acmeattic-devel team mailing list archive

Thread
Date

Re: Encryption blueprint

To: Aditya Manthramurthy <aditya.mmy@xxxxxxxxx>
From: Karthik Swaminathan Nagaraj <nkarthiks@xxxxxxxxx>
Date: Sun, 11 Jul 2010 11:13:35 -0400
Cc: acmeattic-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4C396FFB.8060907@gmail.com>

On Sun, Jul 11, 2010 at 3:17 AM, Aditya Manthramurthy
<aditya.mmy@xxxxxxxxx>wrote:

> On Sunday 11 July 2010 08:42 AM, Karthik Swaminathan Nagaraj wrote:
>
>> I created our first blueprint! :)
>> Take a look at it and the specification details on the Wiki.
>>
>>
> Thanks for writing it. We can restrict the encryption features for the
> first alpha release to include only server authentication (TLS), client
> authentication, and data encryption. Data encryption will involve secure
> per-file AES key creation and encryption.
>
> The AES key creation for a user from the password is a feature intended for
> the client challenge authentication (like in spideroak). I think we can keep
> this for a future alpha release. I have made changes to this effect on the
> blueprint.
>

I think there is a miscommunication in terms of what the AES key is
functioning in this context.
As per our earlier discussions, each user has a Master-key file, which is
encrypted and stored on the server. The symmetric key used to encrypt the
Master key file is what I refer as the "user's AES key". It should be
possible to generate this key independently from any machine, irrespective
of machine crashes.
My proposal to *find* this key is to use a consistent hashing mechanism such
as SHA256. On the client, as soon as the user enters the passord, the
plaintext password is hashed to produce his AES key of 256bits in size.

This is how Spider Oak and many other authentication schemes handle
passwords and keys. The confusion is - this is absolutely necessary for the
client application in the first release, and is pretty straightforward and
simple. If you read the SpiderOak documentation, their method to retrieve
the *assymmetric key pair* is to authenticate a machine another time. This
functionality can be added at a future release.

>
>
> --
> Aditya.
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~acmeattic-devel<https://launchpad.net/%7Eacmeattic-devel>
> Post to     : acmeattic-devel@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~acmeattic-devel<https://launchpad.net/%7Eacmeattic-devel>
> More help   : https://help.launchpad.net/ListHelp
>

-- 
Karthik

Follow ups

Re: Encryption blueprint
From: krishnan parthasarathi, 2010-07-12

References

Encryption blueprint
From: Karthik Swaminathan Nagaraj, 2010-07-11
Re: Encryption blueprint
From: Aditya Manthramurthy, 2010-07-11