[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: AW: [Issue 4145] Master passphrase and encrypted credentials cache

From: Greg Stein <gstein_at_gmail.com>
Date: Tue, 27 Mar 2012 11:46:50 -0400

On Mar 27, 2012 10:10 AM, "Markus Schaber" <m.schaber_at_3s-software.com>
wrote:
>
> Hi, Gregs,
>
> Von: Greg Stein [mailto:gstein_at_gmail.com]
>
> > On Mon, Mar 26, 2012 at 11:45, Greg Hudson <ghudson_at_mit.edu> wrote:
> > >...
> > > Unfortunately, there's more complexity in an encrypted password store
> > >than you probably anticipated, and it's definitely possible to lose
> > >some or most of your intended security properties if you get it wrong.
> > >
> > > The choice of best cipher algorithm today is very simple (AES,
> > > although you'll have to pick the key size from 128/196/256 bits), but
> >
> > AES-256 in CBC mode was my buddy's suggestion.
>
> I hope that expert really is an expert.

Yes, he is. John Viega. Thanks for not trusting me. :-/

>
> Playing with crypto on your own is never a good idea.

I am well aware, thank you. That is precisely why I talked to John about
the scenario in my personal project. He responded with design info for
svn's scenario, but then tweaked his response a bit when I mentioned I had
no master passphrase. IOW, we already have some expert advice for what svn
is trying to do.

> So we really should have good reasons to do it on our own, and then try
very hard to make sure that we do it "right". :-)

What do you think we're already doing?

>...
> We could use some marker-tag or header naming the algorithm, so upgrades
can be done in a future-proof way, but actually implementing one single
algorithm should be enough.

No need for a tag. It is specified by the design. A tag gives you no extra
data.

> > > If you don't use CTR mode, you'll need to pick a reversible padding
> > > function for the plaintext so that it matches a multiple of the
> > > cipher's block size. This is pretty simple.
> >
> > In my wiki update, I mentioned 32 bits of random prefix (makes
dictionary
> > attacks even harder), and pad with NUL characters. AES uses
> > 16 byte blocks, and keys of 16/24/32 bytes.
>
> Padding with NUL characters opens a known plaintext window at the end of
the passphrase. Maybe it's better to pad with random characters.

Then you need a length. Either way, I don't care.

>
> Hmm, I remember someone saying it's not easy to get crypto right, right?
:-)

Oh, shut up already. I know that.

-g
Received on 2012-03-27 17:47:23 CEST

This is an archived mail posted to the Subversion Dev mailing list.