On Wed, 2012-05-16 at 00:37 +0300, Timo Juhani Lindfors wrote: > Pierre Jaury <pierre@jaury.eu> writes: > > Volonturay distributed file sharing > > This is an opensource, free and viral project > > that aims at providing collaborative distributed > > storage to users who want to store and share files > > temporarily over the Internet. > > Has somebody evaluated the security of this system? > > It seems it is using AES in CBC mode for 32*1024 - 16 byte chunks. Are > the chunks encrypted independently? If yes, doesn't this mean that it > has the same weaknesses as ECB mode? > This software is still an early research project: as far as I know, only basic formal security analysis has been performed. Yet, for your specific concern about usual AES vulnerability when using independently encrypted blocks, the project aims at providing temporary private storage but does not pretend to provide secure operations. Besides, there is no apparent relation between separately encrypted chunks held by multiple (dozens) of repositories in normal use case, which avoids basic risks of crypt-analysis. Finally, as an anticipation to further concerns (I used to have when first intending to package vodstok): yes, there may - will for sure, for security hardening purpose or anything else - be protocol changes. But most of the protocol is handled in the client part; plus, as long as provided storage is intended to be temporary (with automatic deprecation and deletion of old data), it does not sound like fatal for packaging. By the way, I am quite new at Debian packaging and still asking plenty of (dumb) questions. Should I package client-only as vodstok (which is in fact mostly written in Python) and PHP repository separately as vodstok-server or anything? Thanks, Pierre.
Attachment:
signature.asc
Description: This is a digitally signed message part