[SàT dev] [EN] security update (password encryption)

Adrien souliane at mailoo.org
Fri 16 May 09:48:50 CEST 2014


Hi,

Yesterday we pushed some important updates to the repository, including 
a database version upgrade. If you are using the development version:

--> Be sure to make a copy of sat.db before you upgrade SàT.

There was a remaining initialisation issue, reproducible under certain 
circumstances, which has been fixed. Libervia and the "asyncConnect" 
method (used by all frontends) are now forced to wait until the backend 
initialisation is fully completed.

The rest concerns security updates. All passwords are now encrypted with 
what we call a personal key (PK). This PK is randomly generated only 
once per profile, and stored as a private individual value (a parameter 
concerning the user, but one the user cannot access or modify). The PK is 
itself encrypted with a new parameter (category "General", name 
"Password"): the profile password (PP).

The PP is stored hashed in the database, so before retrieving the other 
values (and also before establishing the XMPP connection) you need to 
authenticate your profile. If authentication succeeds, the rest is 
transparent, as everything can be decrypted (in chain) from the PP.

See here a schema about it: http://wiki.goffi.org/wiki/Encryption/en

On new account creation, this PP is left empty for local frontends, and 
set to the value of the XMPP password for Libervia.

--> The database upgrade does the following: generate the PK for each 
profile, encrypt the XMPP password with the PK, initialise the PP with 
the XMPP password plain value and hash it. So your PP defaults to the 
XMPP password, and you need to type it to authenticate your profile. If you 
want, you can change the PP to an empty value: no more prompt. Libervia 
(and any future remote connection frontend) of course refuses to connect 
with an empty PP.
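As an added illustration of the chain described above (hashed PP, PK wrapped under the PP, XMPP password encrypted under the PK) and of the described database upgrade, here is a constructed stand-alone model. It is not SàT's code: the real cipher, key derivation and parameter storage are not shown in this mail, so the cipher below (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) and the PBKDF2 iteration count are assumptions chosen only so the example runs with nothing but the standard library.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of the PP -> PK -> XMPP-password chain. Not SàT's code:
# cipher, KDF parameters and storage layout below are assumptions.
KDF_ITERATIONS = 50_000  # assumed value, not SàT's setting

def hash_pp(pp, salt=None):
    """Profile password as stored in the DB: 'salt$digest' (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pp.encode(), salt, KDF_ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def check_pp(pp, stored):
    """Constant-time comparison of a typed PP against the stored hash."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hash_pp(pp, bytes.fromhex(salt_hex)).split("$")[1]
    return hmac.compare_digest(candidate, digest_hex)

def pp_key(pp, kdf_salt):
    """Key that wraps the PK. It uses its own salt, so the stored hash of the
    PP can never double as the decryption key."""
    return hashlib.pbkdf2_hmac("sha256", pp.encode(), kdf_salt, KDF_ITERATIONS)

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key, plaintext):
    """nonce || ciphertext || tag, with a fresh nonce per call."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    """Check the tag before decrypting: a wrong key or a tampered blob raises
    instead of silently yielding garbage."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def create_profile(pp, xmpp_password):
    """PK generated once per profile; PK wrapped under the PP; XMPP password
    encrypted under the PK."""
    pk = secrets.token_bytes(32)
    kdf_salt = os.urandom(16)
    return {
        "pp_hash": hash_pp(pp),
        "kdf_salt": kdf_salt,
        "pk_encrypted": encrypt(pp_key(pp, kdf_salt), pk),
        "xmpp_password_encrypted": encrypt(pk, xmpp_password.encode()),
    }

def upgrade_legacy_profile(xmpp_password_plain):
    """Mirror of the described DB upgrade: the PP starts as the XMPP password."""
    return create_profile(xmpp_password_plain, xmpp_password_plain)

def authenticate(profile, pp):
    """Walk the chain and return the XMPP password, or None on a wrong PP."""
    if not check_pp(pp, profile["pp_hash"]):
        return None
    pk = decrypt(pp_key(pp, profile["kdf_salt"]), profile["pk_encrypted"])
    return decrypt(pk, profile["xmpp_password_encrypted"]).decode()

def change_pp(profile, old_pp, new_pp):
    """Re-wrap the PK under the new PP; the XMPP password ciphertext is untouched."""
    if not check_pp(old_pp, profile["pp_hash"]):
        return False
    pk = decrypt(pp_key(old_pp, profile["kdf_salt"]), profile["pk_encrypted"])
    profile["kdf_salt"] = os.urandom(16)
    profile["pp_hash"] = hash_pp(new_pp)
    profile["pk_encrypted"] = encrypt(pp_key(new_pp, profile["kdf_salt"]), pk)
    return True

if __name__ == "__main__":
    migrated = upgrade_legacy_profile("xmpp-secret")   # constructed sample
    print(authenticate(migrated, "xmpp-secret"))        # PP defaults to the XMPP password
    change_pp(migrated, "xmpp-secret", "")               # drop the prompt, as the mail allows
    print(authenticate(migrated, ""))
```

Two points the model makes visible: changing the PP only re-wraps the PK, so the XMPP password ciphertext never needs rewriting; and with an empty PP the chain still "works" but the hash and KDF protect nothing, which is why a remote frontend such as Libervia refuses an empty PP.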

Repercussions on memory methods:
     - Memory.setParam now returns a Deferred
     - Memory.asyncGetParamA eventually decrypts the password; its 
       synchronous version Memory.getParamA would fail on a password parameter

Repercussions on the bridge:
     - asyncCreateProfile/asyncConnect take a new argument "password"
     - asyncConnect returns a boolean (True = the connection was already 
       established, False = the connection has been initiated, failure = wrong 
       password)

Special note for jp. Option '-c' is no longer a flag but a string that 
defines the profile password:
     - no '-c': same behavior as before, do not connect the profile
     - '-c' with no following value: autoconnect and use the default 
       value '' as profile password
     - '-c' with a following value: autoconnect and use that value as 
       profile password

Note that previous scripts may not work. For example, even if the 
profile password for "test1" is empty:
   jp disco -p test1 -c contact@host.net
must be changed to:
   jp disco -p test1 -c -- contact@host.net
Otherwise, argparse will take "contact@host.net" to be the profile password 
and report that the target JID is missing.
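The parsing behaviour behind that note, as an added example that is not jp's own argument definition: a constructed argparse stand-in where only the option names '-p' and '-c' come from the mail. It reproduces the three '-c' cases and shows why the bare "-c JID" form now swallows the JID as the password while "-c -- JID" does not.

```python
import argparse

# Constructed stand-in for jp's parser (not the project's code); '-p' and '-c'
# are the only names taken from the mail.
def build_parser():
    parser = argparse.ArgumentParser(prog="jp-demo")
    parser.add_argument("-p", "--profile")
    # nargs="?" with const="" yields the three described behaviours:
    # option absent -> None; bare "-c" -> ""; "-c VALUE" -> VALUE
    parser.add_argument("-c", "--connect", nargs="?", const="", default=None,
                        metavar="PROFILE_PASSWORD")
    parser.add_argument("jid", nargs="?")
    return parser

def connection_plan(argv):
    """Return (autoconnect, profile_password, jid) for a jp-style argv."""
    ns = build_parser().parse_args(argv)
    return ns.connect is not None, ns.connect, ns.jid

if __name__ == "__main__":
    for argv in (["-p", "test1", "-c", "contact@host.net"],          # JID eaten as password
                 ["-p", "test1", "-c", "--", "contact@host.net"],    # '--' ends the options
                 ["-p", "test1", "-c", "s3cret", "contact@host.net"],
                 ["-p", "test1", "contact@host.net", "-c"]):         # bare -c after the JID
        print(argv, "->", connection_plan(argv))
```

Putting the JID before a bare '-c' also avoids the ambiguity, but '--' is the explicit and script-safe form.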

Regards,
Adrien