hardcoresushi
/
libgocryptfs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Split off SECURITY.md

This commit is contained in:
Jakob Unterwurzacher 2015-10-06 23:20:21 +02:00
parent 8ec16c165d
commit 31e14936be
2 changed files with 99 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
README.md
View File

@ -8,6 +8,9 @@ LoopbackFileSystem API.
This project was inspired by [EncFS](https://github.com/vgough/encfs) This project was inspired by [EncFS](https://github.com/vgough/encfs)
and strives to fix its security issues (see EncFS tickets 9, 13, 14, 16). and strives to fix its security issues (see EncFS tickets 9, 13, 14, 16).
For details on the security of GoCryptFS see the
[SECURITY.md](https://github.com/rfjakob/gocryptfs/blob/master/SECURITY.md)
document.
Current Status Current Status
-------------- --------------
@ -20,99 +23,6 @@ Install
go get github.com/rfjakob/gocryptfs go get github.com/rfjakob/gocryptfs
Security
--------
"Security" can be split into "Confidentiality" and "Integrity". The
security level gocryptfs provides for each is discussed in the next
sections.
Confidentiality
---------------
Confidentiality means that information cannot be extracted from the
encrypted data unless you know the key.
### File Contents
* All file contents (even the last bytes) are encrypted using AES-256-GCM
* This is unbreakable in the foreseeable future. Attacks will focus on
cracking the password instead (see section "Master Key Storage").
* Files are segmented into 4096 byte blocks
* Each block gets a fresh random 96 bit IV (none) each time it is written.
* This means that identical blocks can not be identified
### File Names
* File names are encrypted using AES-256-CBC because it is robust even
without using an IV
* The file names are padded to multiples of 16 bytes
* This means that the exact length of the name is hidden, only length
ranges (1-16 bytes, 17-32 bytes etc.) can be determined from the encrypted
files
* For technical reasons, no IV is used
* This means that files with the same name within one gocryptfs filesystem
always get the same encrypted name
### Metadata
* The size of the file is not hidden. The exact file size can be calculated
from the size of the encrypted file.
* File owner, file permissions and timestamps are not hidden either
Integrity
---------
Integrity means that the data cannot be modified in a meaningful way
unless you have the key. The opposite of integrity is *malleability*.
### File Contents
* The used encryption, AES-256-GCM, is a variant of
*authenticated encryption*. Each block gets a 128 bit authentication
tag (GMAC) appended.
* This means that any modification inside block will be detected when reading
the block and decryption will be aborted. The failure is logged and an
I/O error is returned to the user.
* Each block uses its block number as GCM *authentication data*
* This means the position of the blocks is protected as well. The blocks
can not be reordered without causing an decryption error.
* However, proper affiliation of a block to the file is not checked.
* This means that blocks can be copied between different files provided
that they stay at the same position.
* For technical reasons (sparse files), the special "all-zero" block is
seen as a valid block that decrypts to an all-zero block.
### File Names
* File names are only weakly protected against modifications.
* Changing a single byte causes a decode error in at least 255 of 256
cases. The failure is logged and the file is no longer visible in the
directory.
* If no decode error is triggered, at least 16 bytes of the filename will
be corrupted (randomized).
* However, file names can always be truncated to multiples of 16 bytes.
### Metadata
* The file size is not protected against modifications
* However, the block integrity protection limits modifications to block
size granularity.
* This means that files can be truncated to multiples of 4096 bytes.
* Ownership, timestamp and permissions are not protected and can be changed
Master Key Storage
------------------
The *master key* is used to perform file decryption and encryption.
It is stored in `gocryptfs.conf` encrypted with AES-256-GCM using the
*unlock key*.
The unlock key is generated from a user password using `scrypt`.
A sucessful decryption of the master key means that the authentication
passed and the password is correct. The master key is then used to
mount the filesystem.
Performance Performance
----------- -----------
@ -121,7 +31,8 @@ Performance
for a 3x speedup compared to `crypto/cipher` (see [go-vs-openssl.md](https://github.com/rfjakob/gocryptfs/blob/master/openssl_benchmark/go-vs-openssl.md)) for details for a 3x speedup compared to `crypto/cipher` (see [go-vs-openssl.md](https://github.com/rfjakob/gocryptfs/blob/master/openssl_benchmark/go-vs-openssl.md)) for details
Run `./benchmark.bash` to run the test suite and the streaming read/write Run `./benchmark.bash` to run the test suite and the streaming read/write
benchmark. benchmark. The benchmark is run twice, first with native Go crypto and
second using openssl.
The output should look like this: The output should look like this:

94
SECURITY.md Normal file
View File

@ -0,0 +1,94 @@
GoCryptFS Security
==================
"Security" can be split into "Confidentiality" and "Integrity". The
security level gocryptfs provides for each is discussed in the next
sections.
Confidentiality
---------------
Confidentiality means that information cannot be extracted from the
encrypted data unless you know the key.
### File Contents
* All file contents (even the last bytes) are encrypted using AES-256-GCM
* This is unbreakable in the foreseeable future. Attacks will focus on
cracking the password instead (see section "Master Key Storage").
* Files are segmented into 4096 byte blocks
* Each block gets a fresh random 96 bit IV (none) each time it is written.
* This means that identical blocks can not be identified
### File Names
* File names are encrypted using AES-256-CBC because it is robust even
without using an IV
* The file names are padded to multiples of 16 bytes
* This means that the exact length of the name is hidden, only length
ranges (1-16 bytes, 17-32 bytes etc.) can be determined from the encrypted
files
* For technical reasons, no IV is used
* This means that files with the same name within one gocryptfs filesystem
always get the same encrypted name
### Metadata
* The size of the file is not hidden. The exact file size can be calculated
from the size of the encrypted file.
* File owner, file permissions and timestamps are not hidden either
Integrity
---------
Integrity means that the data cannot be modified in a meaningful way
unless you have the key. The opposite of integrity is *malleability*.
### File Contents
* The used encryption, AES-256-GCM, is a variant of
*authenticated encryption*. Each block gets a 128 bit authentication
tag (GMAC) appended.
* This means that any modification inside a block will be detected when reading
the block and decryption will be aborted. The failure is logged and an
I/O error is returned to the user.
* Each block uses its block number as GCM *authentication data*
* This means the position of the blocks is protected as well. The blocks
can not be reordered without causing an decryption error.
* However, proper affiliation of a block to the file is can not be verified.
* This means that blocks can be copied between different files provided
that they stay at the same position.
* For technical reasons (sparse files), the special "all-zero" block is
always seen as a valid block that decrypts to all-zero plaintext.
* This means that whole blocks can be zeroed out
### File Names
* File names are only weakly protected against modifications.
* Changing a single byte causes a decode error in most of the
cases. The failure is logged and the file is no longer visible in the
directory.
* If no decode error is triggered, at least 16 bytes of the filename will
be corrupted (randomized).
* However, file names can always be truncated to multiples of 16 bytes.
### Metadata
* The file size is not protected against modifications
* However, the block integrity protection limits modifications to block
size granularity.
* This means that files can be truncated to multiples of 4096 bytes.
* Ownership, timestamp and permissions are not protected and can be changed
as usual.
Master Key Storage
------------------
The *master key* is used to perform content and file name encryption.
It is stored in `gocryptfs.conf`, encrypted with AES-256-GCM using the
*unlock key*.
The unlock key is generated from a user password using `scrypt`.
A successful decryption of the master key means that the GMAC authentication
passed and the password is correct. The master key is then used to
mount the filesystem.