-
Notifications
You must be signed in to change notification settings - Fork 257
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
defuse.ca Security Audit Results #90
Labels
Comments
Threat model published at https://nuetzlich.net/gocryptfs/threat_model/ |
Looks good! |
Oh, thanks for looking!! |
@rfjakob Thanks for your work and taking the audit report seriously. I just wanted to know whether 2.1 and 2.3 above are being dealt with or are considered acceptable? 😄 |
Not working on these, no. I consider them as acceptable limitations. |
Ok, thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Taylor Hornby of defuse.ca has release a security audit of gocryptfs: https://defuse.ca/audits/gocryptfs.htm
This ticket tracks and discusses the findings (section 2 in the audit)
> 2.1 File-Level Ciphertext Malleability
Get rid of allow_other? Still, defending about root-level access is not really feasible.
> 2.2 File ID Poisoning / PoC 5
Defense for PoC 5 is in the works. Empty files that contain nothing but the header will be overwritten (destroying the poisoned file ID)
Done in 14038a1 .
> 2.3 Directory IV Poisoning / PoC 7
Create
gocryptfs.diriv
when the first file is created? Not sure if the extra complexity of doing that is worth it, as the impact is low.> 2.4 Same Key Used for Both GCM and EME Modes
gocryptfs v1.3 will derive separate key using HKDF (developed in the hkdf branch)
Done, the hkdf branch has been merged to master.
> 2.5 No Integrity Protection for File Permissions
Works as designed but should be documented.
> 2.6 Pushing the Limits of GCM
The audit agrees with my calculations that the 128-bit IVs that are used by gocryptfs are safe up to petabytes of data.
Still, we may switch to AES-GCM-SIV once it is available and fast.
The text was updated successfully, but these errors were encountered: