Open KarimPwnz opened 3 years ago
This is a good point to bring up. I'm completely open to discussion, so this seems like a good place to do it.
You're absolutely right that the current implementation isn't really a salt. It's fixed for all journals, and in no way increases the difficulty of a pre-computed attack on a journal file.
In the past, I've sided against moving the salt into the config file (to make it actually a salt) for a few reasons:
--decrypt
and --encrypt
over and over again with the same password, and be confident they'll always be able to decrypt that journal with that password, even if they restore from a backup. If there's a salt in the config, it would change each time --encrypt
is run. So now a user has to keep track of exactly when a backups was taken, and sync the config file with the journal itself. And since the config is most often kept in a separate location from the journal files, we risk a user not backing up the config, and rendering their backups useless.That all being said, I'm not against salts, but would want to be absolutely sure we're addressing all of these points if and when we implement them.
I think my proposal deals with some ideas in points 1 to 3 by storing the salt in the journal instead of the config file. Additionally, for backwards compatibility, I think us changing #1107 already breaks it.
However, I do acknowledge that point 4 is significant: rainbow tables are no longer as feasible; as you said, timestamps do almost act as salts.
Still, pedantically, I disagree on point 5. If it weren't the case that timestamps were prepended, a rainbow table could be generated by running password lists (such as rockyou.txt) through jrnl's encryption function and creating decryption keys. Nevertheless, since point 4 is significant enough, I do not think salting is entirely necessary. Perhaps the only change I could motivate now is to rename the variable from salt
to pepper
. Other than that, you've convinced me.
I think my proposal deals with some ideas in points 1 to 3 by storing the salt in the journal instead of the config file. Additionally, for backwards compatibility, I think us changing #1107 already breaks it.
Yes, you're right. I'm not sure where I got the config file storage in my head from (it must have been an earlier conversation with someone else). Sorry about that!
I do agree that #1107 already breaks it, so if we do implement this, it should be at the same time as that issue. Sounds like we're on the same page about that, but I wanted to clarify it here for anyone that stumbles into this issue.
Still, pedantically, I disagree on point 5. If it weren't the case that timestamps were prepended, a rainbow table could be generated by running password lists (such as rockyou.txt) through jrnl's encryption function and creating decryption keys.
I definitely meant point 5 in context of point 4. Sorry if I wasn't clear about that. This is still a good point to bring up, though, so thank you for that. It's always good to have more sets of eyes on jrnl's security.
Nevertheless, since point 4 is significant enough, I do not think salting is entirely necessary. Perhaps the only change I could motivate now is to rename the variable from
salt
topepper
. Other than that, you've convinced me.
I'm always for more clarity in our codebase, so renaming this pepper is great for now. In the long term (if/when we change the jrnl storage format), we'll either remove it entirely, or add a salt in the file.
Awesome. I'll push the pepper change and some comments clarifying the implementation.
Wait... @wren, I am not sure point 4 is right. Fernet
does have a timestamp as part of the token that it generates, but that has nothing to do with the hash. The timestamp is not meant to add cryptographic strength (it only exists to track expiry, etc.). Further, the timestamp is not involved in the hashing, so dictionary and rainbow table attacks are certainly possible. And on second thought, I am not sure how prepending a timestamp to a hash wouldn't break everything.
As such, I am again convinced that implementing a rotating salt is necessary.
Hrmm, I think I misunderstood how fernet works. Thanks for pointing this out! I think you're right that this merits reimplemenation.
Either way, I'm fine with salts as long as our implementation 1. stores it in the journal file, and 2. we only make the change at the same time as a storage format change.
Since we're discussing changing the storage format in #1107, perhaps we could implement proper salting. Currently, encrypted journals use a hard-coded salt that is passed into
PBKDF2HMAC
. However, it is not technically a salt but a pepper: a salt is unique for every encryption.To implement this, we should store the unencrypted, base64-encoded salt in the journal file—it is not meant to be secret.