Comments on: Jungle Disk http://www.jwsecure.com/dan/2008/08/28/jungle-disk/ Security, information technology, business Sun, 14 Mar 2010 20:12:42 +0000 http://wordpress.org/?v=2.6.5 By: JungleDave http://www.jwsecure.com/dan/2008/08/28/jungle-disk/#comment-850 JungleDave Fri, 29 Aug 2008 00:52:22 +0000 http://www.jwsecure.com/dan/2008/08/28/jungle-disk/#comment-850 The default to standard (SSL, no bucket password) security is simple: The greatest "risk" to most users is that they forget their password. When that happens there is no recovery and all data is lost. For those users who want added security and can take responsibility for remembering their password, that option is available. Regarding MD5 for key generation - note that it does not simply use a hash of the password (which would limit the key size). Rather, MD5 is used as an input to a PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2) key generation function, which allows you to extract as many bits of key data as needed (randomness limited only by the length of your pass phrase). Of course, most users have no where near 256 bits, or even 128 bits of randomness in their pass phrase, but we don't limit your choice in that area. The default to standard (SSL, no bucket password) security is simple: The greatest “risk” to most users is that they forget their password. When that happens there is no recovery and all data is lost. For those users who want added security and can take responsibility for remembering their password, that option is available.

Regarding MD5 for key generation - note that it does not simply use a hash of the password (which would limit the key size). Rather, MD5 is used as an input to a PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2) key generation function, which allows you to extract as many bits of key data as needed (randomness limited only by the length of your pass phrase). Of course, most users have no where near 256 bits, or even 128 bits of randomness in their pass phrase, but we don’t limit your choice in that area.

]]> By: dan http://www.jwsecure.com/dan/2008/08/28/jungle-disk/#comment-849 dan Thu, 28 Aug 2008 18:55:19 +0000 http://www.jwsecure.com/dan/2008/08/28/jungle-disk/#comment-849 Well, the default lack of a user password is definitely the weakest link. If the user provides a password, it's still probably the weakest link, depending. I'm uncomfortable with calling MD5 "excellent" or "a good choice" in any situation, cryptographic or otherwise, based on what's published, except as a compromise for backward-compatibility. Also, when Jungle Disk switched to AES (I saw an early reference to RC4), MD5 became a bad choice even assuming its best-case collision space. That is, there's a 128-bit (at least) key space cipher with a 64-bit (effective) key space hash. Most would agree that SHA-256 is currently the proper choice for supporting 128-bit keys. And it's supported by both .NET and OpenSSL. Well, the default lack of a user password is definitely the weakest link. If the user provides a password, it’s still probably the weakest link, depending.

I’m uncomfortable with calling MD5 “excellent” or “a good choice” in any situation, cryptographic or otherwise, based on what’s published, except as a compromise for backward-compatibility.

Also, when Jungle Disk switched to AES (I saw an early reference to RC4), MD5 became a bad choice even assuming its best-case collision space. That is, there’s a 128-bit (at least) key space cipher with a 64-bit (effective) key space hash.

Most would agree that SHA-256 is currently the proper choice for supporting 128-bit keys. And it’s supported by both .NET and OpenSSL.

]]> By: JungleDave http://www.jwsecure.com/dan/2008/08/28/jungle-disk/#comment-848 JungleDave Thu, 28 Aug 2008 18:14:34 +0000 http://www.jwsecure.com/dan/2008/08/28/jungle-disk/#comment-848 Thanks for the review! A note on the use of MD5 for key generation - MD5 has been shown to have collisions, which makes it bad for use as a cryptographic signing hash. However, as a hash algorithm it is still considered excellent, which makes it a good choice for key generation. Thanks for the review! A note on the use of MD5 for key generation - MD5 has been shown to have collisions, which makes it bad for use as a cryptographic signing hash. However, as a hash algorithm it is still considered excellent, which makes it a good choice for key generation.

]]>