On 1/21/2014, 12:40 PM, Brian Warner wrote:
> On 1/19/14 9:07 PM, Nick Alexander wrote:
>> I don't think we need to take any action other than to update the
>> onepw docs.
> Updated.. please let me know if this should be better.
> https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol#crypto-notes
> """ There is no MAC on wrap(kB). If the keyserver chooses to deliver
> a bogus wrap(kB) or kA, the client might discover the problem a
> moment later when it attempts to use the key, or not, depending upon
> the high-level protocol. Sync, our first client, uses the tuple of
> (email, hash(kB), cert-generation-number) to identify a pool of
> stored user data. So Sync clients which receive a corrupt key will
> find themselves in an isolated pool, and will believe themselves to
> be the only device connected to their Sync account.
> It might be useful to add a checksum to kA and wrap(kB) to detect
> accidental corruption (e.g. store and deliver kA+SHA256(kA), or
> wrap(kB)+HMAC(unwrapBkey, wrap(kB))), but this doesn't protect
> against intentional changes, and a MAC on kB would introduce an
> additional oracle to feed a dictionary attack. We omit this checksum
> for now, assuming that disks will be reliable enough to let us never
> experience such failures.
> """
wfm. Thanks, Brian.
Nick
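
The failure mode and the checksum idea from the quoted crypto notes, as an added example that is not part of the original thread or of fxa-auth-server. It assumes wrap(kB) is kB XOR unwrapBkey and that hash(kB) is SHA-256; all function names and key values are constructed for illustration.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Assumption: wrap(kB) = kB XOR unwrapBkey (the quoted notes do not define wrap()).
def unwrap(wrapped: bytes, unwrap_b_key: bytes) -> bytes:
    return xor(wrapped, unwrap_b_key)

def pool_id(email: str, kB: bytes, generation: int) -> tuple:
    # The tuple (email, hash(kB), cert-generation-number); SHA-256 is assumed.
    return (email, hashlib.sha256(kB).hexdigest(), generation)

def seal_kA(kA: bytes) -> bytes:
    # kA + SHA256(kA), as suggested in the notes.
    return kA + hashlib.sha256(kA).digest()

def seal_wrapped_kB(wrapped: bytes, unwrap_b_key: bytes) -> bytes:
    # wrap(kB) + HMAC(unwrapBkey, wrap(kB)), as suggested in the notes.
    return wrapped + hmac.new(unwrap_b_key, wrapped, hashlib.sha256).digest()

def open_kA(blob: bytes) -> bytes:
    kA, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hashlib.sha256(kA).digest(), tag):
        raise ValueError("kA checksum mismatch")
    return kA

def open_wrapped_kB(blob: bytes, unwrap_b_key: bytes) -> bytes:
    wrapped, tag = blob[:-32], blob[-32:]
    expected = hmac.new(unwrap_b_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrap(kB) checksum mismatch")
    return unwrap(wrapped, unwrap_b_key)

def corrupt(data: bytes) -> bytes:
    # Simulate a single-bit storage error in the first byte.
    return bytes([data[0] ^ 0x01]) + data[1:]

# Constructed sample values, not real keys.
UNWRAP_B_KEY = hashlib.sha256(b"constructed unwrapBkey").digest()
KB = hashlib.sha256(b"constructed kB").digest()
KA = hashlib.sha256(b"constructed kA").digest()
WRAPPED_KB = xor(KB, UNWRAP_B_KEY)

if __name__ == "__main__":
    bad_kB = unwrap(corrupt(WRAPPED_KB), UNWRAP_B_KEY)  # unwraps without any error
    same = pool_id("user@example.com", KB, 1) == pool_id("user@example.com", bad_kB, 1)
    print("same pool after corruption:", same)
```

Without the checksum the corrupted value unwraps silently and lands the client in a different pool; with it, `open_kA` and `open_wrapped_kB` raise instead. As the notes say, this catches accidental corruption only.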