[9fans] secstore security

[9fans] secstore security

[Steve Simon]

I want to backup my secstore on other machines, and
he 9grid nodes seem the obvious place. I trust
the 9grid adminstrators as far as I can (I have never met them),
but in the general case, how secure is the secstore from
a dictionary attack by bootes?

I have read the text on secstore in /sys/doc/auth.ps but I
don't feel qualified to make a decision.

Any security experts out there?

-Steve

Re: [9fans] secstore security

[Devon H. O'Dell]

[-- Attachment #1: Type: text/plain, Size: 1518 bytes --]

On Mon, Apr 11, 2005 at 10:38:40AM +0100, Steve Simon wrote:
> I want to backup my secstore on other machines, and
> he 9grid nodes seem the obvious place. I trust
> the 9grid adminstrators as far as I can (I have never met them),
> but in the general case, how secure is the secstore from
> a dictionary attack by bootes?
> 
> I have read the text on secstore in /sys/doc/auth.ps but I
> don't feel qualified to make a decision.
> 
> Any security experts out there?
> 
> -Steve

First: I don't claim to be a security expert :)

The algorithms used are similar enough to those used in other
systems (that have been used for a good while and are currently
considered secure) for me to feel comfortable with it. Keys are
stored with Rijndael+CBC, so birthday attacks aren't going to be
likely either.

I think that you'd need to be more worried about transmitting
keys over plain text protocols. You will never be protected
against dictionary attacks by one who has access to the keys in
their encrypted form, but the PAK protocol used in secstore
``prevents dictionary attacks on the password by passive
wiretappers or active intermediaries'' (i.e. active or passive
third parties).

If you choose strong passwords (passphrases are good these
days), dictionary attacks should be infeasible. So unless
someone finds a way to access the memory with the decrypted
passphrases (or your password is `moo'), you should feel safe
with the methodology used by factotum / secstore.

--Devon

[-- Attachment #2: Type: application/pgp-signature, Size: 194 bytes --]

Re: [9fans] secstore security

[Charles Forsyth]

i think the question was really about security of
the server not the protocol or client use.
can anyone with access to the secstore
files on the secstore machine, specifically its administrator,
do a dictionary attack on those files?

yes.

if i log in to my secstore as the owner of the secstore files,
i can see the file factotum, and run auth/aescbc -d to decrypt it.
of course, i know my own password in this case, but that answers
the question about the file.

it just emphasises the general importance of choosing (or generating)
good  encryptiono keys.   of course, since the server just stores files as  provided
by the client, there is nothing to stop the client making the scheme
more elaborate than currently is done for the file `factotum',
and the client could easily use a fancy scheme to generate and recover
a `password', since it never leaves the client.
in short, the security is ultimately limited by client choice,
and that choice is not itself limited by the server or protocol.

Re: [9fans] secstore security

[Charles Forsyth]

>>of course, since the server just stores files as  provided
>>by the client, there is nothing to stop the client making the scheme
>>more elaborate than currently is done for the file `factotum',

and if you're mainly interested in backup, you could (further) encrypt your secstore's files
with a non-trivial key before sending them to 9grid's secstore,
then decrypt them with that key if you ever had to restore them.
of course, in that case using 9grid's secstore on-line directly would require the client
to know to use the extra key.

another variant would be to split the material in some way across
several secstores operated by different people