>
> Maybe we could build an escrow service that's still in control of the user,
> for example by splitting the recovery key using Shamir's secret sharing and
> assigning each part to a recovery step, with a threshold of 3 to reconstruct
> the recovery key.
>
> That's hard to do in practice, but solutions that don't depend on perfect
> infrastructure security will make everyone sleep better at night.
>

If I understand you correctly, that's what I'm suggesting; Apple's recovery
service isn't able to access the key itself without the user's secret
answers.

My understanding of their process is:

* Take the FileVault recovery key.
* Take three user questions; store them on the server.
* Take three user answers. Stretch them into a key, kR, presumably with a
salt (stored) and associated with the user or device in some way. FileVault
is associated with a particular disk and probably with some other
particular hardware components, so there are other reproducible inputs here.
* Encrypt the recovery key with kR.
* Store the result on the server.
* Throw away kR.

Recovery is:

* Identify as the user.
* Retrieve the questions.
* Solicit the answers and collect other fixed inputs (e.g., disk ID).
* Compute and validate kR.
* Request the encrypted recovery key.
* Decrypt it with kR.

Presumably you would rate-limit requests for keys, require some form of
auth (AppleID) to request keys, scope such requests, and encourage users to
enter reasonably entropy-rich answers. But it's not an escrow service in
the traditional only-protected-by-the-law sense, so this isn't just
layering defense-in-depth on top of "oops".


In a sense, this is exactly what we do for `crypto/keys` on the Sync
server: we store the keys that you use to decrypt Sync records, and we
store them wrapped by kB, which is a key derived from a secret you know.
The bet is that you'll either remember your password (and can thus derive
kB), or you can remember your three secret answers (and thus derive kR).

Very security-sensitive users will probably opt to not use escrow, or will
enter high-entropy strings instead of "Ambulance Driver" :)
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
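
The wrap and recovery steps listed in the message above, as an added example that is not part of the original post and is not Apple's or Mozilla's code. Assumptions: PBKDF2 stands in for the unspecified "stretch", an XOR pad plus HMAC tag derived from kR stands in for an authenticated cipher (the Python standard library has none), and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # assumed work factor; the message only says "stretch"


def derive_kr(answers, salt, disk_id):
    """Stretch the three answers plus a fixed input (disk ID) into kR."""
    # Normalize so "Ambulance Driver " and "ambulance driver" agree.
    fields = [unicodedata.normalize("NFKC", a).strip().casefold() for a in answers]
    fields.append(disk_id)
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    material = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields
    )
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def _subkeys(kr):
    # Separate keys for the pad and for the validation tag.
    return (hmac.new(kr, b"enc", hashlib.sha256).digest(),
            hmac.new(kr, b"mac", hashlib.sha256).digest())


def wrap(recovery_key, answers, disk_id):
    """Return the record the server stores; kR is discarded on return."""
    if len(recovery_key) > 32:
        raise ValueError("this sketch wraps at most 32 bytes")
    salt = os.urandom(16)  # fresh per wrap, so the pad is never reused
    enc, mac = _subkeys(derive_kr(answers, salt, disk_id))
    ct = bytes(a ^ b for a, b in zip(recovery_key, enc))
    tag = hmac.new(mac, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(record, answers, disk_id):
    """Recompute kR, validate it against the tag, then decrypt."""
    enc, mac = _subkeys(derive_kr(answers, record["salt"], disk_id))
    want = hmac.new(mac, record["salt"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, record["tag"]):
        return None  # wrong answers or wrong disk: kR does not validate
    return bytes(a ^ b for a, b in zip(record["ct"], enc))
```

Because the stored record lets kR be validated, anyone holding it can test guesses offline, so the protection is bounded by the entropy of the answers and the cost of the stretch.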
