Skip to content

wg/arc

Repository files navigation

arc - secure file archiver

arc is a file archiver designed to manage secure and stable archives suitable for storage and transmission. arc archives are standard tar archives compressed with gzip and then encrypted with the XChaCha20+ Poly1305 authenticated encryption mode.

arc is distributed as open source code and static executables with no external dependencies.

Security

arc archives are designed for secure storage and transmission and must not allow decryption or tampering by an attacker without the appropriate encryption key.

However, arc has not been subject to peer review and the specific algorithm combinations used have not been standardized.

arc archives are encrypted with XChaCha20 + Poly1305 using the same algorithm as NaCl's secretbox but substituting XChaCha20 for XSalsa20. This algorithm is similar to the ChaCha20 + Poly1305 AEAD mode defined in RFC 7539 but uses a longer random nonce and does not include lengths in the authentication tag computation.

The XChaCha20 + Poly1305 key is derived in one of three ways:

  1. from a password using the Argon2 KDF
  2. from a static-ephemeral ECDH key exchange
  3. from a random key split into n shards

See the Archive sections below for details of each.

Stability

arc archives are designed for long-term storage and their content should be extractable using hardware and software that does not exist at the time the archive was created.

A decrypted archive is a standard gzip-compressed tar archive for which there exist a wide variety of open source tools & libraries capable of reading and extracting their contents. Should that fail the tar and gzip formats are well documented and reasonably simple to implement.

Decryption is more difficult due to rapid advances in the state of the art and arc's desire for strong security. However portable open source C implementations of each algorithm are available, and the implementations arc uses are written in Go, a language designed for long-term backwards compatibility.

See the Compatibility section which follows for important caveats and read FORMAT for the specific disk format arc uses as a header for the encrypted tar+gzip stream.

Compatibility

arc releases follow the semantic versioning scheme and the major version will be incremented when the on-disk format changes.

Each release of arc will support a single version of the on-disk format and any security flaws will cause a new release with the version incremented and support for the flawed method dropped.

This means future versions of arc may not be capable of extracting old archives so copies of arc in binary and/or source form should be kept alongside the archives themselves.

Password Archives

A password, cost parameters, and cryptographically secure random salt are used as input to the Argon2 password hashing function to derive the encryption key used to encrypt & decrypt the archive.

Curve448 Archives

A Curve448 key pair is generated via arc's --keygen option.

Encryption uses the public key and an ephemeral private key as input to the X448 ECDH key exchange function and the resulting shared secret is hashed with BLAKE2b to derive the encryption key. The corresponding ephemeral public key is embedded in the archive and used with the static private key to decrypt the archive.

This method is suitable for transmitting archives to another party or for use on a system that may become compromised after the archive is created.

Shard Archives

The encryption key is cryptographically secure random bytes that are split into n shards using Shamir's Secret Sharing algorithm. One archive is generated for each shard and k must be present to recreate the key and decrypt the archive.

This method is most suitable for small archives that will be stored or transmitted via multiple channels where k - 1 can be compromised with no loss in archive security.

License

Copyright (C) 2016 Will Glozer.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

Acknowledgments

arc contains code from a number of open source projects including Yawning Angel's chacha20, poly1305, and x448 libraries, Dmitry Chestnykh's blake2b, Coda Hale's sss, Andrw Ekstedt's argon2, Klaus Post's optimized compression packages and Jesse van den Kieboom's go-flags. See NOTICE for license details.

Cryptography Notice

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org/ for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.