Rocket.chat: End to end encryption, insufficient iterations when deriving master key

Created on 19 Dec 2018 · 11 Comments · Source: RocketChat/Rocket.Chat

Hi There,

Right now, according to this code, 1000 iterations are used for PBKDF2 to derive the master key for encrypting the user's private RSA key before storing it in the DB:
https://github.com/RocketChat/Rocket.Chat/blob/develop/packages/rocketchat-e2e/client/helper.js#L86
Please correct me if I am looking at the wrong place. This weakens protection from offline attacks when an adversary has stolen the database and tries to guess user passwords. He can guess a password, do 1000 iterations of PBKDF2 to get a probable master key, then try to decrypt the user's RSA private key and check whether it corresponds to the user's RSA public key.

According to section 5.1.1.2 of https://pages.nist.gov/800-63-3/sp800-63b.html#sec5, NIST recommends at least 10000 iterations.

Labels: Planned, Triaged, e2e, improvement

Most helpful comment

Looks good. I'll schedule this for the next release.

All 11 comments

@rocketchat/core what do you guys think? Any reason not to increase iterations?

@vlasenko thanks for your report.

But that is not the case: the password is not stored anywhere, not even encrypted. We only store the private key encrypted using the encrypted password, so an attacker doesn't have access to the encrypted password to try to discover the password.

Does this make sense?

@rodrigok Yes, and the iteration count matters for this case. I described the attack for this case, where you store the private key encrypted under the derived master key, in the first post of this issue.

@vlasenko I missed some parts. Ok, I'll take this into consideration.

@rodrigok Thank you!

Just describing a possible solution to migrate the ones using 1k iterations:

  • Start saving all the keys using 10k
  • Try to decrypt the key using 10k when loading from the database
    • If not possible, try to decrypt using 1k and, if successful, encrypt it again using 10k and save it to the database

@rodrigok Yes, this migration path looks good to me too.

Looks good. I'll schedule this for the next release.

Is there any news regarding this matter? I still don't know whether to use the end-to-end encryption or not. The apps for desktop and mobile say that it's still in alpha status. When will there be a beta version? Does anybody have further information?

@rodrigok With mobile getting e2e support, I imagine we want to move e2e forward in status, maybe to beta? Should this be addressed?

@geekgonecrazy we will not change the status yet, we need to reevaluate everything and make some changes to promote it to a more stable version. The mobile implementation is just a missing part getting support.
