Comment by reschlukas10

5 years ago

I think the idea is great; I've been looking for an E2EE photo service for a long time.

Although I'm not a security expert, I have some worries about your security concept.

1. When the user wants to change the password, all photos & videos have to be re-encrypted and uploaded, which is absurd for most people because ~100GB of photo storage is no longer an exception these days.

2. When your database is leaked, it is very easy to compare with leaked passwords, putting users with reused passwords at great risk.

My proposal:

Masterkey: Random key encrypted with user's password

Device A creates a masterkey and short-lived rolling keys. Device B creates private/public keys. If the user wants to add another device (B), he has to enter the current rolling key (from A). Device B sends its public key to Device A, encrypted with the rolling key. Device A sends back the masterkey encrypted with Device B's public key.

en/decryption-key = masterkey decrypted with user's password

With this method a database leak would be much less of a problem and a password change much less painful.

1. A user can change their password without re-encrypting any of the uploaded files. Changing the password only changes the encryptedMasterKey that is stored on the server.

2. Hashes of passwords are not stored at our server, and email addresses are stored encrypted.

You can read more about our key-encryption flow here: https://ente.io/architecture#key-encryption
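
The key-wrapping flow described in the reply above (a random master key kept on the server only as encryptedMasterKey and re-wrapped on a password change), as an added sketch that is not part of the thread and not ente's code. scrypt, AES-256-GCM, every function name, and encrypting the file directly with the master key are assumptions made for this illustration.

```javascript
// Added example. scrypt + AES-256-GCM are stand-ins chosen for this sketch.
const crypto = require('crypto');

// AES-256-GCM with a fresh 96-bit nonce per encryption.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

function unseal(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.nonce);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on a wrong key
}

// Wrap the master key under a key derived from the password. Only this
// record (salt + encryptedMasterKey) goes to the server, never the password.
function wrapMasterKey(password, masterKey) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 32);
  return { salt, encryptedMasterKey: seal(kek, masterKey) };
}

function unlock(password, record) {
  const kek = crypto.scryptSync(password, record.salt, 32);
  return unseal(kek, record.encryptedMasterKey);
}

// Password change: unwrap with the old password, re-wrap with the new one.
// The master key is unchanged, so no file ciphertext is touched.
function changePassword(oldPassword, newPassword, record) {
  return wrapMasterKey(newPassword, unlock(oldPassword, record));
}

// Constructed demo: a "photo" encrypted before the password change.
function demo() {
  const masterKey = crypto.randomBytes(32);
  const record = wrapMasterKey('old-passphrase', masterKey);
  const photo = seal(masterKey, Buffer.from('constructed photo bytes'));
  const rotated = changePassword('old-passphrase', 'new-passphrase', record);
  const recovered = unseal(unlock('new-passphrase', rotated), photo).toString();
  let oldRejected = false;
  try { unlock('old-passphrase', rotated); } catch (e) { oldRejected = true; }
  return { recovered, oldRejected };
}
```

In this sketch the leaked server record contains no password hash, but the authentication tag on encryptedMasterKey still lets anyone holding the record test password guesses offline, so the cost of the key-derivation function is what protects weak or reused passwords.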

  • 1. Oh sorry, thanks for the clarification

    2. How is the email address encrypted? Why would an attacker need a stored hash? In a database leak situation, it's possible to get to the data with only a valid email-password combination, or am I missing something? There is no information from a registered device necessary for the decryption, right?