Crypto roadmap #1044
Comments
|
https://news.ycombinator.com/item?id=11634215 Rdedup – backup deduplication with asymetric encryption (in Rust) https://github.com/fpgaminer/preserve/blob/master/crypto-spec.md - document describes the cryptography used by Preserve, an encrypted backup system written in Rust. |
|
#1044 (comment) : I don't quite see the point of per-chunk keys. I derived a similar (and somewhat obvious) scheme before for deterministic calculation of random IVs, and there I see the point, not so much for entire keys (assuming that session keys are already used). |
|
Discussion/analysis of keyblob (keyfile, repokey) saving/encryption: #1579 |
|
Python 3.6 has SHA-3 and the scrypt KDF. A set of symmetric modes ie. were the same ID key results in the same chunk IDs, but which use different encryption (ie. no encryption and some encryption) would open some interesting possibilities. |
|
Yes. I've read #1562, but I don't think the mechanism is ripe for 1.1. And given how slowly the field (of hash functions) evolves I'm not sure a more flexible mechanism is needed -- SHA-2 was introduced in ~2000ish, BLAKE in ~2013ish. The mechanism we have (key types) "just works" and is already in place (even with a nice error message - I checked that). |
|
[This is not a response, just a statement] What's absolutely clear is that there will be no way that borg has a variable feature set depending on some library version (i.e. "Lol, you can't read this repository on this computer, because your OpenSSL is too old."). That's just completely unacceptable for an archiving tool. |
|
Throwing in some info/opinion about AES-GCM… https://twitter.com/tqbf/status/760907360319660032 (BTW, but still better than Encrypt-and-MAC, https://github.com/borgbackup/borg/issues/747…) —— (@rugk: I generally value your input, but please don't bump tickets just to post previously discussed links again, see #45 |
|
Can one summarize the showstopper for public key encryption (GPG like) or is this discussed in another issue? Reason: I don't want to provide a passphrase for headless backup jobs. |
|
@gthieleb you should look at #672 (comment) |
|
When changing something about the keyfile, see whether the keyfile encryption can be fixed at the same time.
From #3585 (comment) |
|
What about considering a SIV scheme for future AE(AD) constructions? This would immediately resolve any risk of nonce reuse without the need to maintain any kind of nonce state etc. Because the current situation is quite unsatisfying. While it is pretty easy to use only one device per repo, the advise
is simply not practical unless you use borg for absolute emergency recoveries only. |
|
aes-gcm-siv looks pretty nice and quite fast and the spec reads like made for our use case - thanks for the pointer! but that is rather new and not present in openssl (yet?). |
I'm no OpenSSL expert, but according to the changelog SIV was implemented (search for SIV). The API should be something like On the age of SIV: There are multiple flavors of SIV. The oldest construction is the classic AES-SIV (which uses AES-CMAC as MAC) was published 2007. Then there is AES-GCM-SIV which is much newer. Or AES-SIV-PMAC as implemented by miscreant. However since SIV is a generic construction, you're not even limited to AES. E.g. jedisct1 (the author of libsodium) has also created a trivial XChaCha20-Blake2b-SIV implementation (repo), which could be an option if you decide to opt-in for libsodium. |
|
From the website:
…does not sound very confident though and rather like "if you cannot use anything else, do this, but we do not recommend it"… |
|
SIV guarantees the following:
libsodium and it's documentation are designed for people who don't know much about encryption – and therefore this warning is absolutely necessary: even the simple knowledge of data repetition can be enough to break some poorly designed protocols. However whether this is a problem or not completely depends on the protocol/security model – in some cases it may even be desirable to have a deterministic bidirectional plaintext↔︎ciphertext mapping (e.g. the file names in an encrypting filesystem). And when it comes to Borg this also should be completely fine, because a malicious server also can easily detect plaintext repetitions (and much more like access patterns etc.). |
|
@KizzyCode i can't find aes-gcm-siv in openssl, can you point me to the declaration or implementation via a URL? |
|
@rugk i read the SIV RFCs and they make clear that using SIV with a rarely-repeating "nonce" is of course much better than using SIV with a fixed "nonce". that sounds pretty perfect for what we need:
i also liked that siv is able to take a vector of variable length strings and can merge them together for the AD part of AEAD. the older implementations seem to be a bit slower than aes-gcm-siv, so that's why the latter might be nice for us. |
|
@ThomasWaldmann There are traces of SIV in OpenSSL's documentation (e.g. Regarding the performance considerations: while AES-GCM-SIV is faster |
|
I'll edit here a bit and remove outdated and already-done stuff. |
|
Would be cool if PR #6463 could get some review. |
Coordination and high-level discussion ticket
Note: edited / updated 2022-02 by TW
The text was updated successfully, but these errors were encountered: