author | Joey Hess <joeyh@joeyh.name> | 2017-04-04 12:30:13 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2017-04-04 12:30:13 -0400 |
commit | 0d52ac5404f4203f5ea8dc13b5dcc30d67eaf444 (patch) | |
tree | 71b5005ba88390f733325bc17c77574ff9e009ae /TODO | |
parent | 97739621230f267ac783bd3d9902eff8cee2ad27 (diff) | |
download | keysafe-0d52ac5404f4203f5ea8dc13b5dcc30d67eaf444.tar.gz |
move item from TODO to doc/todo and reply
Diffstat (limited to 'TODO')
-rw-r--r-- | TODO | 29 |
1 files changed, 0 insertions, 29 deletions
@@ -52,35 +52,6 @@ Wishlist: (Raaz makes this possible to do.) Would be nice, but not super-important, since gpg secret keys are passphrase protected anyway.. -* Don't require --totalshares and --neededshares on restore when unusual - values were used for backup. - - The difficulty is that the number of needed shares cannot be determined by - looking at shares, and guessing it wrong will result in combining - too few shares yielding garbage, which it will take up to an hour to - try to decrypt, before it can tell that more shares are needed. - - This could be dealt with by including the number of needed shares in the - serialization of Share, but then an attacker could use it to partition - shares from servers. If only one person uses --neededshares=5, - the attacker can guess that all their shares go together. - - What about including the number of needed shares in the name? Since that's - hashed, it's not visible to an attacker. Keysafe would need to try names - with 2 shares, then 3, etc, and once it found shares, it would know the - number needed. It should also be possible to avoid breaking backwards - compatability, by only including the number of shares in the name when - it's not the standard number. To avoid needing to re-run argon2 for each - try, the argon2 hash of the name could be calculated first, and then the - number of needed shares appended before the final sha256 hash is - generated. - - If an attacker is able to guess the name, and a nonstandard number of - shares was used, the attacker could upload other objects where they would - be found before the real objects. This could be used to prevent - restore from working. (It also makes a malicious data attack (as described - in https://keysafe.branchable.com/details/) possible by attackers who do not - control the servers. Encryption tunables changes: |
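Review bot: this diffstat is limited to TODO, so only the 29-line deletion is visible and the matching addition to doc/todo that the commit message describes cannot be checked here; before merging, confirm the moved copy keeps the full reasoning of the removed item, in particular the security analysis (embedding the needed-share count in the serialized Share would let an attacker partition shares by user, and a guessable name with a nonstandard share count would let an attacker pre-upload objects to block restore or mount the malicious data attack described at https://keysafe.branchable.com/details/), since the "reply" referenced in the commit message presumably builds on it. Also, the final removed paragraph has an unbalanced parenthesis: "(It also makes a malicious data attack (as described in https://keysafe.branchable.com/details/) possible by attackers who do not control the servers." is never closed, which is worth fixing in the moved text.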