<feed xmlns='http://www.w3.org/2005/Atom'>
<title>soledad.git/client/changes/feature_6980_remove-mac-from-secrets-file, branch onepython</title>
<subtitle>[soledad]
</subtitle>
<link rel='alternate' type='text/html' href='https://leap.se/git/soledad.git/'/>
<entry>
<title>[pkg] fold in changes</title>
<updated>2015-08-26T18:49:37+00:00</updated>
<author>
<name>Ivan Alejandro</name>
<email>ivanalejandro0@gmail.com</email>
</author>
<published>2015-08-26T18:42:21+00:00</published>
<link rel='alternate' type='text/html' href='https://leap.se/git/soledad.git/commit/?id=20966f78951d734f100ed6a6a6feedd15dbe79e7'/>
<id>20966f78951d734f100ed6a6a6feedd15dbe79e7</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>[bug] remove mac from secrets file</title>
<updated>2015-07-27T13:58:29+00:00</updated>
<author>
<name>drebs</name>
<email>drebs@leap.se</email>
</author>
<published>2015-06-03T18:56:40+00:00</published>
<link rel='alternate' type='text/html' href='https://leap.se/git/soledad.git/commit/?id=bbfb3bb44915004a70702030aa1d2f9336a60938'/>
<id>bbfb3bb44915004a70702030aa1d2f9336a60938</id>
<content type='text'>
This is how a secret was stored in the secrets json file:

  * each secret is symmetrically encrypted and MACed with keys derived from
    the user's passphrase.

  * the encrypted secrets dictionary is then MACed with another key derived
    from the user's passphrase.

  * each key is derived using scrypt and a unique random salt.

There are disadvantages to this approach:

  * repeating scrypt many times is a waste of time.

  * an attacker could crack whichever has weaker parameters, if they get out
    of sync.

  * if an attacker can modify the secret in a way it is good to decrypt the
    database, then she can also modify the MAC.

The solution for this is:

  * completely eliminate the MAC from the storage secrets file.

  * attempt to decrypt the database with whatever is got from the decryption
    of the secret. If that is wrong, report an error.

Closes #6980.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is how a secret was stored in the secrets json file:

  * each secret is symmetrically encrypted and MACed with keys derived from
    the user's passphrase.

  * the encrypted secrets dictionary is then MACed with another key derived
    from the user's passphrase.

  * each key is derived using scrypt and a unique random salt.

There are disadvantages to this approach:

  * repeating scrypt many times is a waste of time.

  * an attacker could crack whichever has weaker parameters, if they get out
    of sync.

  * if an attacker can modify the secret in a way it is good to decrypt the
    database, then she can also modify the MAC.

The solution for this is:

  * completely eliminate the MAC from the storage secrets file.

  * attempt to decrypt the database with whatever is got from the decryption
    of the secret. If that is wrong, report an error.

Closes #6980.
</pre>
</div>
</content>
</entry>
</feed>
