X-Ryl669/Frost

Feature request: Authenticated encryption

Closed this issue · 4 comments

It would be nice to have authenticated encryption for every chunk, e.g., using libsodium.
https://github.com/jedisct1/libsodium

Reference:
http://www.cryptopp.com/wiki/Authenticated_Encryption
http://en.wikipedia.org/wiki/Authenticated_encryption

Also, please take a look at s3ql encryption for each block
http://www.rath.org/s3ql-docs/impl_details.html

and tarsnap
http://www.tarsnap.com/technical.html

Authenticated encryption is exactly what Frost is doing (although I didn't know about libsodium, thanks!). A master key is created the first time from a large random pool of entropy.
Then I create an elliptic curve asymmetric key pair used to encrypt the master key and save it encrypted in the index. The key required to decrypt it is based on your password - via PBKDF2.
This master key is then used to generate per block keys for encrypting them.
These individual keys are all different.
Blocks are not chunks, because you can have chunks of very few bytes and it's not efficient. Blocks are fixed size, so we don't have to add an encryption header for each variable-length block but one per multichunk, so it's more space efficient.
Since the hash of the data is used for creating the individual keys, it provides data integrity at the same time.
Authenticated encryption is doing exactly the same thing; Frost's approach is using the "MAC then Encrypt" scheme.

Actually, the description in S3QL is almost exactly what Frost is doing.

I knew about tarsnap, but since it's a "hostile" service, I don't want to know the inner workings of what they do.
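The key hierarchy described above (password-derived key via PBKDF2, per-block keys derived from the master key and the hash of the block, integrity checked by recomputing that hash after decryption), as an added illustration that is not Frost's own code. The HMAC-based keystream is an assumption standing in for the AES call Frost makes through OpenSSL; the master key handling (EC key pair, index storage) is left out.

```python
import hashlib
import hmac
import os


def password_key(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    # PBKDF2-HMAC (PKCS#5 v2.0): the password-derived key that unlocks the master key.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def new_master_key() -> bytes:
    # Created once from the OS entropy pool; never derived from the password.
    return os.urandom(32)


def block_key(master_key: bytes, block_hash: bytes) -> bytes:
    # Per-block key = PRF(master key, hash of block data): every block gets a distinct key,
    # and two identical blocks get the same key (dedup-friendly, but equality is observable).
    return hmac.new(master_key, b"block-key|" + block_hash, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode XORed onto data.
    stream = b"".join(
        hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        for ctr in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_block(master_key: bytes, nonce: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    # "MAC then Encrypt": hash the plaintext first, derive the key from that hash, then encrypt.
    # The hash goes to the index, the ciphertext to the multichunk.
    block_hash = hashlib.sha256(plaintext).digest()
    ciphertext = keystream_xor(block_key(master_key, block_hash), nonce, plaintext)
    return block_hash, ciphertext


def open_block(master_key: bytes, nonce: bytes, block_hash: bytes, ciphertext: bytes) -> bytes:
    # Integrity is only known after decrypting: recompute the hash and compare in constant time.
    plaintext = keystream_xor(block_key(master_key, block_hash), nonce, ciphertext)
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), block_hash):
        raise ValueError("block integrity check failed: data or index entry was altered")
    return plaintext
```

Note that a wrong master key or a flipped ciphertext byte both surface as a hash mismatch, so the check must run before any decrypted data is handed to the caller.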

Well, I am not a cryptographer or an experienced developer. So let me believe you in this.
However, as far as I understand, programming encryption is hard and prone to errors. That's the main reason to use a popular and well-audited encryption library rather than doing it yourself (e.g., number of watches and forks of libsodium on its github page). Yeah, you are using libcrypto from OpenSSL but also including a lot of your own code, which I do not have the expertise to review. Being popular is not the same as good but at least its code is seen by a lot of people. How many people have looked at the encryption code of Frost? Maybe only you. That makes me particularly uncomfortable with using Frost. I will not use it for real backup for now.
However, I do know changing the encryption scheme would be a lot of work. So I would leave it to your preference.
Frost's feature set is really impressive and promising.

Actually, when compiling Frost, it uses by default OpenSSL's implementation (and not my implementation since it's slower - but easier to read and debug). My encryption code is tested against the FIPS test suite (and I guess OpenSSL's code is too?).
From my own implementation that's not in OpenSSL directly, I'm using PBKDF2 (and the code is almost 1:1 what is in the specification found in PKCS#5 v2.0, with all test vectors passing). All other algorithms are plain OpenSSL/libcrypto calls.

One thing to understand with cryptographic code is that 99% of the time, the "bugs/issues" are in the code using the cryptographic primitives, not in the primitives themselves, which are very well tested & verified.
Using libsodium (or cryptopp which I'm more familiar with) would not improve the security much (and probably make it worse) because I could make implementation errors while using their primitives because I'm not familiar enough with them and can make beginner's mistakes.

In all cases, I understand your concerns, but I don't think I'll change the code to use code I'm not used to (and even more so for the crypto code).