strlcat / tfcrypt

tfcrypt -- high security Threefish encryption tool.

Feature suggestion: Skip bytes at the beginning of the key #7

Closed phantomcraft closed 2 years ago

phantomcraft commented 2 years ago

In cryptsetup (currently 2.4.3) there is an interesting option:

       --keyfile-offset value
              Skip value bytes at the beginning of the key file.  Works with all commands that accept key files.

When used, the program skips X bytes, defined by the user, when reading the key file.

It would be interesting for luring an adversary a little bit when trying to find a valid key for decryption.

strlcat commented 2 years ago

There's iotool or tfcrypt -P functionality to get contents out of files at specified offset/length. Example:

% tfcrypt -R 1k k.bin
% ls -l k.bin 
-rw-r--r-- 1 rys rys 1024 Feb  1 19:49 k.bin
% tfcrypt -qP -O iseek=516,count=256 k.bin | tfcrypt -e -S mac -c rand -O trunc -k - loudp2a.pcap loudp2a.out
tfcrypt: read: 1223590 (1.17M), XTS encrypted 1223846 (1.17M) bytes, written 1223846 (1.17M) bytes, (202489410 (193.11M) B/s), time 00.0060
% tfcrypt -qP -O iseek=516,count=256 k.bin | tfcrypt -d -M mac -m -c head -k - loudp2a.out 
tfcrypt: signature is good
tfcrypt: read: 1223846 (1.17M), XTS decrypted 1223590 (1.17M) bytes, written 0 (0.00B) bytes, (193086634 (184.14M) B/s), time 00.0063
% tfcrypt -qP -O iseek=517,count=256 k.bin | tfcrypt -d -M mac -m -c head -k - loudp2a.out 
tfcrypt: signature is BAD: wrong password, key, mode, or file is not signed
tfcrypt: read: 1223846 (1.17M), XTS decrypted 1223590 (1.17M) bytes, written 0 (0.00B) bytes, (160365661 (152.94M) B/s), time 00.0076

Unless there is REAL need in such situation when single process must obtain key this way, I will implement it. Sorry, but I don't see an urgent need in implementing it now. Closing.
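An added example (not part of the thread and not tfcrypt code): the offset/length key extraction discussed above done with plain POSIX `dd`, plus the length check `dd` does not make, since a slice that runs past the end of the key file comes back short with exit status 0. `key_slice` and `slices_differ` are hypothetical helper names, and treating `key_slice` output as equivalent to the thread's `tfcrypt -qP -O iseek=...,count=...` step is an assumption.

```shell
#!/bin/sh
# Added example: key_slice and slices_differ are hypothetical helper names,
# not part of tfcrypt or cryptsetup.

# key_slice FILE OFFSET COUNT
# Write exactly COUNT bytes of regular file FILE, starting OFFSET bytes in,
# to stdout. Fails without output if the file cannot supply the whole slice;
# plain dd would emit a shorter key at end of file and still exit 0.
key_slice() {
    ks_file=$1 ks_off=$2 ks_cnt=$3
    for ks_n in "$ks_off" "$ks_cnt"; do
        case $ks_n in
            ''|*[!0-9]*|0?*)
                echo "key_slice: offset/count must be decimal, no leading zeros" >&2
                return 2 ;;
        esac
    done
    [ "$ks_cnt" -gt 0 ] || { echo "key_slice: count must be > 0" >&2; return 2; }
    [ -f "$ks_file" ] && [ -r "$ks_file" ] || {
        echo "key_slice: cannot read $ks_file" >&2; return 1; }
    ks_size=$(($(wc -c < "$ks_file")))
    if [ $((ks_off + ks_cnt)) -gt "$ks_size" ]; then
        echo "key_slice: $ks_file has $ks_size bytes, slice ends at $((ks_off + ks_cnt))" >&2
        return 1
    fi
    dd if="$ks_file" bs=1 skip="$ks_off" count="$ks_cnt" 2>/dev/null
}

# slices_differ FILE OFF_A OFF_B COUNT
# Exit 0 if the two COUNT-byte slices are different keys, 1 if identical,
# 2 if either slice could not be read in full.
slices_differ() {
    sd_tmp=$(mktemp -d) || return 2
    if key_slice "$1" "$2" "$4" > "$sd_tmp/a" &&
       key_slice "$1" "$3" "$4" > "$sd_tmp/b"; then
        if cmp -s "$sd_tmp/a" "$sd_tmp/b"; then sd_rc=1; else sd_rc=0; fi
    else
        sd_rc=2
    fi
    rm -rf "$sd_tmp"
    return "$sd_rc"
}

# Usage, reusing the key file and tfcrypt options shown in the thread
# (assumes key_slice output is equivalent to the thread's tfcrypt -qP step):
#   key_slice k.bin 516 256 | tfcrypt -e -S mac -c rand -O trunc -k - loudp2a.pcap loudp2a.out
```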

phantomcraft commented 2 years ago

In sksum two new options could be added:

One for specifying the offset starting from the beginning of the file/block device and other for specifying the size/amount of data (bytes) to be processed.

My suggestions.

strlcat commented 2 years ago

> In sksum two new options could be added:
>
> One for specifying the offset starting from the beginning of the file/block device and other for specifying the size/amount of data (bytes) to be processed.
>
> My suggestions.

This is already implemented:

sksum -O iseek=NR infile to seek from offset zero by NR bytes in infile,

sksum -O count=NR infile to hash only NR bytes from infile,

sksum -O iseek=NRX,count=NRY infile to seek from offset zero by NRX bytes in infile and proceed to hash from that point NRY bytes from same infile.

There is no need to implement anything. Also, please see help page by typing tfcrypt -h.

phantomcraft commented 2 years ago

Sorry Rys, I didn't know that -O switches are valid for sksum.

strlcat commented 2 years ago

No worries. sksum and other embedded tools accept most of tfcrypt options, as said in the help page printed by sksum -h. However, there is a limitation: only options valid for the current tool are accepted. Others can either be ignored or misinterpreted, and there is no guarantee for using the wrong ones. Most of them are included in the help page of the relevant tool. Maybe I need to rephrase the footer somehow, looks awkward...