DragonFly BSD
DragonFly kernel List (threaded) for 2010-03

Re: Crypto in DragonFlyBSD


From: Magnus Eriksson <magetoo@xxxxxxxxxxx>
Date: Wed, 31 Mar 2010 21:52:47 +0200 (CEST)

On Wed, 31 Mar 2010, Matthew Dillon wrote:

   and block ciphers, is that you need a significant amount of random
   salt in each randomly accessible unit to protect against various forms
   of attack.

Against dictionary attacks, as I understand it. The salt ensures that you can't just pre-generate a list of hashes once, from a huge dictionary, but have to attack each system separately.


The salt must still be available to the system for it to be able to decrypt things, which as far as I can see means outside the encrypted volume and readable by root -- and any attacker that can gain physical access. (If it's not available to the system, it's not a salt, but something else, like part of the password.)


   The salt can be applied as part of the encoding/decoding
   stream (it doesn't have to be all up-front), but the question is where
   does one store that salt?

/etc/cgd/<device>. :-)


(not world readable)


Magnus
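
An added illustration of the point made in the message above, not part of the original post and not DragonFly or cgd code: with no salt, one precomputed dictionary table covers every system, while a per-system salt stored in a readable parameters file forces a separate dictionary pass per system. The word list, iteration count, PBKDF2 as the derivation function and the `key` field standing in for "this key decrypts the volume" are all assumptions made for the example.

```python
import hashlib
import os

ITERATIONS = 1000  # assumption: kept low so the demo is fast; real setups use far more
WORDLIST = ["letmein", "dragonfly", "hunter2", "correct horse"]  # constructed dictionary


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase + salt -> 256-bit volume key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def make_system(passphrase: str, salt: bytes) -> dict:
    """Model one machine: the salt sits in a root-readable parameters file outside
    the volume; 'key' stands in for "this key decrypts the volume" (simplification)."""
    return {"salt": salt, "key": derive_key(passphrase, salt)}


def precompute(salt: bytes) -> dict:
    """One pass over the dictionary, valid only for the salt it was built with."""
    return {derive_key(word, salt): word for word in WORDLIST}


def covered(table: dict, systems: list) -> int:
    """How many systems a single precomputed table exposes."""
    return sum(1 for s in systems if s["key"] in table)


def passes_needed(systems: list) -> int:
    """Dictionary passes required to cover every system: one per distinct salt."""
    return len({s["salt"] for s in systems})


if __name__ == "__main__":
    unsalted = [make_system("hunter2", b""), make_system("dragonfly", b"")]
    salted = [make_system("hunter2", os.urandom(16)), make_system("dragonfly", os.urandom(16))]
    print("no salt:  one table exposes", covered(precompute(b""), unsalted), "of 2 systems")
    table = precompute(salted[0]["salt"])  # salt is readable, so this is still possible
    print("salted:   one table exposes", covered(table, salted), "of 2 systems")
    print("passes needed:", passes_needed(unsalted), "unsalted vs", passes_needed(salted), "salted")
```

The salt does not need to be secret for this to hold, which is why a root-readable file outside the volume is sufficient; the strength of the passphrase still decides how long a single per-system pass takes.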




