passphrase-encrypt the aliases file

[daira]

This would help people who are concerned about the risk of an aliases file being read by an attacker. It would probably use scrypt or similar to drive the key from the passphrase.

[dawuud]

I would really like to help out with this ticket. Would using NaCl?'s SecretBox? like this work? ​https://github.com/david415/hidden-tahoe-backup/blob/master/HiddenTahoeBackup/secretBox.py

Should I be using scrypt here instead of sha256?

def hashPassphrase(passphrase):
    return nacl.hash.sha256(passphrase, encoder=nacl.encoding.RawEncoder)

[daira]

I don't think we want to add a dependency on NaCl. scrypt is a fine choice of PBKDF, though.

[dawuud]

If not NaCl? secretBox then what do you suggest?

[dawuud]

If we are going to encrypt the private aliases file shouldn't we also use a message authenticating code, perhaps an HMAC?

[dawuud]

a rough sketch of the cryptos here combining scrypt and an hmac construction with aes: ​https://github.com/david415/tahoe-lafs/tree/2100.encrypt-aliases-file.0

though i think it's the wrong aes mode; shouldn't it be a stream cipher so that the input can be any length? you can see my unit tests fail because the plaintext length is not a multiple of 16. wtf.

[dawuud]

i added padding and the unit tests pass now.

it occurred to me that typing the passphrase every time an alias is used would get annoying. even more so with key stretching. does resolving this ticket require making an agent?

[daira]

Replying to dawuud:

If we are going to encrypt the private aliases file shouldn't we also use a message authenticating code, perhaps an HMAC?

Yes, we should use authenticated encryption. Encrypt-then-HMAC (e.g. AES-CTR then HMAC) is fine for that.

[daira]

Replying to dawuud:

does resolving this ticket require making an agent?

No.