use ChaCha⊕AES encryption #1164
Labels
No labels
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: tahoe-lafs/trac-2024-07-25#1164
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
In order to protect against weaknesses in AES (such as timing or side-channel attacks, or cryptanalysis, possibly far in the future and applied against old ciphertexts), want to use a combined encryption of AES-128 and XSalsa20. Yu Xue (Student) and Jack Lloyd (Mentor) are working on implementing that mode for GSoC 2010:
[//trac/pycryptopp/ticket/46 https://tahoe-lafs.org/trac/pycryptopp/ticket/46]
This ticket is to integrate that encryption mode into Tahoe-LAFS. The steps are to define new capability versions, such as by inserting an
Xinto the cap type designator:[//pipermail/tahoe-dev/2010-August/004878.html https://tahoe-lafs.org/pipermail/tahoe-dev/2010-August/004878.html]
[//pipermail/tahoe-dev/2010-August/004879.html https://tahoe-lafs.org/pipermail/tahoe-dev/2010-August/004879.html]
And to make it so that caps of that new type get encrypted/decrypted with XSalsa20+AES-128 instead of with AES-256. For the first release of Tahoe-LAFS which includes that functionality, it will still by default create new caps using the old encryption of only AES-256. It is important that people feel free to upgrade to new versions of Tahoe-LAFS without having to take any steps to ensure backward-compatibility, and that means that the new version of Tahoe-LAFS must not, by default, produce caps that older versions of Tahoe-LAFS (such as v1.8.0) can't read.
[//pipermail/tahoe-dev/2010-August/004936.html This tahoe-dev letter] listed all the places where the source code as of Tahoe-LAFS v1.8.0c1 used encryption. Here are those links updated to current master:
This is inspired by The One-Hundred-Year Cryptography Project.
Upon Samuel Neves's questioning, I added some notes about AES-128 vs. AES-256 for this:
(@@http://tahoe-lafs.org/trac/pycryptopp/ticket/46#comment:-1@@)
I would be interested in the feedback of Jack, Yu Xue, David-Sarah, or Brian about this issue.
Yu Xue contributed a patch to pycryptopp to make it support XSalsa20 and XSalsa20⊕AES-128: http://tahoe-lafs.org/trac/pycryptopp/ticket/46
It's not clear to me that this should go into 1.10, which is going to focus primarily on bug fixes (especially robustifying mutable files and repair behaviour) and accounting. However, I may be persuadable.
Hmm, I see this is explicitly listed as one of the goals for the 1.10 milestone. So, I'll leave it in.
I currently intend to get this landed in trunk for Tahoe-LAFS v1.11.
Replying to zooko:
+1.
We pushed many goals back a release when we decided to have release 1.10 just based on features and bugfixes that were already on trunk. So it is now 1.11 that is going to focus primarily on robustifying share placement and repair behaviour. I suggest that XSalsa+AES support go into 1.12, unless it is ready for 1.11 without slipping the schedule. Note that some design issues about cap format etc. have not been resolved yet.
Replying to daira:
+1
Because of the fact that ChaCha looks like it might become a standard cipher in TLS soon (http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01), then this makes me think we should use ChaCha instead of XSalsa20 for this.
I opened [//trac/pycryptopp/ticket/15#comment:120943 pycryptopp ticket #94] to track adding ChaCha into pycryptopp.
use XSalsa20+AES-128 encryptionto use ChaCha⊕AES encryptionMilestone renamed
renaming milestone
As part of the programme of reducing our cryptography library dependencies (and getting out of the business of writing C/Python wrappers ourselves), I think we should move away from pycryptopp and use 'cryptography' (which Tahoe-LAFS already depends on via pyOpenSSL >= 0.14) where possible. It doesn't look like cryptography supports ChaCha20 unfortunately; we could either fix that, or use pysodium for that instead.
Moving open issues out of closed milestones.
Ticket retargeted after milestone closed