Opened at 2013-11-12T00:21:40Z
Last modified at 2015-12-14T22:21:14Z
#2100 new enhancement
passphrase-encrypt the aliases file
Reported by: | daira | Owned by: | daira |
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | code-frontend-cli | Version: | 1.10.0 |
Keywords: | aliases security capleak usability | Cc: | dawuud |
Launchpad Bug: |
Description
This would help people who are concerned about the risk of an aliases file being read by an attacker. It would probably use scrypt or similar to drive the key from the passphrase.
Change History (10)
comment:1 Changed at 2014-08-07T01:04:31Z by dawuud
comment:2 Changed at 2014-08-07T01:06:30Z by dawuud
- Cc dawuud added
- Owner set to dawuud
comment:3 Changed at 2014-08-07T14:36:22Z by daira
I don't think we want to add a dependency on NaCl. scrypt is a fine choice of PBKDF, though.
comment:4 Changed at 2014-10-19T11:06:26Z by dawuud
If not NaCl? secretBox then what do you suggest?
comment:5 Changed at 2014-12-02T19:51:17Z by warner
- Component changed from code-frontend to code-frontend-cli
comment:6 follow-up: ↓ 9 Changed at 2015-12-10T07:11:37Z by dawuud
If we are going to encrypt the private aliases file shouldn't we also use a message authenticating code, perhaps an HMAC?
comment:7 Changed at 2015-12-10T14:47:28Z by dawuud
a rough sketch of the cryptos here combining scrypt and an hmac construction with aes: https://github.com/david415/tahoe-lafs/tree/2100.encrypt-aliases-file.0
though i think it's the wrong aes mode; shouldn't it be a stream cipher so that the input can be any length? you can see my unit tests fail because the plaintext length is not a multiple of 16. wtf.
comment:8 follow-up: ↓ 10 Changed at 2015-12-10T20:42:24Z by dawuud
- Owner changed from dawuud to daira
i added padding and the unit tests pass now.
it occurred to me that typing the passphrase every time an alias is used would get annoying. even more so with key stretching. does resolving this ticket require making an agent?
comment:9 in reply to: ↑ 6 Changed at 2015-12-14T22:14:45Z by daira
Replying to dawuud:
If we are going to encrypt the private aliases file shouldn't we also use a message authenticating code, perhaps an HMAC?
Yes, we should use authenticated encryption. Encrypt-then-HMAC is fine for that.
I would really like to help out with this ticket. Would using NaCl?'s SecretBox? like this work? https://github.com/david415/hidden-tahoe-backup/blob/master/HiddenTahoeBackup/secretBox.py
Should I be using scrypt here instead of sha256?