Assignee
Mikel Olasagasti Uranga
Type
bug
Priority
critical
Status
resolved
Watchers
2

File Format Magic String / Version mismatch between Docs and Source

hannibal218bc avatarhannibal218bc created an issue

According to http://oss.codepoet.no/revelation/wiki/FileFormatSpec, the magic string every Revelation file should start with, is 0x72766ce0427b ('rvl' + 0xe0427b).

According to the source at http://oss.codepoet.no/revelation/src/6e46fd4aa400/src/lib/datahandler/rvl.py , the header is:

header  = "rvl\x00"              # magic string
header += "\x01"                # data version
header += "\x00"                # separator
header += "\x00\x04\x06"        # application version TODO
header += "\x00\x00\x00"        # separator

As I'd like to be able to open Revelation files on my Android device, I'm investigating the creation of such an app and hence I'd need to know the actual file format definition. Thanks!

Comments (7)

  1. hannibal218bc

    (changed bug summary)

    Upon further investigation, I discovered that the current code takes several shortcuts compared to the documented file format that result, in my opinion, in dramatically decreased security of the file's contents.

    To be specific,

    • only the first 32 characters of the passphrase are used (the rest is thrown away!)
    • the passphase is NOT iterated with SHA1 to derive the encryption key, but used directly as the key to the AES encryption. A dictionary attack on an already weak passphrase (e.g. using only ASCII chars) is even easier this way, as there are only 7 bits (or even less) to vary on each character. Also, the number of characters in the passphrase translates directly to AES key bits (or respectively, all-zero parts of the key for the remaining chars to length 32).

    With this differences from documentation to implementation, I'd not recommend using Revelation for sensitive information.

  3. hannibal218bc

    So both the draft and the current implemenation use a "data version" of 0x01, but are otherwise incompatible.

    In any case would I expect a hint that the current implementation's security is significantly weaker than what the proposal documents.

    Anyways, I'd say the current encryption process is flawed and should be ASAP changed to the proposed data format. Perhaps this should be a different issue; in my opinion, the current file format is everything else but a "single, secure place" -- without any key derivation function, there are just too few variable bits in the encryption key.

  5. hannibal218bc

    Sorry I missed that while exploring Revelation. Yes, Jakob's approach seems cryptographically solid to me.

    The only thing I notice is that although the key-salt is a true 256 bit random from salt = os.urandom(32) , the AES-IV is a weaker one consisting only of ASCII bytes from iv = util.random_string(16) . Probably that should be changed to os.urandom(16) , but I guess it wouldn't do much harm if left as is.

    Thanks for your efforts!

    Why hasn't this been fixed yet? This is a serious security problem.

    For example, recent generations of desktop Intel processors can decrypt a 64 byte buffer (enough to test a key) in under 384 cycles [1]. Running 12 threads concurrently on a high-end desktop PC (6 cores, hyper-threaded, 3.9Ghz) could probably average 70 cycles per key tested, so about 55 714 285 keys/second. Checking to ensure we got the expected output would take a bit more time, so let's say we can only test 25 000 000 keys/second (this is a very conservative estimate).

    Now, if we had to test the entire 256 bit key space at that speed, assuming that AES doesn't have any known cryptographic weaknesses (it does, but the effective key size is still considered good enough), it would take, on average, about 10^61 years.

    However, let's assume that the user has entered a simple, say, alphanumeric (a-z A-Z 0-9) password of 8 characters, and revelation has naively appended null bytes without any salt or key stretching. This will take on average a little more than 7 weeks.

    On customised hardware (FPGA) I wouldn't be surprised if this could be cut down to less than a day. Certainly, given the prospects of accessing someone's bank accounts / saleable confidential information (trade secrets/blackmail fodder), I expect a determined cracker would have no qualms about spending a few thousand dollars on high-end computer hardware.

    Even the 10 000 hash iterations done in Jakob Westhoff's fork is probably not enough given how quickly SHA256 can be parallelised in hardware. It would be much more effective to use a memory-intensive key derivation function (even just appending a large fixed string to the key in each hash iteration would greatly increase the security).

    [1] http://software.intel.com/file/27067

  7. Mikel Olasagasti Uranga

    A new encryption system has been implemented using PBKDF2.

    The user will be informed that a the old system is non-secure and advice to save the file with the new format if it opens an old formated file.

    Will do a new release tomorrow after updating some translations.

  8. Log in to comment »
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.