Compress, encrypt & verify both userdata & keys #437

Closed
makruz opened this issue Jun 24, 2016 · 1 comment
makruz commented Jun 24, 2016

Problem:
As it is, Ricochet does not encrypt the user's contact list or the user's encryption keys. Anyone who gets access to the Ricochet folders can read all of the user's contact information and steal RSA keys, making it possible to compromise communication in the future via man-in-the-middle attacks.

Solution:
Compress, encrypt and verify both userdata and keys stored in Ricochet using AES-128-GCM, with the key derived from a user-input passphrase via PBKDF2. Decrypt data to memory, only write encrypted data to the HDD.

Mitigation/temporary fix:
Store Ricochet files inside a VeraCrypt container or a similar encrypted location.
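
The scheme proposed in this comment (compress, then AES-128-GCM with a PBKDF2-derived key), as an added Node.js example; it is not Ricochet code and not part of the original issue. The file layout, the `RCS1` tag, the function names and the iteration count are assumptions made for illustration.

```javascript
// Added illustration, not Ricochet code. Layout, names and work factor are assumptions.
const crypto = require('crypto');
const zlib = require('zlib');

const MAGIC = Buffer.from('RCS1');      // hypothetical format tag
const ITERATIONS = 600000;              // assumed PBKDF2-HMAC-SHA256 work factor
const MAX_ITERATIONS = 5000000;         // refuse absurd counts from a hostile file
const HDR = 8, SALT = 16, NONCE = 12, TAG = 16;

// 16-byte output = AES-128 key
const deriveKey = (pass, salt, iters) => crypto.pbkdf2Sync(pass, salt, iters, 16, 'sha256');

// Layout: MAGIC(4) | iterations u32 BE(4) | salt(16) | nonce(12) | tag(16) | ciphertext
function seal(passphrase, plaintext) {
  const header = Buffer.alloc(HDR);
  MAGIC.copy(header, 0);
  header.writeUInt32BE(ITERATIONS, 4);
  const salt = crypto.randomBytes(SALT);    // fresh per write
  const nonce = crypto.randomBytes(NONCE);  // never reused under one key
  const cipher = crypto.createCipheriv('aes-128-gcm', deriveKey(passphrase, salt, ITERATIONS), nonce);
  cipher.setAAD(Buffer.concat([header, salt]));   // header and salt are covered by the tag
  const body = Buffer.concat([cipher.update(zlib.deflateSync(plaintext)), cipher.final()]);
  return Buffer.concat([header, salt, nonce, cipher.getAuthTag(), body]);
}

// Returns the plaintext Buffer; throws on a wrong passphrase or any modification.
function unseal(passphrase, blob) {
  if (blob.length < HDR + SALT + NONCE + TAG || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error('not a sealed store');
  }
  const iters = blob.readUInt32BE(4);
  if (iters < 1 || iters > MAX_ITERATIONS) throw new Error('iteration count out of range');
  const salt = blob.subarray(HDR, HDR + SALT);
  const nonce = blob.subarray(HDR + SALT, HDR + SALT + NONCE);
  const tag = blob.subarray(HDR + SALT + NONCE, HDR + SALT + NONCE + TAG);
  const decipher = crypto.createDecipheriv('aes-128-gcm', deriveKey(passphrase, salt, iters), nonce);
  decipher.setAAD(blob.subarray(0, HDR + SALT));
  decipher.setAuthTag(tag);
  // final() verifies the tag; nothing is inflated until it has passed
  const packed = Buffer.concat([decipher.update(blob.subarray(HDR + SALT + NONCE + TAG)), decipher.final()]);
  return zlib.inflateSync(packed);
}
```

Compressing before encrypting leaves the compressed length visible in the file size, so the stored blob still reveals roughly how much contact data it holds.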

special (Member) commented Nov 3, 2016

Agreed. There's discussion on this in #33. There's nothing blocking encryption for the private key and contacts now, other than actually doing the work :)

special closed this as completed Nov 3, 2016