Wuala update
After my earlier post concerning Wuala I was contacted by Dominik Grolimund, the CEO of Wuala, who provided me with additional information and asked me to post an update.First, the comment I quoted from Dominik's interview with Allan Stern concerning the CIA and "top secret" was a mistake, and the interview has already been corrected to replace "used by the CIA for top secret files" with "state-of-the-art encryption" (which is a fairly reasonable thing to say about AES at least). I wish reporters were so accommodating when I pointed out mistakes in their stories!
Second, Dominik provided some of the details which, while critical to the overall security of a system, weren't mentioned on the Wuala website:
- Wuala is (currently) using AES-128 in the ECB (electronic codebook) mode of operation, apparently because of its advantage in terms of seekability. This is really bad -- it allows an attacker to recognize repeated blocks of data -- and the same seekability can be obtained by using AES-128 in CTR (counter) mode. (In fact, even cipher block chaining is seekable for reads). Dominik tells me that this will be changed.
- Wuala is using SHA-256 to verify the integrity of files. This sounds good at first, but then the question arises as to how the integrity of the SHA-256 hashes will be verified. Right now it seems that the SHA-256 hashes are being stored on Wuala's servers, along with other file metadata -- which is fine if you trust Wuala, all of Wuala's employees, any data centre technicians who might have access to their servers, et cetera. Obviously I'm a bit skeptical about this, and one of my design principles in tarsnap is that it should never be possible for the server to tamper with users' files. Hopefully Wuala will start signing files directly to fix this problem.
- Apparently Wuala relies upon a key which is generating by hashing a username and password. Obviously weak passwords are a danger, but dictionary attacks can be made far more difficult by using a smarter key generation function -- specifically, one which is slow. The longer it takes to convert a password into a key, the longer it will take for a dictionary attack to work -- and while nobody is going to care if it takes 5 milliseconds instead of 5 microseconds to compute their encryption key from the password they just entered, slowing down an attacker from six CPU-years to six thousand CPU-years in his search for keys with 45 bits of entropy might just make him think twice. It sounds like Wuala will be switching to a slower key generation function soon.
- Key management in Wuala is performed using a nifty but rather complex system called Cryptree. I like the overall design of this system, but I worry that it might be pushing into the realm of "too complex to get right the first time" -- in cryptography, just like every other area of computing, more lines of code inevitably means more bugs and more potential security flaws.
Overall, I can't say that my correspondence with Dominik has made me eager to try out Wuala as it currently exists. On the positive side, as Dominik has pointed out, they're still in alpha testing, and have lots of time to get the security details right before Wuala enters widespread use. Dominik certainly seems interested in fixing the problems (which is more than I can say for certain other people) so we'll have to wait and see -- hopefully the Wuala website will be updated at some point to describe how all of these issues are being addressed, so that Wuala's security can be assessed without needing to get into an email exchange.
UPDATE 2008-11-07: Wuala's security has significantly improved.
Happy birthday Portsnap!
Three years ago today, I announced the availability of the first version of FreeBSD Portsnap. Almost a year later, in August 2005, Portsnap was added to the FreeBSD base system, and since then it has grown to four official mirrors and now supports almost 40 thousand users -- not bad for a three year old. Happy birthday Portsnap!
Wuala: Willful ignorance, or fraud?
Like most people working in the areas of cryptography and computer security, I come across wild and unsubstantiated claims quite frequently. In early 1999, Bruce Schneier famously provided a list of nine signs that you might be dealing with cryptographic snake oil; unfortunately, snake oil has become more sophisticated, and even the crypto-illiterate have become buzzword-literate, so separating the good from the bad has become far more difficult in the past 8 years.Earlier today, I came across an interview between Allan Stern and Dominik Grolimund, the CEO of the online storage and file-sharing startup Wuala. Partway through, I found the following question and answer (italics are mine):
Allen: Can you discuss the security - if I upload files and they are stored on another person's computer, can they access my files?
Dominik: No, they can't, not at all! Privacy is a very important issue for us. All files are encrypted on your computer, before anything is uploaded. All encryption and decryption performed locally (again an advantage if you have software running on the client). Your password never leaves your computer, so that no one, not even our team can see what files you store or share with friends. In Europe, privacy is an important issue and we think that everyone should have a place where he can store files privately. A lot of people are concerned if all their data is stored on servers of big corporations, which is why a lot of users do not use Gmail etc. In our system, everything is encrypted and the encryption is used by the CIA for top secret files.
This brings to mind Schneier's Warning Sign #7 -- Unsubstantiated claims -- and his reference to companies which claim "military-grade" security. Moving to the Wuala website, I find the following edifying paragraph:
Security is a key design issue in Wuala: All files stored in Wuala are encrypted and all cryptographic operations are performed locally. Your password never leaves your computer - so no one, including us, can access your files unless you publish them. Wuala employs the 128 bit AES algorithm for encryption and the 2048 bit RSA algorithm for authentication.
This immediately indicates that Dominik's claim of "used by the CIA for top secret files" is bogus: The US Committee on National Security Systems Policy No.15 states that "TOP SECRET information will require use of either the 192 or 256 [bit] key lengths [of AES]". Since 128-bit AES is not 192-bit AES or 256-bit AES, the cryptography used by Wuala may not be used by any US Governmental agency for top secret files.
More important than what the Wuala website says, however, is what it doesn't say. A block cipher algorithm is only one small component of a complete encryption system: As the aforementioned Policy No.15 comments, "NSA-approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure". Even if you're not planning on using an encryption system for protecting classified information, it's worth listening to the NSA; Wuala's security depends on all of the following factors, none of which are disclosed:
- In which mode of operation are they using AES? Some modes (e.g., cipher block chaining) are good; others (e.g., electronic codebook) aren't.
- How does Wuala ensure that initialization vectors (or nonces) will not be reused inappropriately?
- Does Wuala protect the integrity of stored information, in addition to protecting (or trying to protect) the confidentiality of said information?
- How is the AES encryption key generated? If it is generated from a password, what mechanisms are used to prevent dictionary attacks?
- Are the implementations of the encryption primitives used secure against side channel attacks?
- What steps have been taken to ensure that "dumb bugs" (buffer overflows, integer overflows, off-by-one bugs, etc.) aren't exploitable by an attacker?
All told, I think Diminik Grolimund falls more into the category of "willfully ignorant" -- he doesn't understand cryptography, and he apparently hasn't made any attempt to consult people who do. But whether he's deliberately lying about the security of Wuala of actually believes what he claims -- that the encryption used by Wuala is used by the CIA for top secret files -- doesn't really matter in the end: If you care about your data, don't trust him with it.
UPDATE 2007-10-26: See my more
recent post for more information about Wuala.
UPDATE 2008-11-07: Wuala's security
has significantly improved.
Portsnap builds back online
Portsnap builds were offline over the weekend due to a hardware failure. As a result, the portsnap mirrors were not being updated; systems which ran portsnap would update to 2007-09-29 09:40 UTC, and thereafter report "No updates needed / Ports tree is already up to date".The failed hardware has been dealt with and portsnap builds are now running again, so portsnap should now return to being within 1-2 hours of cvsup-master's ports tree.