On 18 Apr 2015 11:34, "Thijs Alkemade" <[email protected]> wrote:
>
>
> > On 18 apr. 2015, at 11:59, Thijs Alkemade <[email protected]> wrote:
> >
> >
> >> On 18 apr. 2015, at 11:42, Georg Lukas <[email protected]> wrote:
> >>
> >> 1. When a user logs in for the first time, an asymmetric keypair is
> >> created (I was thinking of Curve25519, where key creation is almost
> >> free). The private key is encrypted with a key derived from the user
> >> password / SASL state (https://www.zash.se/mod_storage_encfs.lua.html is
> >> a PoC for that).
> >>
> >> 2. All data that is stored for the user is encrypted with their public
> >> key and appended to their "container".
> >
> > What do you mean by “SASL state”? All of the data the server has after a
> > SCRAM-SHA-1 exchange is either a) stored on the server, b) session specific.
> > You can’t derive a key from that which the server could not derive on its own.
>
> Zash pointed out to me that I was wrong. The ClientKey does not change between
> sessions, is not stored on the server (during normal operation) and the server
> does compute it during login. It could be used to derive a key.
>
However, it's pretty weak for such usage, and would tie clients into a specific
SASL mechanism; I don't see an upgrade path should that mechanism develop an
exploit. I think you'd be better off going along with Peter's suggestion than
trying to store encrypted archives on the server.
>
> Thijs
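The SCRAM-SHA-1 property the thread turns on (the server never stores the ClientKey, but recovers it from the ClientProof on every successful login, and it is the same on every login) is easy to check against RFC 5802 arithmetic. The following is an added illustration written for this page; it is not code from Prosody, mod_storage_encfs or any participant in the thread. The `derive_storage_key` step, the user name and the simplified AuthMessage/nonce values are constructed assumptions for the demonstration, not part of the proposal being discussed.

```python
"""SCRAM-SHA-1 (RFC 5802) key material, worked through to show why the
ClientKey can serve as key-derivation input: it is a fixed function of the
password and the stored salt/iteration count, the server never stores it,
yet the server recovers it from the ClientProof on each successful login.

Added illustration for the thread above; not code from Prosody,
mod_storage_encfs or any participant. Nonces and the AuthMessage are
simplified constructed values.
"""
import hashlib
import hmac
import os

HASH = "sha1"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1 and dkLen = hash length.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt,
                               iterations, DIGEST_LEN)


def client_key(salted_pw: bytes) -> bytes:
    return hmac.new(salted_pw, b"Client Key", HASH).digest()


def server_key(salted_pw: bytes) -> bytes:
    return hmac.new(salted_pw, b"Server Key", HASH).digest()


def stored_key(ckey: bytes) -> bytes:
    return hashlib.sha1(ckey).digest()


def enroll(password: str, iterations: int = 4096) -> dict:
    """What the server keeps on disk: salt, iteration count, StoredKey and
    ServerKey. The ClientKey itself is deliberately absent from this record."""
    salt = os.urandom(16)
    spw = salted_password(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": stored_key(client_key(spw)),
        "server_key": server_key(spw),
    }


def client_proof(password: str, record: dict, auth_message: bytes) -> bytes:
    """Client side of one login: ClientProof = ClientKey XOR ClientSignature,
    where ClientSignature = HMAC(StoredKey, AuthMessage)."""
    spw = salted_password(password, record["salt"], record["iterations"])
    ckey = client_key(spw)
    client_sig = hmac.new(stored_key(ckey), auth_message, HASH).digest()
    return xor_bytes(ckey, client_sig)


def server_verify(record: dict, auth_message: bytes, proof: bytes):
    """Server side: undo the XOR to recover ClientKey, then check that it
    hashes to the StoredKey on file. Returns the recovered ClientKey, or None.
    This is the only moment the server ever holds the ClientKey."""
    client_sig = hmac.new(record["stored_key"], auth_message, HASH).digest()
    recovered = xor_bytes(proof, client_sig)
    if not hmac.compare_digest(stored_key(recovered), record["stored_key"]):
        return None
    return recovered


def derive_storage_key(ckey: bytes, user: str) -> bytes:
    """Hypothetical (constructed for this example) derivation of a wrapping
    key for the user's private key from the recovered ClientKey. A distinct
    label keeps it separate from the ClientSignature / ServerKey uses.
    Its strength is only that of the password plus PBKDF2, and it is tied to
    SCRAM-SHA-1 specifically: both caveats raised in the thread."""
    return hmac.new(ckey, b"storage-wrap:" + user.encode("utf-8"),
                    "sha256").digest()


def demo(password: str = "correct horse", user: str = "juliet@example.net"):
    """Two logins with different nonces: the proofs differ, the recovered
    ClientKey and hence the derived wrapping key do not."""
    record = enroll(password)
    derived = []
    for _ in range(2):
        # Constructed stand-in for the RFC 5802 AuthMessage; real clients
        # concatenate the full client-first/server-first/client-final messages.
        auth_message = (b"n=" + user.encode("utf-8") + b",r=" +
                        os.urandom(12).hex().encode("ascii"))
        proof = client_proof(password, record, auth_message)
        recovered = server_verify(record, auth_message, proof)
        if recovered is None:
            raise RuntimeError("login failed")
        derived.append(derive_storage_key(recovered, user))
    return record, derived
```

Two practical consequences follow from the arithmetic: the server can only unwrap the private key while a SCRAM login is in progress (it cannot do so from the stored record alone, which is the property Thijs's correction relies on), and a password, salt or iteration-count change produces a different ClientKey, so the wrapped private key has to be re-wrapped during that change while the old ClientKey is still available.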
