New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get the protocol professionally audited #1
Comments
Hey, Thanks for asking. The answer to that is yes and no. I updated the title to be more descriptive. I hope everything is clear. More info is available on the FAQ. |
would you be open to changing the crypto to something like ChaCha20/XSalsa20+Poly1305? meaning, accepting a PR that does it while being retro-compatible with previous crypto usage |
@suqdiq, hey. As a rule, I'm open to all changes for which a compelling case can be made. Though I'm honestly asking, is there such a compelling case? I chose AES-CBC + HMAC-256 because of their ubiquity and battle-tested implementations. This means that I can find a good implementation (or bindings) for those for every platform and every language. This is essentially why I avoided ChaCha20. Though I'm willing to admit I maybe erred on the side of caution here, because ChaCha20 may have reached the same level of ubiquity by now. If you think there is a compelling case to switching, please open a new ticket (let's not go off-topic on this one) and include the pros/cons of switching to ChaCha20/XSalsa20+Poly1305 and how would our users benefit from such a change. "Speed" is probably not a good enough reason, unless a case could be made that it would actually affect our users. Please also include a link to this comment so people have some context. P.S, the EteSync protocol is versioned, so such a change should be fairly simple. It's having to implement it on every platform (at the moment there are only two, Python and Java), and having more "special cases" (more versions) that are annoying. Thanks. |
I would like to suggest using libnacl or libsodium "secret box" functions instead of directly using the low-level primitives. High level libraries such as these seem to be security best practise these days as they insulate the developer from "sharp edges" like having to think about what AES mode and padding to use and so on, and keeping up to date with best practises. I think using the crypto primitives directly as etesync is currently would be considered "doing your own crypto" (which you rightly say you want to avoid). I may have missed some of etesync's requirements in my reading of the code and FAQ item about the design, but I think a secret box function would cover the current requirements. e.g., using As for which libraries/bindings to choose, I can't recommend any from personal experience, but this page has a list. Maybe this one - libsodium-jni - for Android. There is an official javascript build (just the C compiled to JS using emscripten) https://github.com/jedisct1/libsodium.js/ which could be used in the web client. There are several Python options there for the Python API. I've also seen libhydrogen, also from Frank Denis (author of libsodium), implements a secret box using curve25519 and GIMLI (don't know anything about the latter). Seems to be a lightweight version of libsodium aimed at embedded systems. I don't know if there are any reasons to use this over libsodium unless you want things to be especially lightweight. Some further research on these options and which bindings/port to use would be necessary, but once this is decided, the developer experience is very easy and would cut out pretty much all of the current crypto code and just replace with a few function calls. My understanding of these libraries is they try to be very stable and oriented towards developers who have enough other things to worry about ("easy to use and hard to misuse") and could be a perfect fit for this project. I like the way this project keeps things simple with clever design and good reuse of other popular libraries, now that these crypto libraries are available, this seems like the logical thing to use. I should add, these libraries have been professionally audited -- so getting etesync itself audited can become a much lower priority, maybe even unnecessary. |
Thanks for your detailed suggestion, while I agree with the above, it's not as easy as it sounds. The main concerns with doing that are:
I'll properly evaluate it when I'm ready to change the encryption scheme, though point 1.2. seems to be a problem, which may have implications to point 1 as a whole. Thanks a lot for the suggestion. |
Just wanted to let you know that I gave it some more thought and have done some more research on the availability across platforms. Even though Android doesn't seem to have very good nacl support, it looks like we should make the switch. The benefits are just too significant to ignore, so thanks a lot of the suggestion! It'll be done as part of the other planned overall improvements to the encryption scheme and protocol, which will hopefully happen in the next few months. |
Is there a document detailing the architecture somewhere? Even if it's just the API. I would also recommend removing "zero knowledge" from descriptive material, as it might be misconstrued with zero knowledge proofs. |
@YellowOnion, thanks for your comments. As for zero-knowledge: I hate this term too, though the reason why it's there is because everyone else in the privacy space use it and users were confused about us not having it! I think that people who know what ZKPs are, wouldn't get confused too often, and those who don't wouldn't get confused anyway. For whatever it's worth btw, EteSync 2.0 does use ZKP. :) |
I forgot to highlight it in my previous comment, but EteSync 2.0 also uses libsodium, so this issue will be mostly addressed. |
Has your encryption code been audited?
The text was updated successfully, but these errors were encountered: