#SPIDEROAK STORAGE REGISTRATION#
They have a device registration feature that keeps your computer logged in all the time. We would hope that sharing a file requires downloading, decrypting locally and reuploading in the clear and NOT decrypting on the server. Shared files are stored decrypted on their servers a trap for people who may have assumed otherwise. They are based in the USA and as such are subject to the local data protection laws - or lack of. Either they store a hash of the unencrypted data or use the same AES encryption key and salt for the two files. However to the more general question in the title I would say not.
#SPIDEROAK STORAGE PASSWORD#
I've had that happen multiple times.ĭRF is probably correct in that the password is encrypted locally with your private key and not accessible to SpiderOak itself.
Ofcourse it's also possible the representative doesn't really know what he's saying. The first of these seems more likely to be honest, since the overhead for the client otherwise would be quite large. This seems somewhat fishy in the sense that either they do encryption/decryption on their servers (thus it's not fully zero-knowledge) or they send all the data back to you when you change your password and your client reencrypts it. You enter the password, PBKDF2 does it's magic, and voila you decrypt K 1 and then decrypt your data.Įdit: GAH how do I get TeX to work here in my posts?Įdit2.: Rereading the information you got from the representative it actually seems like all new K 1's are also generated. When you then come to a different device, fire up your client and try to retrieve your data, the encrypted data come accompanied by the key encrypted using you new password. Locally these get decrypted by the key generated from the old password, and reencrypted by the key generated from the new password, which gives a new K' 2. So what happens when you change your password? Well the server sends your client all the packages E K 2(K 1)$ for any K 1's it has for your data. When you enter your password, PBKDF2 is used to generate K 2 which is used to decrypt K 1, which is then used to decrypt your data. When you then want to retrieve the data you get the data sent over to you encrypted, and the key sent over to you also encrypted. The package that would then be sent to and stored on the Spider Oak servers would be E K 1(data),E K 2(K 1). It would always be generated on the fly when you want to access your data.
This key K 2 would never be stored anywhere (except client memory). By the preceding ugly description I mean they use the PBKDF2 (Password Based Key Derivation Function v2.) algorithm (using SHA-2) to generate an encryption key from your password.
This key is then encrypted by a key K 2=PBKDF(32 byte salt,password,16384 rounds). This would mean the data is encrypted by some randomly generated key K 1 (on your machine). My guess would be at least 2 levels, but for simplicity let's just assume one. Now going by their response to you, I would assume they have some hierarchy of keys. This data must be encrypted by something. This would mean the application on the client performs all the encryption/decryption operations and only stores the resulting data (and possibly extra encrypted metadata on the server). Given that they claim to be storing your data encrypted and never being able to access it, I would assume the only thing they ever have access to is really the encrypted version of your data. How is a device able to decrypt the newly created password?ĭisclaimer: I have never tried using spider oak so I'm only by going what they claim they do, what they told you they do and what the end result looks like. Pre-computation or database attacks against the key. PBKDF2 (using sha256), with a minimum of 16384 rounds, and 32 bytes of All keys are encrypted with 256 bit AES, using a key createdįrom your password by the key derivation/strengthening algorithm Each device is able to decrypt theīy changing your password, you have created a new set of encryption
Your password and the encrypted password is sent to the server thenĭistributed to each device. I must point out that if you change your password, these updates willīe detected across all of your machines because SpiderOak encrypts I was quite surprised when I found out the password updated itself automagically.
#SPIDEROAK STORAGE UPDATE#
Because I have SpiderOak installed on computer B as well, I thought I will have to update the password on it so the application can connect to the server. I've recently changed SpiderOak password on computer A.
0 kommentar(er)
