Threat model and mitigations for XChaCha20 counter-based encryption #158
Comments
Also use monotonic for session ids Increase counter advance to 2X cadence Issue #158
|
Update: Changed recommendation no. 1 to offer an affirmative and relatively simple solution when using the counter mode. Future... Possibly detect any mundane crash condition during archive writes. This could prevent any further writing (hence preventing nonce reuse) until the user has signaled the system time is correct and the metadata can be advanced. This reduces the gap scenarios to ones where the admin system has had a major upheaval, such as a wipe or (re)install; in those cases the system time would still have to be checked, but Wyng might not be able to tell if it should treat the archive as read-only. Alternately, the counter mode could treat the archive as read-only in any/all cases where it does not already have an established cache of metadata for that archive; a special option would instruct the user to check system time before advancing the metadata and re-establishing the cache. |
The current implementation of encryption includes a combination of XChaCha20 and XChaCha20-Poly1305 ciphers with a counter-based nonce and without any re-keying. This presents a challenge to prevent nonce reuse, so the following steps are taken to protect nonce unique-ness:
Mitigations:
An additional factor is the cadence Wyng uses to update locally-cached files with counter and timestamp info:
During
sendoperations, archive.ini and archive.ini.salt have cadences of 100 and 20, respectively.Relevant mishaps or attacks include:
The causes of these conditions can be explored below, such as when describing a use case scenario in detail to gain better understanding.
Any 1 or 2 of these occurring in one session would not pose a problem. However, all 3 together might allow a nonce reuse situation if the 80-bit rnd repeats values used alongside a set of timestamps + counter values that were sent during and after the affected archive's latest session/snapshot. This would constitute a type of replay attack.
Recommendations:
When using this mode and the system has either recently crashed during a backup or been reset/reinstalled, use
wyng listand note the 'updated' timestamp. Then, check that your current system time is correct.Next, performing any write operation with
send,prune, etc. will advance the archive metadata so as to remove the possibility of nonce reuse.Or alternately, use a different encryption mode that resists nonce reuse
(not yet implemented)recommended by libsodium for XChaCha20: Either a 192-bit rnd or the hash of a rnd + message concat. The choices here may affect the speed ofsendoperations. See documentation forarch-initon selecting the encryption mode.Constructive comments are welcome!
Possible Future Mitigations:
Automatically place the archive into a read-only mode whenever Wyng must fetch metadata root from remote under certain conditions (no metadata in cache, or when cache is older/newer than remote). To return to write mode, user would have to manually vouch that the system clock is correct, and Wyng would respond by updating the metadata root with the current time. This takes the guesswork (or having to remember recommendation no. 1) out of ensuring the safety of counter mode encryption.
Derive nonces strictly from the plaintext's hash value, with no random component. This could offer an interesting trade-off in safety where the downside is further mitigated by Wyng's hierarchical integrity checks (and the fact that repeated chunks can be known by their dedup hardlinks anyway).
Implement Re-keying.
Related issues and commits:
The text was updated successfully, but these errors were encountered: