Use a safer encyption algorithm

Bug #825986 reported by Carlos José Ruiz-Henestrosa Ruiz on 2011-08-13
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Syncany
Confirmed
Medium
Unassigned

Bug Description

Actually, the algorithms used by Syncany are too unsafe (only AES and 3DES). It's a huge security bug IMHO.

Syncany should be able to use safer encyption algorithms like PGP (GPG) or AES+Twofish+Serpent.

visibility: private → public

Hello Carlos,

Syncany basically supports all Java-compatible synchronous encryption methods. If we used the Bouncycastle provider, we could use the following algorithms: http://www.bouncycastle.org/specifications.html#install (table in section 5.2)

The rest is just a matter of the UI :-)

Cheers

Changed in syncany:
importance: Undecided → High
importance: High → Medium
status: New → Confirmed
Michael Ekstrand (elehack) wrote :

What's wrong with AES? Properly used (CBC or CTR, good keying, etc.), it's pretty standard for secure deployments and is a FIPS standard.

I have to agree with Philipp here, AES adoption has never convinced me
properly.

Kinda like what is happening in GSM networks, quite convenient IMHO...
Unless it really hurts performance, Syncany should have solid security
features (one of the key points of Syncany is that you can host it on your
own server, hence secure your data, so it should be done in the best way
possible - consider the possibilities for enterprises).

Best regards!

On Tue, Aug 30, 2011 at 6:08 PM, Michael Ekstrand <email address hidden>wrote:

> What's wrong with AES? Properly used (CBC or CTR, good keying, etc.),
> it's pretty standard for secure deployments and is a FIPS standard.
>
> --
> You received this bug notification because you are a member of Syncany
> Team, which is subscribed to Syncany.
> https://bugs.launchpad.net/bugs/825986
>
> Title:
> Use a safer encyption algorithm
>
> Status in Syncany:
> Confirmed
>
> Bug description:
> Actually, the algorithms used by Syncany are too unsafe (only AES and
> 3DES). It's a huge security bug IMHO.
>
> Syncany should be able to use safer encyption algorithms like PGP
> (GPG) or AES+Twofish+Serpent.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/syncany/+bug/825986/+subscriptions
>
> --
> Mailing list: https://launchpad.net/~syncany-team
> Post to : <email address hidden>
> Unsubscribe : https://launchpad.net/~syncany-team
> More help : https://help.launchpad.net/ListHelp
>

I said Philipp but I meant Carlos, as it should be clear...

Sorry for the typo.

2011/8/31 João Almeida <email address hidden>

> I have to agree with Philipp here, AES adoption has never convinced me
> properly.
>
> Kinda like what is happening in GSM networks, quite convenient IMHO...
> Unless it really hurts performance, Syncany should have solid security
> features (one of the key points of Syncany is that you can host it on your
> own server, hence secure your data, so it should be done in the best way
> possible - consider the possibilities for enterprises).
>
> Best regards!
>
> On Tue, Aug 30, 2011 at 6:08 PM, Michael Ekstrand <email address hidden>wrote:
>
>> What's wrong with AES? Properly used (CBC or CTR, good keying, etc.),
>> it's pretty standard for secure deployments and is a FIPS standard.
>>
>> --
>> You received this bug notification because you are a member of Syncany
>> Team, which is subscribed to Syncany.
>> https://bugs.launchpad.net/bugs/825986
>>
>> Title:
>> Use a safer encyption algorithm
>>
>> Status in Syncany:
>> Confirmed
>>
>> Bug description:
>> Actually, the algorithms used by Syncany are too unsafe (only AES and
>> 3DES). It's a huge security bug IMHO.
>>
>> Syncany should be able to use safer encyption algorithms like PGP
>> (GPG) or AES+Twofish+Serpent.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/sy nncany/+bug/825986/+subscriptions<https://bugs.launchpad.net/syncany/+bug/825986/+subscriptions>
>>
>> --
>> Mailing list: https://launchpad.net/~syncany-team
>> Post to : <email address hidden>
>> Unsubscribe : https://launchpad.net/~syncany-team
>> More help : https://help.launchpad.net/ListHelp
>>
>
>

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers