[messaging] Peerio

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Feb 28 16:12:03 PST 2015 

On Sat 2015-02-28 20:46:12 +0100, Trevor Perrin wrote:
> If the attacker spread his bets he'd do better.  For example, the
> milllion-dollar attacker could try a billion common phrases against a
> thousand accounts.  Specialized hardware would be even more efficient.

it's not just testing against a thousand accounts, it's testing against
*all* accounts, including future ones.

An attacker who can try a billion common phrases and can afford the
storage can store the billion generated secret keys indexed by public
key, and keep them forever.  If we assume each secret key and public key
are 32-byte values, and the indexing doubles the size of the storage,
then we're talking about 128 bytes per generated key, so we could fit 8
billion guesses on a single 1TiB hard disk.  (someone please check my
math, i'm short on sleep)

Whenever a new peerio ID shows up, the attacker just looks in their
index for the minilockID, and if they find it, they retrieve the secret
key.  The attacker doesn't even need to even remember the password that
they guessed, since they have derived the secret key already.

Offline dictionary attacks are nasty things.

> Note also that this is a powerful attack - if it succeeds, the
> attacker can log in as you and read your old messages, without needing
> server compromise or traffic interception.

yeah, that's a pretty high-value payoff :(

-------

Reviewing the peerio and minilock specs again, i'm a bit worried that
the peerio server might be able trick the user into decrypting the
decryptInfo piece of any message sent to them -- you've probably thought
of this already though, and i'm not deep enough in the specs (or too
sleep deprived) to see the defense: can you point it out to me?

The attack goes something like this:

 * Alice posts message X to user Bob.  The server knows that X is
   targeted to Bob because Alice has put Bob in the recipients field in
   createMessage.

 * the server extracts the ephemeral value and the (still encrypted)
   decryptInfo value from message X, storing them as E and D
   respectively.

 * the next time Bob requests some authTokens from the peerio server,
   the peerio server claims E as its new ephemeralServerID, and includes
   D as one of the encrypted authTokens.

 * The next request Bob makes, he includes the authToken, which is his
   decryption of D -- that is, he sends the cleartext version of the
   decryptInfo to the server as his next authToken.

I haven't tried to advance this kind of attack to a full decryption of
the message X itself yet.  Is there something in the structure of the
messages that would guarantee this attack would fail?

      --dkg

More information about the Messaging mailing list