[SàT dev] [EN] security update (password encryption)
Adrien
souliane at mailoo.org
Fri 16 May 09:48:50 CEST 2014
Hi,
Yesterday we pushed some important updates to the repository, including
a database version upgrade. If you are using the development version:
--> Be sure to make a copy of sat.db before you upgrade SàT.
There was a remaining initialisation issue, reproducible under certain
circumstances, which has now been fixed. Libervia and the "asyncConnect"
method (used by all frontends) are now forced to wait until the backend
initialisation is fully completed.
The rest concerns security updates. All passwords are now encrypted with
what we call a personal key (PK). This PK is randomly generated only
once per profile, and stored as a private individual value (a parameter
attached to the user, which the user can neither read nor modify). The PK
is itself encrypted with a new parameter (category "General", name
"Password"): the profile password (PP).
The PP is stored hashed in the database, so before retrieving the other
values (and before establishing the XMPP connection) you need to
authenticate your profile. Once that succeeds, the rest is transparent:
everything is decrypted in a chain starting from the PP.
A schema is available here: http://wiki.goffi.org/wiki/Encryption/en
On new account creation, this PP is left empty for local frontends, and
set to the value of the XMPP password for Libervia.
--> The database upgrade does the following: generates the PK for each
profile, encrypts the XMPP password with the PK, initialises the PP with
the plain XMPP password value and hashes it. So your PP defaults to your
XMPP password, and you need to type it to authenticate your profile. If
you want, you can change the PP to an empty value: no more prompt.
Libervia (and any future remote connection frontend) of course refuses
to connect with an empty PP.
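A worked model of this key chain, added here as an illustration and not SàT's own code: the upgrade step, profile authentication against the hashed PP, decryption of the XMPP password through the PK, and a PP change that re-wraps the same PK. The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), the PBKDF2 hashing and the record layout are assumptions, since the post does not name the project's choices.

```python
import hashlib, hmac, os, secrets

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, a stand-in for the project's real cipher (not on the page)
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def derive_key(password, salt):
    # PBKDF2 (assumed cost) serves as the stored PP hash and as the PK-wrapping key, distinct salts
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def upgrade_profile(xmpp_password):
    """DB upgrade for one profile: new PK, XMPP password encrypted with PK, PP := XMPP password."""
    pk, pp = secrets.token_bytes(32), xmpp_password
    hash_salt, wrap_salt = os.urandom(16), os.urandom(16)
    return {"pp_hash_salt": hash_salt, "pp_hash": derive_key(pp, hash_salt),
            "pk_salt": wrap_salt, "pk_enc": encrypt(derive_key(pp, wrap_salt), pk),
            "xmpp_password_enc": encrypt(pk, xmpp_password.encode("utf-8"))}

def authenticate(record, pp):
    """Profile authentication: verify the PP against its hash, then unwrap the PK (None on failure)."""
    if not hmac.compare_digest(record["pp_hash"], derive_key(pp, record["pp_hash_salt"])):
        return None
    return decrypt(derive_key(pp, record["pk_salt"]), record["pk_enc"])

def get_xmpp_password(record, pp):
    pk = authenticate(record, pp)  # the chain PP -> PK -> XMPP password; None for a wrong PP
    return None if pk is None else decrypt(pk, record["xmpp_password_enc"]).decode("utf-8")

def change_pp(record, old_pp, new_pp):
    """Changing the PP (e.g. to '' to drop the prompt) re-wraps the same PK; nothing else is touched."""
    pk = authenticate(record, old_pp)
    if pk is None:
        raise ValueError("wrong profile password")
    hash_salt, wrap_salt = os.urandom(16), os.urandom(16)
    record.update(pp_hash_salt=hash_salt, pp_hash=derive_key(new_pp, hash_salt),
                  pk_salt=wrap_salt, pk_enc=encrypt(derive_key(new_pp, wrap_salt), pk))
```

Note that an empty PP still hashes and derives a key, which is why a local frontend can clear it without breaking the chain, while a remote frontend should simply refuse it.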
Repercussions on memory methods:
- Memory.setParam now returns a Deferred
- Memory.asyncGetParamA decrypts the password when necessary; its
synchronous version Memory.getParamA fails on a password parameter
Repercussions on the bridge:
- asyncCreateProfile/asyncConnect take a new argument "password"
- asyncConnect returns a boolean (True = the connection was already
established, False = the connection has been initiated, failure = wrong
password)
Special note for jp. Option '-c' is no longer a flag but takes a string
defining the profile password:
- no '-c': same behavior as before, do not connect the profile
- '-c' with no following value: autoconnect and use the default
value '' as profile password
- '-c' with a following value: autoconnect and use that value as
profile password
Note that previous scripts may not work. For example, even if the
profile password for "test1" is empty:
jp disco -p test1 -c contact at host.net
must be changed to:
jp disco -p test1 -c -- contact at host.net
Otherwise, argparse will think that "contact at host.net" is the password
and that the target JID is missing.
Regards,
Adrien
More information about the dev mailing list