Arch Linux

Divinorum

Member

Registered: 2011-08-16

Posts: 44

Forensic detection of LUKS/two-factor authentication setup

During a forensic analysis of a machine that uses dm-crypt with LUKS is it possible to detect if a two-factor authentication setup is present? I.e. two keyslots - one passphrase, one keyfile.

Last edited by Divinorum (2015-05-04 15:02:31)

Sikon

Member

Registered: 2011-04-26

Posts: 7

Re: Forensic detection of LUKS/two-factor authentication setup

What exactly do you mean by ‘two-factor authentication’? To me, a two-factor     
authentication involves two different steps in the process of authentication
of a user. For example the user might be asked to provide both a password and   
a code which is obtained via mobile application (or text message, special         
hardware…). For LUKS it is sufficient to provide one password even if the
container has two or more keyslots – that is why I would not call the presence 
of several keyslots ‘two-factor authentication’.                                 
                                                                                 
If you just want to know if there is more than one keyslot                       

cryptsetup luksDump <device>

                                         
is the magic.                                                                     
                                                                                 
Secondly, it does not matter how you input the secret – a 1024 byte long input 
via keyboard is just as valid as a file containing the same data. (The           
statement might be wrong, but that is how I understand cryptsetup’s man page     
and other resources.)

Divinorum

Member

Registered: 2011-08-16

Posts: 44

Re: Forensic detection of LUKS/two-factor authentication setup

To be more specific I was referring to whether or not an attacker would be able to detect if a keyfile is used.

Last edited by Divinorum (2015-05-04 15:02:16)

Sikon

Member

Registered: 2011-04-26

Posts: 7

Re: Forensic detection of LUKS/two-factor authentication setup

[…] I wanted to see if there was a way that LUKS may reveal if a keyfile or
passphrase is used. […]

You should consider posting this question to LUKS’/dm-crypt’s mailing list – I
assume there are more people who are able to answer that question.

xPm

Member

Registered: 2013-05-23

Posts: 2

Re: Forensic detection of LUKS/two-factor authentication setup

Couldn't you just say you've forgotten the passphrase ?

mhogomchungu

Member

Registered: 2013-03-29

Posts: 87

Re: Forensic detection of LUKS/two-factor authentication setup

[...]but I wanted to see if there was a way that LUKS may reveal if a keyfile or passphrase is used.

as far as LUKS is concerned,a keyfile is just a passphrase in a file.When you give any tool that manage LUKS based volume a keyfile,that tool may read the content of the keyfile and them pass them on as a passphrase and things will work.

truecrypt on the other hand treats keyfile and passphrases differently.If you create a truecrypt volume with a passphrase,you will have to open the volume with the passphrase,put the passphrase in a keyfile and then try to open the volume with the keyfile and the volume will not open.