You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on May 22, 2021. It is now read-only.
In #607 a concern was raised by @ehuggett about an insufficient number of iterations for the PBKDF2 function as used for processing the authentication password. This key is not used for encryption if users think so.
I think it is realistic to assume that the share URL (file.url) can be compromised at some point (e.g. because a conversation/email was leaked). If the KDF output is leaked, then 100 iterations is not sufficient.
For others wondering, the password is only used for authentication to the server, it is not used for encryption. So if (1) the URL gets leaked and (2) the server storage gets leaked, then the password has no use.
The encryption details are described at https://github.com/mozilla/send/blob/master/docs/encryption.md, but it is unfortunately rather vague about the exact parameters (hash function, iterations) and the data that is actually sent and stored on the server. Suggestion: update that document such that an analysis can be done without requiring digging through the source code.
The fixed nonce occurs because KeyChain is constructed with no parameters. This fixed nonce is subsequently sent over the websocket which is presumably stored in plain on the server, see https://github.com/mozilla/send/blob/master/app/fileSender.js. I verified with a debugger that the nonce is fixed.
So assuming that:
The server storage is compromised and leaks metadata (nonce, verifyHash).
The URL is leaked
The analysis is correct and a fixed nonce is stored together with verifyHash
Then an attacker can bruteforce the original password due to the very low iteration count.
The text was updated successfully, but these errors were encountered:
In #607 a concern was raised by @ehuggett about an insufficient number of iterations for the PBKDF2 function as used for processing the authentication password. This key is not used for encryption if users think so.
I think it is realistic to assume that the share URL (file.url) can be compromised at some point (e.g. because a conversation/email was leaked). If the KDF output is leaked, then 100 iterations is not sufficient.
For others wondering, the password is only used for authentication to the server, it is not used for encryption. So if (1) the URL gets leaked and (2) the server storage gets leaked, then the password has no use.
The encryption details are described at https://github.com/mozilla/send/blob/master/docs/encryption.md, but it is unfortunately rather vague about the exact parameters (hash function, iterations) and the data that is actually sent and stored on the server. Suggestion: update that document such that an analysis can be done without requiring digging through the source code.
The client code that uses the password is here:
send/app/keychain.js
Lines 110 to 120 in 3b8dbfd
The server code is right here:
send/server/middleware/auth.js
Lines 12 to 32 in 63ddbee
If I am not mistaken, the data flow when an a password is set is as follows:
The fixed nonce occurs because
KeyChain
is constructed with no parameters. This fixed nonce is subsequently sent over the websocket which is presumably stored in plain on the server, see https://github.com/mozilla/send/blob/master/app/fileSender.js. I verified with a debugger that the nonce is fixed.So assuming that:
Then an attacker can bruteforce the original password due to the very low iteration count.
The text was updated successfully, but these errors were encountered: