
Crypto modes

Open nsayer opened this issue 7 years ago • 3 comments

You might consider using a different mode than CBC. An authenticating mode, such as CCM, would strongly protect against the ciphertext being tampered with. Be aware, however, that the ciphertext will be larger than the plaintext (this is also the case with CBC mode, since you have to store the IV).

Also, there is potentially some intelligence available from the size and number of the files. You can attempt to further obfuscate the data by attempting to compress it prior to encrypting it, or padding it with random amounts of random data (although, again, this makes the ciphertext larger). You could also generate random garbage files that are ignored and deleted by the decryption phase. This has the benefit of providing targets for an adversary that would never decrypt properly even with the correct key.

Lastly, I'm not sure I followed the logic fully, but it appears as though the encrypted filename map winds up being identifiable in the encrypted result. This makes it clearly the highest priority target for decryption. You could eliminate the need for it by simply encoding the plaintext file's name in the ciphertext. The process of decryption would extract the filename from the encrypted file and write the plaintext out. The decryption process would just need to make a snapshot of the directory content at the start to avoid attempting to decrypt already decrypted files.

If the pre-encryption file content were, say, a TLV structure of the original file content, its name, any additional metadata, and (perhaps) added junk data for the decrypter to ignore, and you then took that file content and encrypted it with a CCM mode... that, it seems to me, would significantly amplify the strength of your solution.

nsayer, Oct 20 '17 17:10

To begin with, thanks for your feedback; it's greatly valued! :)

Regarding CBC versus CCM: I am admittedly relatively clueless on modern cryptography, so I would be interested in learning more about this. Could you provide some sources with reasons on why to consider one over the other? The reason for choosing CBC was primarily that it was suggested around the internet.

Regarding compressing the files and adding random data: The problem is mainly with file compression and the USB 2.0 connection. It will unfortunately make the whole process even slower, and the Raspberry Pi Zero is already pretty slow as it is. That being said, if the hardware were to be upgraded, then I think we should definitely go for a solution like that!

Regarding filenames_map as well as the secret files: Yes, they are indeed identifiable as to their purpose, but does it really matter? If an attacker can decrypt them, then the rest of the files can most likely be decrypted as well. This was the main thought behind keeping it simple and not somehow obfuscating their filenames.

What are your thoughts on these?

platisd, Oct 20 '17 19:10

CCM: https://en.wikipedia.org/wiki/CCM_mode

What CCM gives you is the ability to detect tampering with the ciphertext. It strongly authenticates the files in addition to encrypting them. CBC won't detect tampering. It will turn a tampered file into garbage starting at the point where the first bit is altered, which in principle is almost as good, but being able to say definitively that a file has not been altered at all between encryption and decryption has some value.

Having the special files not be obfuscated is just an information leak. You're correct that it's likely not a critical one, but it's somewhat of a misreading of Kerckhoffs' principle to suggest that it's unimportant to obfuscate the details of ciphertext. The correct interpretation is that you have to assume that your adversaries know everything except the keys, but that doesn't mean you're obliged to make it easier for them. :)

nsayer, Oct 20 '17 19:10
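The envelope-plus-authenticated-mode design proposed in the two comments above, as an added example that is not part of cryptopuck or this thread: it is written in Go so that it needs only the standard library, with AES-GCM standing in for CCM (Go ships no CCM; both are AES authenticated modes), the filename is carried inside the plaintext as a length-prefixed field rather than in a separate filenames_map, and the optional junk record is left out. The function names NewAEAD, Seal and Open are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// NewAEAD returns AES-GCM, standing in for the CCM discussed in the thread:
// Go's standard library has no CCM, but both are AES authenticated modes.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds the envelope uint32(len(name)) || name || content and encrypts
// it, so the filename travels inside the ciphertext; output is nonce || ct || tag.
func Seal(aead cipher.AEAD, name string, content []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pt := make([]byte, 4, 4+len(name)+len(content))
	binary.BigEndian.PutUint32(pt, uint32(len(name)))
	pt = append(append(pt, name...), content...)
	return aead.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || tag
}

// Open authenticates and decrypts, then splits the filename from the content.
// A flipped bit or a wrong key makes aead.Open fail instead of yielding garbage.
func Open(aead cipher.AEAD, blob []byte) (string, []byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return "", nil, errors.New("blob too short to hold a nonce")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", nil, err // tampered, truncated or wrong key
	}
	if len(pt) < 4 || uint64(len(pt)-4) < uint64(binary.BigEndian.Uint32(pt)) {
		return "", nil, errors.New("malformed envelope")
	}
	n := 4 + binary.BigEndian.Uint32(pt)
	return string(pt[4:n]), pt[n:], nil
}
```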

I was about to switch the mode to CCM; however, I just discovered that CCM is not supported (anymore) by the PyCrypto library that is being used.

Regarding the filenames, I am putting your recommendation up for grabs:

  • Obfuscate filenames_map filename so an adversary will not be able to determine its probable contents.

platisd, Oct 23 '17 20:10