CN113839773B - LUKS key offline extraction method, terminal equipment and storage medium - Google Patents
- Publication number
- CN113839773B
- Authority
- CN
- China
- Prior art keywords
- key
- length
- luks
- data
- memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a method for offline extraction of a LUKS key, a terminal device and a storage medium. The method comprises the following steps: S1: extracting the hash check value hash_data of the master key and the length key_length of the master key from the header of the LUKS encrypted volume; S2: loading a memory image and, according to the master key length key_length, searching the memory image for all data whose length matches key_length to form a set K; S3: traversing each element of the set K, calculating the information entropy of each element, and screening the set K by removing the elements whose information entropy is larger than the information entropy threshold; S4: traversing each element of the screened set K, performing key derivation on each element with the PBKDF2 algorithm, and taking the element whose key derivation result is consistent with the extracted hash check value hash_data as the master key for decryption. The invention can scan all valid LUKS encryption keys in memory and use them in practice for data decryption, thereby solving the difficulty of obtaining evidence.
Description
Technical Field
The present invention relates to the field of disk encryption, and in particular to a method for offline extraction of a LUKS key, a terminal device, and a storage medium.
Background
LUKS (Linux Unified Key Setup) is one of the common disk encryption technologies on Linux systems. The two versions LUKS1 and LUKS2 are currently the ones mainly used across all versions of Linux; related applications exist on the Android platform, and LUKS is also found in automobiles and Internet of Things devices, so its range of application is wide. LUKS has the following characteristics: (1) it supports access to the same device by multiple users and passwords; (2) the encryption key is independent of the password, so the password can be changed without re-encrypting the data; (3) the encryption key is stored using a data splitting technique, which ensures the security of the key.
Technology for decrypting LUKS currently exists on the market, but it is limited to volumes encrypted with a known password or key file; for a system disk encrypted by means of a TPM encryption chip, no technology on the market can decrypt the physical data of the system disk.
Disclosure of Invention
In order to solve the problems, the invention provides a LUKS key offline extraction method, a terminal device and a storage medium.
The specific scheme is as follows:
A LUKS key offline extraction method comprises the following steps:
S1: extracting the hash check value hash_data of the master key and the length key_length of the master key from the header of the LUKS encrypted volume;
S2: loading a memory image and, according to the master key length key_length, searching the memory image for all data whose length matches key_length to form a set K;
S3: traversing each element of the set K, calculating the information entropy of each element, and screening the set K by removing the elements whose information entropy is larger than the information entropy threshold;
S4: traversing each element of the screened set K, performing key derivation on each element with the PBKDF2 algorithm, and taking the element whose key derivation result is consistent with the extracted hash check value hash_data as the master key for decryption.
Further, the information entropy threshold is 20.
A LUKS key offline extraction terminal device comprises a processor, a memory and a computer program stored in the memory and capable of running on the processor, wherein the steps of the method according to the embodiment of the invention are implemented when the processor executes the computer program.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method described above for embodiments of the present invention.
With this technical scheme, the invention can scan all valid LUKS encryption keys in memory and use them in practice for data decryption, which solves the problem of obtaining evidence.
Drawings
FIG. 1 is a diagram showing a disk structure of a LUKS1 version in accordance with an embodiment of the present invention.
Fig. 2 is a diagram showing a disk structure of the version LUKS2 in this embodiment.
Fig. 3 shows a flow chart of the method of this embodiment.
Detailed Description
To further illustrate the various embodiments, the invention is provided with accompanying drawings. The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments and, together with the description, serve to explain the principles of the embodiments. With reference to these matters, one of ordinary skill in the art will understand other possible embodiments and advantages of the present invention.
The invention will now be further described with reference to the drawings and detailed description.
Embodiment one:
The disk structures of the two LUKS versions, LUKS1 and LUKS2, are shown in Fig. 1 and Fig. 2, respectively. As can be seen from Fig. 1, a LUKS1 encrypted volume consists of three main parts: the volume header (Volume Header), the encrypted master key area (Keyslots area), and the encrypted data area (Encrypted Volume Data). As can be seen from Fig. 2, a LUKS2 encrypted volume consists of four main parts: the volume header (Volume Header), the JSON metadata area (JSON area), the encrypted master key area (Keyslots area), and the encrypted data area (Encrypted Volume Data).
The LUKS encryption process mainly comprises three stages: system initialization, encrypting the master key, and encrypting data using the master key.
1. System initialization
When the system receives a command to encrypt a volume with LUKS, it performs the following steps:
(1) Randomly generating a set of vectors as the master key (Master Key), typically 16 or 32 bytes in length;
(2) Randomly generating a set of vectors as the salt (Salt), 32 bytes in length;
(3) Selecting a hash algorithm and an iteration count, and performing PBKDF2 key derivation on the master key to obtain the hash check value of the master key; this value is stored in the volume header structure and is used during decryption to judge whether the obtained master key is correct;
2. Encrypting the master key
(4) The user enters a password, and PBKDF2 key derivation is performed on the user password to obtain the user key (User Key);
(5) AF-Split data expansion is performed on the master key to obtain the split master key (Split Master Key);
(6) The split master key is encrypted with the user key to obtain the split master key ciphertext, and the result is stored at the corresponding position in the volume;
3. Encrypting data using the master key
(7) Plaintext data is encrypted directly with the master key as the encryption key, and the encryption algorithm and mode are set in the volume header;
(8) The master key is destroyed.
The master key is therefore not affected by the user password: when the user modifies, adds or deletes a password, the master key does not change and the plaintext data is not re-encrypted. Consequently, once the master key is obtained, the encrypted disk data can be decrypted directly, bypassing the password.
Research shows that while a LUKS encrypted volume is decrypted and mounted, physical memory contains the decrypted master key. Therefore, after a memory image has been acquired offline, the entire physical memory image can be scanned and the master key structure extracted and reassembled, which achieves offline decryption of LUKS and bypasses the password.
Based on the above principle, this embodiment of the invention provides a method for offline extraction of a LUKS key which, as shown in Fig. 3, comprises the following steps:
S1: extracting the hash check value hash_data of the master key and the length key_length of the master key from the header of the LUKS encrypted volume;
S2: loading a memory image and, according to the master key length key_length, searching the memory image for all data whose length matches key_length to form a set K;
S3: traversing each element of the set K, calculating the information entropy of each element, and screening the set K by removing the elements whose information entropy is larger than the information entropy threshold;
S4: traversing each element of the screened set K, performing key derivation on each element with the PBKDF2 algorithm, and taking the element whose key derivation result is consistent with the extracted hash check value hash_data as the master key for decryption.
The information entropy of the master key is found by experimental statistics to be mostly 20 or less, and therefore, the information entropy threshold value is set to 20 in this embodiment.
Building on in-depth study of the master key structure and the LUKS data encryption logic, this embodiment of the invention provides a LUKS key offline extraction method based on searching memory data.
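An added example (not code from the patent) that carries out S1, S2 and S4 in Python on constructed data: it parses the LUKS1 binary header, slides a key_length window over a byte buffer, and confirms a candidate with PBKDF2 against hash_data. The field layout and the 20-byte digest follow the LUKS1 on-disk format, which the page does not spell out; the S3 entropy screen is omitted because the page does not define how the entropy is computed, and the function names, sample header and sample image are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header up to the UUID field, big-endian, 208 bytes:
# magic, version, cipher name, cipher mode, hash spec, payload offset,
# key bytes, master-key digest, digest salt, digest iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")


def parse_luks1_header(blob):
    """S1: read hash_data, key_length and the PBKDF2 parameters."""
    if len(blob) < PHDR.size:
        raise ValueError("header too short")
    (magic, version, _cipher, _mode, hash_spec, _payload,
     key_length, hash_data, salt, iterations, _uuid) = PHDR.unpack_from(blob)
    if magic != LUKS1_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    return {
        "hash_spec": hash_spec.rstrip(b"\0").decode("ascii"),
        "key_length": key_length,
        "hash_data": hash_data,
        "salt": salt,
        "iterations": iterations,
    }


def candidates(image, key_length, step=1):
    """S2: yield (offset, window) for every key_length-sized window."""
    for off in range(0, len(image) - key_length + 1, step):
        yield off, image[off:off + key_length]


def matches_digest(candidate, hdr):
    """S4: PBKDF2 over the candidate, compared with hash_data."""
    derived = hashlib.pbkdf2_hmac(hdr["hash_spec"], candidate, hdr["salt"],
                                  hdr["iterations"], len(hdr["hash_data"]))
    return hmac.compare_digest(derived, hdr["hash_data"])


def find_master_key(header_blob, image, step=1):
    """Return (offset, key) of the first window that verifies, else None."""
    hdr = parse_luks1_header(header_blob)
    for off, cand in candidates(image, hdr["key_length"], step):
        if matches_digest(cand, hdr):
            return off, cand
    return None


def build_sample():
    """Constructed data only: a LUKS1-style header and a tiny fake image."""
    key = bytes(range(0x40, 0x60))     # constructed 32-byte "master key"
    salt = bytes(range(32))            # constructed salt
    iters = 1000                       # kept low so the demo runs quickly
    digest = hashlib.pbkdf2_hmac("sha1", key, salt, iters, 20)
    header = PHDR.pack(LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                       4096, len(key), digest, salt, iters,
                       b"constructed-uuid")
    image = b"\x00" * 37 + key + b"\xff" * 50   # key planted at offset 37
    return header, image, key


if __name__ == "__main__":
    header, image, key = build_sample()
    print(find_master_key(header, image))
```

The cost of S4 is one full PBKDF2 run per window, so on a real image the iteration count stored in the header dominates the running time; that is the reason the method screens the set K before deriving.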
Embodiment two:
The invention also provides a LUKS key offline extraction terminal device, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor; the steps of the method of Embodiment one are implemented when the processor executes the computer program.
Further, as an executable scheme, the LUKS key offline extraction terminal device may be a computing device such as a desktop computer, a notebook computer, a palmtop computer, or a cloud server. The device may include, but is not limited to, a processor and a memory. Those skilled in the art will appreciate that the composition described above is merely an example of the LUKS key offline extraction terminal device and does not limit it: the device may include more or fewer components than those described, may combine some components, or may use different components. For example, it may further include an input/output device, a network access device, a bus, and the like, which is not limited by the embodiment of the present invention.
Further, as an executable scheme, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the LUKS key offline extraction terminal device and connects the parts of the entire device using various interfaces and lines.
The memory may be used to store the computer program and/or modules, and the processor implements the various functions of the LUKS key offline extraction terminal device by running or executing the computer program and/or modules stored in the memory and by invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and at least one application program required for a function, and the data storage area may store data created according to the use of the cellular phone, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, flash card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
The present invention also provides a computer readable storage medium storing a computer program which when executed by a processor implements the steps of the above-described method of an embodiment of the present invention.
The modules/units integrated in the LUKS key offline extraction terminal device may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as a separate product. Based on this understanding, the present invention may implement all or part of the flow of the method of the above embodiment by means of a computer program that instructs the related hardware; the computer program may be stored in a computer-readable storage medium, and when it is executed by a processor it implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), a software distribution medium, and so forth.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (4)
1. A LUKS key offline extraction method, characterized by comprising the following steps:
S1: extracting the hash check value hash_data of the master key and the length key_length of the master key from the header of the LUKS encrypted volume;
S2: loading a memory image and, according to the master key length key_length, searching the memory image for all data whose length matches key_length to form a set K;
S3: traversing each element of the set K, calculating the information entropy of each element, and screening the set K by removing the elements whose information entropy is larger than the information entropy threshold;
S4: traversing each element of the screened set K, performing key derivation on each element with the PBKDF2 algorithm, and taking the element whose key derivation result is consistent with the extracted hash check value hash_data as the master key for decryption.
2. The LUKS key offline extraction method of claim 1, wherein: the information entropy threshold is 20.
3. A LUKS key offline extraction terminal device, characterized in that: it comprises a processor, a memory and a computer program stored in the memory and running on the processor, and the processor, when executing the computer program, carries out the steps of the method according to any one of claims 1-2.
4. A computer-readable storage medium storing a computer program, characterized in that: the computer program implementing the steps of the method according to any one of claims 1 to 2 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110940565.8A CN113839773B (en) | 2021-08-17 | 2021-08-17 | LUKS key offline extraction method, terminal equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113839773A (en) | 2021-12-24 |
CN113839773B (en) | 2024-07-19 |
Family
ID=78960560
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110940565.8A Active CN113839773B (en) | 2021-08-17 | 2021-08-17 | LUKS key offline extraction method, terminal equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113839773B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115119016B (en) * | 2022-06-29 | 2024-06-18 | 北京精确指向信息技术有限公司 | Information data encryption algorithm |
CN118536140A (en) * | 2024-07-25 | 2024-08-23 | 中电信量子信息科技集团有限公司 | Data protection method, data protection device, computer device and storage medium |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111756533B (en) * | 2014-08-29 | 2023-07-04 | 维萨国际服务协会 | System, method and storage medium for secure password generation |
US10015147B2 (en) * | 2014-10-22 | 2018-07-03 | Visa International Service Association | Token enrollment system and method |
CN106027261B (en) * | 2016-05-18 | 2018-12-21 | 厦门大学 | FPGA-based LUKS authentication chip circuit and password recovery method thereof |
DE102017106042A1 (en) * | 2016-12-22 | 2018-06-28 | Fujitsu Technology Solutions Intellectual Property Gmbh | A method for safely booting up a computer system, and an assembly comprising a computer system and an external storage medium connected to the computer system |
CN109033869A (en) * | 2018-07-04 | 2018-12-18 | 深圳虚觅者科技有限公司 | Encrypted file system hanging method and device |
KR102325986B1 (en) * | 2020-01-22 | 2021-11-12 | 네이버클라우드 주식회사 | Method and system for dinamic application of storage encryption |
CN112800442B (en) * | 2021-01-05 | 2024-10-29 | 北京小米松果电子有限公司 | Method, device and medium for detecting encrypted file |
Non-Patent Citations (2)
Title |
---|
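BetaMao's Notes. Full-disk encryption cracking based on memory analysis. https://blog-archive.betamao.me/2019/10/27.2019, main text pp. 10-11. * |
Analysis of offline decryption techniques for LUKS encrypted volumes; Qian Jingjie et al.; Netinfo Security (No. 09); main text sections 1-2 * |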
Also Published As
Publication number | Publication date |
---|---|
CN113839773A (en) | 2021-12-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10044703B2 (en) | User device performing password based authentication and password registration and authentication methods thereof | |
CN112818380A (en) | Method, device, equipment and system for backtracking processing of business behaviors | |
US10255450B2 (en) | Customer load of field programmable gate arrays | |
CN113839773B (en) | LUKS key offline extraction method, terminal equipment and storage medium | |
MX2007008540A (en) | Method and portable storage device for allocating secure area in insecure area. | |
JP5392439B2 (en) | ENCRYPTION SEARCH DATABASE DEVICE, ENCRYPTION SEARCH DATA ADDITION / DELETE METHOD AND ADDITION / DELETE PROGRAM | |
CN107528690A (en) | A kind of symmetrical encryption and decryption method and systems of SM4 for accelerating platform based on isomery | |
JP2018533054A (en) | System and method for preventing data loss while maintaining confidentiality | |
CN112074889A (en) | Secret search device and secret search method | |
CN109547201A (en) | A kind of encryption method of root key, computer readable storage medium and terminal device | |
CN115422570B (en) | Data processing method and system for distributed storage | |
JP6352441B2 (en) | Anonymizing streaming data | |
US20220209945A1 (en) | Method and device for storing encrypted data | |
US20180123789A1 (en) | Apparatus and method for generating a key in a programmable hardware module | |
Paterson et al. | Cold boot attacks on NTRU | |
CN112800467B (en) | Online model training method, device and equipment based on data privacy protection | |
CN112000978A (en) | Private data output method, data processing system, and storage medium | |
CN108256342B (en) | Encryption method and device and decryption method and device of Shader file | |
US11455404B2 (en) | Deduplication in a trusted execution environment | |
CN111339562B (en) | Order preserving/de-ordering ciphertext recovery method and device | |
JP6672451B2 (en) | Encrypted search index merge server, encrypted search index merge system, and encrypted search index merge method | |
CN111104693A (en) | Android platform software data cracking method, terminal device and storage medium | |
KR101699176B1 (en) | Hadoop Distributed File System Data Encryption and Decryption Method | |
CN112052432A (en) | Terminal device authorization method and device | |
CN109560927B (en) | Equipment fingerprint implementation method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||