[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Duplicity-talk] Stream Vulnerability
From: |
Nate Eldredge |
Subject: |
Re: [Duplicity-talk] Stream Vulnerability |
Date: |
Sun, 31 Aug 2014 09:53:36 -0600 (MDT) |
User-agent: |
Alpine 2.10 (DEB 1266 2009-07-14) |
On Fri, 29 Aug 2014, Jonathan Brown wrote:
Could anyone tell me if Duplicity is vulnerable to stream encryption
vulnerabilities utilizing GPG? This blog post talks about issues affecting
encryption that uses GPG and I would like to know if there is any reason to
be concerned. Thanks
https://www.imperialviolet.org/2014/06/27/streamingencryption.html
Summary of the article: GPG puts signatures, checksums, etc at the end of
encrypted data. Therefore, when decrypting on the fly, the decrypted data
is output before it can be checked for integrity. So a program might work
on data that has been tampered with (e.g. if the data is a tar archive,
unpacking it into the filesystem), and only find out after it is too late
to reverse it (e.g. existing files are overwritten).
I looked into this, and to the best of my knowledge, duplicity is not
vulnerable, for two reasons.
It looks like when restoring, duplicity does decrypt on-the-fly while
processing difftar volumes from the temp directory. However, before
decryption even begins, the volume's SHA1 hash is checked against the
manifest, so a tampered volume would fail at this stage before being
decrypted or unpacked. (If --sign-key is in use, which it should be if
you have concerns that an attacker may be able to modify your backup data,
the manifest will have already had its signature checked.) You would be
left with an incompletely restored backup, possibly including a truncated
file, but there would be no way for an attacker to use this to manipulate
file contents.
Furthermore, even if such an attack could be carried out, it couldn't
cause any damage. duplicity does not allow you to restore on top of
existing data: if the target directory for the restore is not empty, it
aborts. So even if altered data were written before being detected, it
would have been written to a new directory. When the invalid
hashes/signatures were detected and reported by duplicity, you could
simply delete the restore directory, and your existing files would be
intact.
--
Nate Eldredge
address@hidden