From 469fc609f22c88928241474ab456eb81cb163edc Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 23 Oct 2016 17:32:56 -0400 Subject: update --- TODO | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/TODO b/TODO index 97da3e0..2c5c26f 100644 --- a/TODO +++ b/TODO @@ -24,7 +24,9 @@ Later: harder for traffic analysis to tell that given TOR traffic is keysafe traffic. * Argon2d is more resistent to GPU/ASIC attack optimisation. - Switching from Argon2i would require new tunables, so deferred for now + Switching from Argon2i would require new tunables, and delay restores + (of keys backed up using the old tunables, and when the user provides the + wrong name) by ~10 minutes, so deferred for now until there's some other reason to change the tunables. Wishlist: @@ -51,4 +53,14 @@ Wishlist: with 2 shares, then 3, etc, and once it found shares, it would know the number needed. It should also be possible to avoid breaking backwards compatability, by only including the number of shares in the name when - it's not the standard number. + it's not the standard number. To avoid needing to re-run argon2 for each + try, the argon2 hash of the name could be calculated first, and then the + number of needed shares appended before the final sha256 hash is + generated. + + If an attacker is able to guess the name, and a nonstandard number of + shares was used, the attacker could upload other objects where they would + be found before the real objects. This could be used to prevent + restore from working. (It also makes a malicious data attack (as described + in https://joeyh.name/keysafe/details/) possible by attackers who do not + control the servers. -- cgit v1.2.3
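Review bot: in the first hunk (the Argon2d item), the new wording reads as if every restore would be slowed by ~10 minutes, when the delay only hits restores that have to fall back to the old tunables, i.e. keys backed up before a switch and attempts where the user typed the wrong name (which must try both tunable sets before failing). Suggest making that explicit, for example "and delay restores that fall back to the old tunables (keys backed up before the change, and wrong-name attempts) by ~10 minutes". Also, the surrounding context line still has "resistent" for "resistant"; since this hunk is already touching the item, fixing the spelling here would be cheap.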
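Review bot: the second hunk records a design idea and, right after it, an attack that the idea enables, but leaves no decision, so the TODO item now reads as both recommended and unsafe. Suggest adding a one-line status (deferred, rejected, or needs a mitigation) after the attack paragraph. On the substance: computing the argon2 hash of the name once and only appending the share count before the final sha256 is exactly what makes the decoy upload cheap for an attacker who has guessed the name, since they pay the argon2 cost once and then derive the names for every share count for free; worth stating that trade-off explicitly, since it is the reason the search order (2 shares, then 3, ...) can be hijacked. A mitigation that fits the visible design is for restore not to stop at the first count where shares are found, but to keep searching and only accept a set of shares that actually reconstructs and verifies the key; otherwise an attacker-placed object at a smaller count both blocks restore and opens the malicious data attack the paragraph links to. Finally, the last sentence opens a parenthesis "(It also makes a malicious data attack ..." that is never closed; add the closing ")" after "control the servers." The context line's "compatability" should be "compatibility".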