You are not logged in.

#1 2013-05-11 13:02:28

Divinorum
Member
Registered: 2011-08-16
Posts: 44

Forensic detection of LUKS/two-factor authentication setup

During a forensic analysis of a machine that uses dm-crypt with LUKS is it possible to detect if a two-factor authentication setup is present? I.e. two keyslots - one passphrase, one keyfile.

Last edited by Divinorum (2015-05-04 15:02:31)

Offline

#2 2013-05-11 20:09:09

Sikon
Member
Registered: 2011-04-26
Posts: 7

Re: Forensic detection of LUKS/two-factor authentication setup

What exactly do you mean by ‘two-factor authentication’? To me, a two-factor     
authentication involves two different steps in the process of authentication
of a user. For example the user might be asked to provide both a password and   
a code which is obtained via mobile application (or text message, special         
hardware…). For LUKS it is sufficient to provide one password even if the
container has two or more keyslots – that is why I would not call the presence 
of several keyslots ‘two-factor authentication’.                                 
                                                                                 
If you just want to know if there is more than one keyslot                       

cryptsetup luksDump <device>

                                         
is the magic.                                                                     
                                                                                 
Secondly, it does not matter how you input the secret – a 1024 byte long input 
via keyboard is just as valid as a file containing the same data. (The           
statement might be wrong, but that is how I understand cryptsetup’s man page     
and other resources.)

Offline

#3 2013-05-12 01:07:07

Divinorum
Member
Registered: 2011-08-16
Posts: 44

Re: Forensic detection of LUKS/two-factor authentication setup

To be more specific I was referring to whether or not an attacker would be able to detect if a keyfile is used.

Last edited by Divinorum (2015-05-04 15:02:16)

Offline

#4 2013-05-14 11:16:17

Sikon
Member
Registered: 2011-04-26
Posts: 7

Re: Forensic detection of LUKS/two-factor authentication setup

Divinorum wrote:

[…] I wanted to see if there was a way that LUKS may reveal if a keyfile or
passphrase is used. […]

You should consider posting this question to LUKS’/dm-crypt’s mailing list – I
assume there are more people who are able to answer that question.

Offline

#5 2013-05-23 16:04:23

xPm
Member
Registered: 2013-05-23
Posts: 1

Re: Forensic detection of LUKS/two-factor authentication setup

Couldn't you just say you've forgotten the passphrase ?

Offline

#6 2013-06-04 14:49:06

mhogomchungu
Member
Registered: 2013-03-29
Posts: 66

Re: Forensic detection of LUKS/two-factor authentication setup

Divinorum wrote:

[...]but I wanted to see if there was a way that LUKS may reveal if a keyfile or passphrase is used.

as far as LUKS is concerned,a keyfile is just a passphrase in a file.When you give any tool that manage LUKS based volume a keyfile,that tool may read the content of the keyfile and them pass them on as a passphrase and things will work.

truecrypt on the other hand treats keyfile and passphrases differently.If you create a truecrypt volume with a passphrase,you will have to open the volume with the passphrase,put the passphrase in a keyfile and then try to open the volume with the keyfile and the volume will not open.

Offline

Board footer

Powered by FluxBB