Looks useful, although it probably will have problems with all kind of applications that do anything more than just writing new files or directly appending to old ones (e.g. those that add to files by writing the changed version to disk and then swapping it in place -> old, already encrypted parts of the changed file would then be encrypted again)
Perhaps I'm missing something obvious, but why can't the filename be encrypted as well?
(So you have public key 0xDEAFBEEF; you want to write a file named 'secret.txt' with the contents 'We attack at dawn'. OweFS encrypts 'We attack at dawn' to 010101 and writes that to 'secret.txt'. But why couldn't it have encrypted the contents to 010101 and encrypted the filename 'secret.txt' to 111000, and then written a file named 111000.encrypted with the contents 010101? Then when the owner of 0xDEAFBEEF wanted to read it, he simply decrypts 111000.encrypted to 'secret.txt' and decrypts its content 010101 to 'We attack at dawn.')
Firstly, let's assume that directories aren't encrypted. Otherwise this would be a real PITA - just to locate /foo/bar/baz.txt you'd have to decrypt each component of 001001/011101/110101.encrypted separately.
More importantly, the decrypting software has no way to encrypt things, only decrypt them. So to read 'secret.txt' you can't just encrypt 'secret.txt' to '111000.encrypted'. Instead, you have to iterate through the entire directory listing and decrypt every single filename, until you find one that decrypts to 'secret.txt'.
Obviously this gets pretty bad with even moderately-sized directories. I assume this is why the project doesn't encrypt filenames.
If you're reading files rather than writing them, then you must be decrypting them and in possession of the private key, which means you are permitted access to everything; so you could cache all the decryptions. Initial reads might be more expensive to locate, but then free. Also, how many cycles could it take to decrypt the few hundred or few thousand characters that could possibly make up a full filepath?
Linux 4.1+ with ext4 supports filesystem level encryption, and it encrypts filenames. The implementation seems very complex, I'm not sure how mature this feature is. I think the state is probably "not production ready", but I don't know very much about this.
This can't be used for assymetric encryption. The reason you can still see files and filenames on normally encrypted drives is because your OS holds the encryption key AND decryption key in memory (they're actually the same because it's using symmetric encryption). The problem with the assymetric case is that you no longer have the decryption key, so if you encrypt a filename, you don't get to refer to the file anymore, of course unless (as another user commented) you encrypt the filename you're using to reference the file every time you reference the file, which isn't a terrible idea.
No - the primary benefit this filesystem claims is that you can have a system with write access without knowing the private key to read data back, so even if the system is somehow compromised, the attacker doesn't get to read the sensitive data written.
Nice. I'd previously written a similar FUSE-based one-way filesystem, but I never did publish it. "Go laziness!"
The two applications that caught my eye were "home security cameras" (which the docs allude to) and secure telemetry.
You have a device (say, a drone) that logs telemetry data, but if the drone is lost, the data cannot be recovered by a third party without the private key.
The inability to edit or append to files is not really a fundamental limitation of this approach - it would just require some more bookkeeping. Reading back data, of course, is (by design) impossible.
Heads up to anyone considering using this: the author wrote their own crypto code[1]. I would recommend against using this until that is fixed... I've already spotted a few vulnerabilities.
I don't necessarily disagree, but at some point the buck has to stop, right? How would you implement this any other way? The author didn't implement AES or so on himself, he uses standard library encryption and applies it as appropriate. You should probably report the issues you find to federico.ceratto-at-gmail.com (from Github).
The author should use a library that provides a simple "encryptWithPublicKey" method, so that any choices about RSA key size, AES mode of operation, etc are all taken care of. NaCl[1] would probably be best, since it's written and audited by prominent cryptographers.
There are a tremendous number of other ways this could be implemented.
Authenticated encryption? GCM? XTS?
Salt the CFB? Guard against interblock attacks?
The crypto needs to be completely reworked. This is an asymmetric kek around symmetric encryption, which is done in many other projects.
Half-backed crypto such as this is worse than no crypto at all, as it lulls people into believing they are using a valid cryptographic system. But, the project implements (poorly) a subset of what is needed and pushes the rest into application code - but app writers don't know this and wouldn't know what to implement even if they know of the shortcomings.
Cryptographers see this all the time. People think they invented a new concept but only implemented a well-known design but did it incompletely and with well-known flaws in the crypto. Then, people defend the system, when it would be far easier to use better primitives.
It looks like the file is replaced every write, too, which removes most of the hard use cases. It really seems to me that he could just use PyNaCl to encrypt the files and not have to bother with all the custom crypto. I don't know what the intentions and tradeoffs are, though, so I can't be sure.
You could make similar threat-model arguments as are made about FDE, but that's not really a good excuse when authentication would be technically easy in this case.
It says something if you're using a package called PyCrypto for RNG and that happens to be an insecure approach. You would think with that name it was the right way to do it.
That doesn't immediately mean that the library is useless.
> until that is fixed
I disagree with the word "fixed", as if it's broken. He probably used the highest-level primitives he could to achieve the requirements.
> I've already spotted a few vulnerabilities.
It'd probably be more constructive to open an issue detailing the vulnerabilities rather than saying "I've spotted some, use NaCl" and leaving it at that. What makes you so sure that NaCl is even a suitable replacement without knowing all the considerations that went into the project?
"Every time a new file is being written, owefs_encrypt creates a one-time random key. The random key is encrypted using the public key and is embedded in the new file. The contents of the file are encrypted using such random key."
> Some files may need to be written while the device is locked. A good example of this is a mail attachment downloading in the background. This behavior is achieved by using asymmetric elliptic curve cryptography (ECDH over Curve25519). The usual per-file key is protected by a key derived using One-Pass Diffie-Hellman Key Agreement as described in NIST SP 800-56A.
> The ephemeral public key for the agreement is stored alongside the wrapped per-file key. The KDF is Concatenation Key Derivation Function (Approved Alternative 1) as described in 5.8.1 of NIST SP 800-56A. AlgorithmID is omitted. PartyUInfo and PartyVInfo are the ephemeral and static public keys, respectively. SHA-256 is used as the hashing function. As soon as the file is closed, the per-file key is wiped from memory. To open the file again, the shared secret is re-created using the Protected Unless Open class’s private key and the file’s ephemeral public key; its hash is used to unwrap the per-file key, which is then used to decrypt the file.
38 comments
[ 3.2 ms ] story [ 89.1 ms ] thread(So you have public key 0xDEAFBEEF; you want to write a file named 'secret.txt' with the contents 'We attack at dawn'. OweFS encrypts 'We attack at dawn' to 010101 and writes that to 'secret.txt'. But why couldn't it have encrypted the contents to 010101 and encrypted the filename 'secret.txt' to 111000, and then written a file named 111000.encrypted with the contents 010101? Then when the owner of 0xDEAFBEEF wanted to read it, he simply decrypts 111000.encrypted to 'secret.txt' and decrypts its content 010101 to 'We attack at dawn.')
Firstly, let's assume that directories aren't encrypted. Otherwise this would be a real PITA - just to locate /foo/bar/baz.txt you'd have to decrypt each component of 001001/011101/110101.encrypted separately.
More importantly, the decrypting software has no way to encrypt things, only decrypt them. So to read 'secret.txt' you can't just encrypt 'secret.txt' to '111000.encrypted'. Instead, you have to iterate through the entire directory listing and decrypt every single filename, until you find one that decrypts to 'secret.txt'.
Obviously this gets pretty bad with even moderately-sized directories. I assume this is why the project doesn't encrypt filenames.
http://blog.quarkslab.com/a-glimpse-of-ext4-filesystem-level...
https://docs.google.com/document/d/1ft26lUQyuSpiu6VleP70_npa...
http://www.techrepublic.com/blog/linux-and-open-source/creat...
The two applications that caught my eye were "home security cameras" (which the docs allude to) and secure telemetry.
You have a device (say, a drone) that logs telemetry data, but if the drone is lost, the data cannot be recovered by a third party without the private key.
[1] https://github.com/FedericoCeratto/owefs/blob/master/pycrypt...
[1] http://nacl.cr.yp.to/
Authenticated encryption? GCM? XTS? Salt the CFB? Guard against interblock attacks?
The crypto needs to be completely reworked. This is an asymmetric kek around symmetric encryption, which is done in many other projects.
Half-backed crypto such as this is worse than no crypto at all, as it lulls people into believing they are using a valid cryptographic system. But, the project implements (poorly) a subset of what is needed and pushes the rest into application code - but app writers don't know this and wouldn't know what to implement even if they know of the shortcomings.
Cryptographers see this all the time. People think they invented a new concept but only implemented a well-known design but did it incompletely and with well-known flaws in the crypto. Then, people defend the system, when it would be far easier to use better primitives.
You could make similar threat-model arguments as are made about FDE, but that's not really a good excuse when authentication would be technically easy in this case.
I doubt eight bytes is enough for cryptography...
If you need random bytes in Python, use os.urandom:
https://docs.python.org/2/library/os.html#os.urandomPretty sad if it is not the case! Interestingly enough, RNG in pycryptodome which I was using for zerodb is urandom. https://github.com/Legrandin/pycryptodome/blob/master/lib/Cr...
Would be interesting to see similar gotchas about that library (though everybody uses PyCrypto, that makes me feel a little paranoid!)
That doesn't immediately mean that the library is useless.
> until that is fixed
I disagree with the word "fixed", as if it's broken. He probably used the highest-level primitives he could to achieve the requirements.
> I've already spotted a few vulnerabilities.
It'd probably be more constructive to open an issue detailing the vulnerabilities rather than saying "I've spotted some, use NaCl" and leaving it at that. What makes you so sure that NaCl is even a suitable replacement without knowing all the considerations that went into the project?
I have no intention to mislead any user into running it so I'll remove the repository for the time being.
why not use the asymmetric keypair to guard an AES key, and use AES to do the encryption instead, something like what https is doing.
"Every time a new file is being written, owefs_encrypt creates a one-time random key. The random key is encrypted using the public key and is embedded in the new file. The contents of the file are encrypted using such random key."
> Some files may need to be written while the device is locked. A good example of this is a mail attachment downloading in the background. This behavior is achieved by using asymmetric elliptic curve cryptography (ECDH over Curve25519). The usual per-file key is protected by a key derived using One-Pass Diffie-Hellman Key Agreement as described in NIST SP 800-56A.
> The ephemeral public key for the agreement is stored alongside the wrapped per-file key. The KDF is Concatenation Key Derivation Function (Approved Alternative 1) as described in 5.8.1 of NIST SP 800-56A. AlgorithmID is omitted. PartyUInfo and PartyVInfo are the ephemeral and static public keys, respectively. SHA-256 is used as the hashing function. As soon as the file is closed, the per-file key is wiped from memory. To open the file again, the shared secret is re-created using the Protected Unless Open class’s private key and the file’s ephemeral public key; its hash is used to unwrap the per-file key, which is then used to decrypt the file.