Pwncloud – bad crypto in the Owncloud encryption module

Hanno's Blog

Monday, April 4. 2016

Trackbacks

efail: Outdated Crypto Standards are to blame
I have a lot of thoughts about the recently published efail vulnerability, so I thought I'd start to writeup some of them. I'd like to skip all the public outrage about the disclosure process for now, as I mainly wanted to get into the techni
Weblog: Hanno's blog
Tracked: May 22, 23:08

Comments

"The second fix then included a counter of the file and also avoided attacks where an attacker can go back to an earlier version of a file."

It sounds like you might be able to truncate a file, unless they also include & authenticate a 'how many chunks are in the file' indicator, or a 'this is the last chunk' indicator. But you mentioned that earlier as an attack so maybe not.

Two authenticated chunking+streaming protocols I've seen are https://github.com/kaepora/miniLock/blob/master/README.md#-minilock and https://saltpack.org/ - I wish someone would prove their construction.
#1 Tom on 2016-04-04 14:23
Did you look at seafile (one of the main alternatives)? It encrypts client side, which is a big plus, and uses C++ code for the client. It does support server side decryption for the web interface, but this may be delegated to the (C) daemon.
#2 allo on 2016-04-04 19:01
Server side encryption also protects against temporary exposure of stored data, such as a server breach that is detected and mitigated, or a copy of backups going wandering. Thus, the threat model is somewhat more realistic than you suggest.

Client side encryption before upload would obviously be better for certain other models of cloud storage, of course.

Assuming they include the 8192 byte chunk offset in the CTR IV, protection against moving chunks around would be there, too. (In addition to whatever EtM they do.)
#3 Jon W on 2016-04-11 01:12
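Comment #1 (truncation is only caught if an authenticated "last chunk" indicator exists) and comment #3 (binding the chunk offset into the IV stops chunks from being moved) describe two sides of the same construction. The following is an added example written for this page, not code from the blog post, from the Owncloud encryption module, or from miniLock or saltpack: a chunked AES-GCM container in Go. Everything about its layout is an assumption made here: a version counter, one GCM ciphertext (tag included) per 8192-byte chunk (the size taken from comment #3), a nonce of version and chunk index, and a key that is unique per file (Owncloud does use a file key, but this example does not reproduce its format). AES-GCM stands in for the AES-CTR plus encrypt-then-MAC the comments discuss. Chunk index, version and a final-chunk flag are never read from the stored file; they are derived from the chunk's position and the version the caller expects and authenticated as associated data, so dropping the last chunk, swapping two chunks or serving an older version all fail the tag check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const ChunkSize = 8192 // the 8192-byte chunk size mentioned in comment #3

// SealedFile is the constructed container: a version counter and one AES-GCM ciphertext per chunk.
type SealedFile struct {
	Version uint32
	Chunks  [][]byte
}

// nonce = 0x00*4 || version || index; unique only if the key is per file and the version never repeats.
func nonce(version, index uint32) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[4:8], version)
	binary.BigEndian.PutUint32(n[8:], index)
	return n
}

// aad binds a chunk to the version (rollback), its index (reordering) and a final flag (truncation).
func aad(version, index uint32, last bool) []byte {
	a := make([]byte, 9)
	binary.BigEndian.PutUint32(a[0:4], version)
	binary.BigEndian.PutUint32(a[4:8], index)
	if last {
		a[8] = 1
	}
	return a
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts in ChunkSize pieces; an empty file still gets one empty final chunk.
func Seal(key []byte, version uint32, plaintext []byte) (*SealedFile, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	sf := &SealedFile{Version: version}
	for i := uint32(0); ; i++ {
		start, end := int(i)*ChunkSize, int(i+1)*ChunkSize
		last := end >= len(plaintext)
		if last {
			end = len(plaintext)
		}
		sf.Chunks = append(sf.Chunks, aead.Seal(nil, nonce(version, i), plaintext[start:end], aad(version, i, last)))
		if last {
			return sf, nil
		}
	}
}

// Open verifies, then decrypts. expectedVersion must come from state the attacker cannot roll back
// (e.g. a counter kept with the key); a stored Version field rewritten to match fails the tags instead.
func Open(key []byte, expectedVersion uint32, sf *SealedFile) ([]byte, error) {
	if sf.Version != expectedVersion || len(sf.Chunks) == 0 {
		return nil, fmt.Errorf("rejected: version %d with %d chunks, expected version %d with at least one chunk", sf.Version, len(sf.Chunks), expectedVersion)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for i, ct := range sf.Chunks {
		last := i == len(sf.Chunks)-1
		pt, err := aead.Open(nil, nonce(sf.Version, uint32(i)), ct, aad(sf.Version, uint32(i), last))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: tag check failed (truncated, moved or modified)", i)
		}
		out.Write(pt)
	}
	return out.Bytes(), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)           // constructed demo key; per file in real use
	data := bytes.Repeat([]byte("pwncloud "), 3000) // constructed 27000-byte file, four chunks
	sf, _ := Seal(key, 1, data)
	_, err := Open(key, 1, &SealedFile{Version: 1, Chunks: sf.Chunks[:3]}) // final chunk dropped
	fmt.Println("truncated:", err)
	_, err = Open(key, 1, &SealedFile{Version: 1, Chunks: [][]byte{sf.Chunks[1], sf.Chunks[0], sf.Chunks[2], sf.Chunks[3]}})
	fmt.Println("swapped:", err)
	_, err = Open(key, 2, sf) // an old version served where version 2 is expected
	fmt.Println("rolled back:", err)
}
```

Two caveats the code comments only hint at. The rollback check is only as good as the source of expectedVersion: if the expected version is stored next to the file, the attacker rolls both back together and the check catches nothing. And because the nonce is built from version and index rather than drawn at random, sealing two different contents under the same file key and version reuses a GCM nonce, which breaks confidentiality and forgeability at once; a per-file key and a strictly increasing version counter are the assumptions this example rests on.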
It is amazing how many folks would rather invent some broken crypto approach, rather than use a simple working AEAD design like the one in Inferno (http://SecurityDriven.NET/inferno/).
#4 Inferno on 2016-04-11 14:17


About

This blog is written by Hanno Böck. Unless noted otherwise, its content is licensed as CC0.
