Re: [dev] security guidance

From: Markus Teich <markus.teich_AT_stusta.mhn.de>
Date: Sat, 10 Mar 2018 13:59:10 +1100

On 2018-03-08 18:47, petern_AT_riseup.net wrote:
> Looking at the chacha API one needs to use a nonce, in the monocypher
> implementation it is 24 bits wide, which would give the option of almost
> 17M runs with a single key. IIUC adding a salt would further randomize
> the output and possibly prevent some other forms of attacks but won't
> replace the nonce as the salt cannot be secret either.

I don't know the chacha API. Please check the Wikipedia pages for salt vs.
nonce. TLDR: They are similar, but for passwords the term salt is used while
nonce is used in network protocol context. An important difference is that
the salt is always okay to publish/store, while some nonces have to be kept
secret. However, the "only use once" concept also applies to salts, so make
sure you generate a new salt each time you recompute the hash of a
key/password.

> What is a profiling attack? A quick search didn't bring up anything
> relevant. I see many people are disturbed by the idea that the keys of
> the password key-value store are visible on the filesystem. I will have
> to think about that.

I don't know if there is a specific term for this. You want your system to be
good enough that you can publish the encrypted password database (Kerckhoffs's
2nd principle). For my project I envisioned using git for db synchronization.
So if the keys ("google.com", "facebook.com", "nastypr0nsite.sexy", …) are not
encrypted equally well, everyone can see where you have accounts. That's what
people are concerned about.

> In the meantime I am realizing that security is really, really hard. All
> the sorts of attacks there are, memory swapping, wiping disk and memory
> properly after finished... And I haven't even gotten to the agent part,
> which needs to store the password in memory. Thinking about that part
> I'm not even sure how that can be done safely. Well, at least I
> understand better why people are relying on GPG to do that part. Lesson
> learned :)

Well it is hard indeed, but it's also interesting to learn all that stuff. If
you don't push your first attempts at cryptography to thousands of users, it
is usually fine. After all, the best way to learn is to make mistakes. You
just have to accept that you will definitely be making mistakes and be
willing to fix them. :)

Received on Sat Mar 10 2018 - 03:59:10 CET
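An added example, not code from this thread, from monocypher, or from either poster's project: a small Python sketch of the two points made above, a fresh random salt every time a password hash is recomputed (with the salt stored in the clear next to the hash), and entry names of a key-value password store replaced by a keyed hash so that a published or git-synced database does not reveal where you have accounts. The KDF choice (PBKDF2-HMAC-SHA256 from the standard library), the iteration count, the master-key derivation and every function name are assumptions made for the sketch; a real store would additionally encrypt the entry values with an AEAD, which is left out here.

```python
# Added example (not code from the thread or either project discussed):
# a toy password-store layout following the two points made above. Every
# name, parameter and sample value in here is a constructed assumption.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # illustration only; tune for your hardware


def new_salt() -> bytes:
    """Salts may be stored in the clear, but must be fresh for every hash."""
    return os.urandom(16)


def hash_password(password: str, salt: bytes) -> bytes:
    """Deterministic for a fixed (password, salt) pair; verification relies on it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_record(password: str) -> dict:
    """Recomputing the hash means drawing a new salt, never reusing the old one."""
    salt = new_salt()
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored (public) salt and compare in constant time."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def conceal_name(master_key: bytes, name: str) -> str:
    """Keyed hash of an entry name. The result can serve as the file name and
    as the lookup handle, but without master_key it says nothing about the site."""
    return hmac.new(master_key, name.encode(), hashlib.sha256).hexdigest()


def naive_layout(names) -> list:
    """Entry names used directly as file names: anyone who sees the repo sees them."""
    return sorted(names)


def concealed_layout(master_key: bytes, names) -> list:
    """Entry names replaced by their keyed hashes before anything is published."""
    return sorted(conceal_name(master_key, n) for n in names)


def has_entry(master_key: bytes, layout, name: str) -> bool:
    """Lookup works for the key holder by recomputing the concealed name."""
    return conceal_name(master_key, name) in layout


if __name__ == "__main__":
    # Constructed sample data.
    master_password = "correct horse battery staple"
    sites = ["google.com", "facebook.com", "example.org"]

    first = store_record(master_password)
    second = store_record(master_password)
    print("same password, two fresh salts, different hashes:",
          first["hash"] != second["hash"])
    print("verification with the stored salt still works:",
          verify(first, master_password))

    # Master key for name concealment, derived with the stored salt.
    master_key = hash_password(master_password, first["salt"])
    layout = concealed_layout(master_key, sites)
    print("naive layout    :", naive_layout(sites))
    print("concealed layout:", layout)
    print("lookup google.com:", has_entry(master_key, layout, "google.com"))
```

Running it twice shows the salt rule directly: the same master password yields two different stored hashes, yet `verify` succeeds with whichever salt was stored alongside. The concealed layout is what an observer of the synced repository would see; only the holder of the master key can map it back to site names.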