  • 4
  • 16
  • What makes you think that PBKDF2 is "less secure" than bcrypt? –  Jul 18 '19 at 13:41
  • Just speculating, but it may have something to do with bcrypt's significantly higher memory usage and Linux's frequent usage in embedded environments, and that PBKDF2 is not inherently less secure, it just requires more iterations to achieve the same security. –  Jul 18 '19 at 14:26
  • @MechMK1 "when bcrypt has more resistance to brute forcing from GPUs" – john doe Jul 18 '19 at 14:28
  • GPUs don't work, but the idea of using a large number of simple cores (compared to a small number of expensive, complex, energy inefficient cores like your PC has) still applies. Bcrypt is small enough to be easily parallelized, potentially improving cracker hash rates. (Even without ASICs; still with relatively inexpensive commodity hardware.) Bcrypt is absolutely better than PBKDF2, but if you have the resources available for better password hashing you should use something better. – Future Security Jul 18 '19 at 16:09
  • 2 Might be that whoever created it wanted something that could be FIPS 140 certified. PBKDF2 is an approved FIPS 140 algorithm. bcrypt is not. – Swashbuckler Jul 18 '19 at 16:33
  • You should ask the authors why, not us. We can only make educated guesses. I don't think there is a lot of difference when it comes to the security of PBKDF2 or bcrypt. Real differences are obtained when a true memory-hard function is used, like scrypt or a variant of Argon2. – Maarten Bodewes Sep 06 '19 at 01:16
  • Cryptsetup itself doesn't care about the KDF, so I assume you're talking about LUKS, which specifies PBKDF2. Anyway, LUKS2 now supports Argon2 (which is even better than bcrypt). – forest May 20 '21 at 02:18
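The question and the comment about PBKDF2 "just requiring more iterations" both turn on how an iteration count is chosen. The following added example (not code from the question, from cryptsetup, or from LUKS) shows the idea behind cryptsetup's `--iter-time` option: benchmark PBKDF2-HMAC on the local machine, scale the iteration count so one unlock costs a chosen wall-clock time, and express what that count means as an attacker work factor. It uses only the Python standard library; `calibrate_iterations` and `work_factor` are illustrative names chosen here, and the cost model (work is linear in iterations, which is exactly why PBKDF2 gains no memory hardness from them) is an assumption stated in the comments.

```python
import hashlib
import hmac
import os
import time


def pbkdf2(password: bytes, salt: bytes, iterations: int,
           dklen: int = 32, hash_name: str = "sha256") -> bytes:
    """Derive a key with PBKDF2-HMAC; thin wrapper so the parameters are explicit."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


def measure_seconds(iterations: int, hash_name: str = "sha256") -> float:
    """Wall-clock cost of one derivation at the given iteration count on this host."""
    salt = os.urandom(16)            # constructed salt; the value is irrelevant for timing
    start = time.perf_counter()
    pbkdf2(b"benchmark-password", salt, iterations, hash_name=hash_name)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds: float = 1.0, hash_name: str = "sha256",
                         probe_iterations: int = 20_000, minimum: int = 1_000) -> int:
    """Pick an iteration count so one unlock takes about target_seconds here.

    This mirrors the approach behind cryptsetup's --iter-time (assumption: a
    short probe run, then linear scaling), not its exact implementation.
    """
    elapsed = measure_seconds(probe_iterations, hash_name)
    per_iteration = elapsed / probe_iterations
    if per_iteration <= 0:            # timer resolution too coarse; fall back to the floor
        return minimum
    return max(minimum, int(target_seconds / per_iteration))


def work_factor(iterations: int, guesses: int) -> int:
    """Total HMAC invocations an attacker must perform to test `guesses` passwords.

    PBKDF2's only tunable cost is this product; it buys time, not memory,
    which is the distinction the comments draw against scrypt/Argon2.
    """
    return iterations * guesses


def verify(password: bytes, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison of a freshly derived key against a stored one."""
    derived = pbkdf2(password, salt, iterations, dklen=len(expected))
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    # Known-answer check from RFC 6070 (PBKDF2-HMAC-SHA1, 1 iteration).
    kat = pbkdf2(b"password", b"salt", 1, dklen=20, hash_name="sha1")
    print("RFC 6070 vector ok:", kat.hex() == "0c60c80f961f0e71f3a9b524af6012062fe037a6")

    n = calibrate_iterations(target_seconds=1.0)
    print(f"iterations for ~1 s unlock on this host: {n}")
    # Each extra order of magnitude in iterations costs the attacker the same factor.
    print("HMAC calls to test 1e9 guesses:", work_factor(n, 10**9))

    salt = os.urandom(16)                     # constructed; a real header stores this
    stored = pbkdf2(b"correct horse", salt, n)
    print("verify:", verify(b"correct horse", salt, n, stored))
```

The calibrated count is host-specific by design: a slower machine yields fewer iterations for the same unlock delay, and an attacker with faster hardware pays proportionally less per guess, which is the limitation the later comments resolve by moving to a memory-hard function (Argon2 in LUKS2).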

0 Answers