On Wed, 2012-05-16 at 00:37 +0300, Timo Juhani Lindfors wrote:
> Pierre Jaury <pie...@jaury.eu> writes:
> > Volonturay distributed file sharing
> > This is an opensource, free and viral  project 
> > that aims at providing collaborative distributed
> > storage to users who want to store and share files 
> > temporarily over the Internet.
> Has somebody evaluated the security of this system?
> It seems it is using AES in CBC mode for 32*1024 - 16 byte chunks. Are
> the chunks encrypted independently? If yes, doesn't this mean that it
> has the same weaknesses as ECB mode?

This software is still an early research project: as far as I know, only
basic formal security analysis has been performed.

Yet, for your specific concern about usual AES vulnerability when using
independently encrypted blocks, the project aims at providing temporary
private storage but does not pretend to provide secure operations.

Besides, there is no apparent relation between separately encrypted
chunks held by multiple (dozens) of repositories in normal use case,
which avoids basic risks of crypt-analysis.

Finally, as an anticipation to further concerns (I used to have when
first intending to package vodstok): yes, there may - will for sure, for
security hardening purpose or anything else - be protocol changes. But
most of the protocol is handled in the client part; plus, as long as
provided storage is intended to be temporary (with automatic deprecation
and deletion of old data), it does not sound like fatal for packaging.

By the way, I am quite new at Debian packaging and still asking plenty
of (dumb) questions. Should I package client-only as vodstok (which is
in fact mostly written in Python) and PHP repository separately as
vodstok-server or anything?


Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to