Skip to content

Add integrity protection using Encrypt-Then-MAC to default encryption module#21557

Merged
LukasReschke merged 20 commits intomasterfrom
use-hmac-over-encryption
Feb 9, 2016
Merged

Add integrity protection using Encrypt-Then-MAC to default encryption module#21557
LukasReschke merged 20 commits intomasterfrom
use-hmac-over-encryption

Conversation

@LukasReschke
Copy link
Copy Markdown
Member

@LukasReschke LukasReschke commented Jan 8, 2016

This adds an integrity protection using Encrypt-Then-MAC to the default encryption module. Authenticated encryption prevents that a storage administrator can tamper with the files such as performing bitflipping attacks on them.

To achieve this the following changes have been done by @schiesbn and me:

  1. Switched to AES-CTR-256 as default cipher for new or modified files
  2. All new files have the HMAC data in the metadata as well.
  3. When decrypting files the signature gets verified. All files encrypted using CTR need this field to be there mandatory, the old CFB mode can have this field but it is not enforced.

This approach gives us the possibility to have complete backwards compatibility with the existing encrypted files (as in: you should be able to read all files as before as well) as well as an easy way to differentiate whether a file needs to have a mandatory HMAC.

To test this also try to modify the encrypted ciphertext in the encrypted document on new or modified files and see whether you can still open the document. With this change applied you should not, it will simply fail to decrypt the file.

There will be no automatic migration as we all know the pain of such. Thus this will only affect new or modified files.

Partially addresses https://github.com/owncloud/security-tracker/issues/191. Some documentation changes are still pending.

@LukasReschke LukasReschke added this to the 9.0-current milestone Jan 8, 2016
@mention-bot
Copy link
Copy Markdown

mention-bot commented Jan 8, 2016

By analyzing the blame information on this pull request, we identified @schiesbn, @nickvergessen and @DeepDiver1975 to be potential reviewers

@LukasReschke
Copy link
Copy Markdown
Member Author

LukasReschke commented Jan 8, 2016

@owncloud/qa Please do some testing with encryption enabled. Thanks.
@schiesbn Our branch 🎉

@karlitschek
Copy link
Copy Markdown
Contributor

karlitschek commented Jan 8, 2016

👍

@rullzer
Copy link
Copy Markdown
Contributor

rullzer commented Jan 8, 2016

So crypto stays a complex thing. And the more you learn about it the further you know to stay away from it ;).

Having said that I can follow the commits here. And the changes make sense to me.

@LukasReschke
Copy link
Copy Markdown
Member Author

LukasReschke commented Jan 9, 2016

Needs some more love to prevent shuffling the entries. Setting back to 2.

@LukasReschke LukasReschke force-pushed the use-hmac-over-encryption branch 3 times, most recently from 86b5842 to 01a9bab Compare February 3, 2016 14:04
@LukasReschke LukasReschke force-pushed the use-hmac-over-encryption branch 2 times, most recently from f37fd5e to c3f18f8 Compare February 4, 2016 00:27
@PVince81
Copy link
Copy Markdown
Contributor

PVince81 commented Feb 5, 2016

@PVince81
Copy link
Copy Markdown
Contributor

PVince81 commented Feb 5, 2016

  • TEST: regular encryption/decryption/overwrite
  • TEST: upgrade with old encrypted files, files can still be read
  • TEST: overwriting old encrypted files switches the encryption to the new mode

@PVince81
Copy link
Copy Markdown
Contributor

PVince81 commented Feb 5, 2016

Code looks good.

@LukasReschke LukasReschke force-pushed the use-hmac-over-encryption branch from c3f18f8 to 0a177de Compare February 8, 2016 19:36
@LukasReschke LukasReschke force-pushed the use-hmac-over-encryption branch from 0a177de to f060288 Compare February 8, 2016 19:43
@LukasReschke LukasReschke force-pushed the use-hmac-over-encryption branch from f060288 to d00628f Compare February 8, 2016 20:37
LukasReschke and others added 20 commits February 9, 2016 23:43
@LukasReschke
Use AES-256-CTR as default
d25b8da 
CTR is recommended over CFB mode.
@LukasReschke
Use an actual 16 byte long IV
59ebad0 
The previous IV was actually 12 byte extended to 16 byte using base64. As the encrypted file should be fine with containing binary data as well we can simply remove the encoding like that here.
@LukasReschke
Add note about the addPadding function
db8f267
@schiessle @LukasReschke
sign all encrypted blocks and check signature on decrypt
40a5ba7
@schiessle @LukasReschke
make it backward compatible to work with signed and un-signed files
cf3a8f2
@schiessle @LukasReschke
always use default cipher for write operations, no matter how the fil…
e7ff84d 
…e was encrypted before
@schiessle @LukasReschke
meta data are at the end of the file
61dd191
@LukasReschke
Use random_bytes instead OpenSSL
b9ff164
@schiessle @LukasReschke
fixing unit tests
9bb97c7
@LukasReschke
Use hash with appended "a" of the original password for the authentic…
3b62459 
…ation
@LukasReschke
Clarify documentation
d5c1596
@LukasReschke
Keep track of file version
b5824f0 
This way it is not possible anymore for an external storage admin to put up old versions of the file.
@LukasReschke
Use number of chunk for HMAC as well
3badf5c 
Prevents switching single blocks within the encrypted file.
@LukasReschke
Use database for keeping track of the version
5ccb9df
@LukasReschke
realPath should contain the path to the file we want to read, e.g. th…
966eb4b 
…e version and not the original file
@LukasReschke
Check if partial cache entry or not in encryption wrapper
3736f13
@LukasReschke
don't decrease ->version for part files but only a local variable, ot…
377d7fb 
…herwise it can happen that we decrease it twice and end up with the wrong value
@LukasReschke
Use cache and add tests
6724f76
@LukasReschke
Use cache update instead of put for encryption version
45c7847 
Saves a call to fetch the file id which didn't even work for a reason.

This fix properly sets the version in the database.
@LukasReschke
Add tests for setVersion
ca35029
@LukasReschke LukasReschke force-pushed the use-hmac-over-encryption branch from da41a85 to ca35029 Compare February 9, 2016 22:43
LukasReschke added a commit that referenced this pull request Feb 9, 2016
@LukasReschke
Merge pull request #21557 from owncloud/use-hmac-over-encryption
53d57bf 
Add integrity protection using Encrypt-Then-MAC to default encryption module
@LukasReschke LukasReschke merged commit 53d57bf into master Feb 9, 2016
@LukasReschke LukasReschke deleted the use-hmac-over-encryption branch February 9, 2016 22:45
@schiessle schiessle mentioned this pull request Feb 10, 2016
Closed
@LukasReschke LukasReschke mentioned this pull request Feb 10, 2016
Closed
@schiessle schiessle mentioned this pull request Feb 22, 2016
Merged
@lock
Copy link
Copy Markdown

lock Bot commented Aug 7, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock Bot locked as resolved and limited conversation to collaborators Aug 7, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

4 - To release enhancement security

Projects

None yet

Milestone

9.0

Development

Successfully merging this pull request may close these issues.

8 participants

@LukasReschke @mention-bot @karlitschek @rullzer @PVince81 @nickvergessen @schiessle @DeepDiver1975