RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

End to end encryption, insufficient iterations when deriving master key #12993

Open larixer opened 5 years ago

larixer commented 5 years ago

Hi There,

Right now, according to this code, 1000 iterations are used for PBKDF2 to derive the master key for encrypting the private RSA key of the user and storing it in the DB: https://github.com/RocketChat/Rocket.Chat/blob/develop/packages/rocketchat-e2e/client/helper.js#L86 Please correct me if I am looking in the wrong place. This weakens protection from offline attacks when an adversary has stolen the database and tries to guess user passwords. He can guess a password, do 1000 iterations of PBKDF2 to get a probable master key, and then try to decrypt the user's RSA private key and check if it corresponds to the user's RSA public key.

According to section 5.1.1.2 of https://pages.nist.gov/800-63-3/sp800-63b.html#sec5 the NIST recommends at least 10000 iterations: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

geekgonecrazy commented 5 years ago

@rocketchat/core what do you guys think? Any reason not to increase iterations?

rodrigok commented 5 years ago

@vlasenko thanks for your report.

But that is not the case: the password is not stored in any place, even encrypted. We only store the private key encrypted using the encrypted password, so in that case an attacker doesn't have access to the encrypted password to try to discover the password.

Does this make sense?

larixer commented 5 years ago

@rodrigok Yes, and the iteration count matters for this case. I have described the attack for this case, when you store the private key encrypted with the derived master key, in the first post of this issue.

rodrigok commented 5 years ago

@vlasenko I missed some parts. Ok, I'll take this into consideration.

larixer commented 5 years ago

@rodrigok Thank you!

rodrigok commented 5 years ago

Just describing a possible solution to migrate the ones using 1k iterations:

larixer commented 5 years ago

@rodrigok Yes, this migration path looks good to me too.

sampaiodiego commented 5 years ago

Looks good. I'll schedule this for the next release.

GoetheG commented 5 years ago

Are there any news regarding this matter? I still don't know whether to use the end-to-end encryption or not. The apps for desktop and mobile say that it's still in alpha status. When will there be a beta version? Does anybody have further information?

geekgonecrazy commented 4 years ago

@rodrigok With mobile getting e2e support, I imagine we are wanting to move e2e forward in status, maybe to beta? Should this be addressed?

rodrigok commented 4 years ago

@geekgonecrazy We will not change the status yet; we need to reevaluate everything and make some changes to promote it to a more stable version. The mobile implementation is just a missing part getting support.