ragge

Open and globally settable network security


1. The networking security measures, meaning the client key, crypto algorithm, key exchange mechanisms, and whatever other things that apply, are undocumented, and there are reasons to believe that they haven't changed much for decades. How do I know that they are acceptable for my use? I believe that the mechanisms in use should be well documented and open for review by the user. I am only talking about an overview in textual form, though the actual source code would of course be even better.

 

2. The setting for network communication encryption should be a global one and not a separate setting for each client. It is very easy to forget to tick that box on a client. Maybe there should be an option for overriding the default setting on a client, but the default should be globally settable.

 

/ragge

 

 


If you use Link Encryption, then Retrospect uses the SimpleCrypt method of encryption which is described in detail in the knowledgebase.

 

As far as client security in general, a huge security overhaul was just completed on all client platforms, which is why we released updates to the client on all platforms. The new client adds a new internal layer of encryption to protect computer-specific details and client passwords. This is also why the new client does not work with old versions of Retrospect.

> If you use Link Encryption, then Retrospect uses the SimpleCrypt method of encryption which is described in detail in the knowledgebase.

 

Thanks! I haven't found any really detailed explanations, but from what I have found it seems it isn't very secure. The only mention of key handling that I have found seems really worrying, though it is hard to tell without any details.

 

Are there any plans to replace the over-the-network encryption with anything stronger?

 

> As far as client security in general, a huge security overhaul was just completed on all client platforms, which is why we released updates to the client on all platforms. The new client adds a new internal layer of encryption to protect computer-specific details and client passwords. This is also why the new client does not work with old versions of Retrospect.

 

That sounds very good! Will there be any documentation on how it works?

 

/ragge

 

 


I first want to thank you for being active in the support forum and answering users' questions! This is very positive, I think.

 

 

This is worrying information number one. Vernam crypto is, as far as I know, a one-time pad crypto. How that could be converted into cipher block chaining crypto and still be even the slightest bit secure is beyond my (rather limited) understanding. It also says that there are 4*10^9 different keys. That sounds like a ridiculously low number. I really don't want to be impolite or anything, but without further details, SimpleCrypt seems quite untrustworthy. There aren't many proprietary or homebrew crypto systems that actually stand up to a review. Especially not older ones. And even if the crypto algorithm in itself is quite good, implementors often make other mistakes in how keys are generated or handled, or other similar errors, that make it simple or trivial to crack.

 

A switch to AES or similar for network encryption would be a natural move, IMHO. A good key generation scheme is of course still needed.

 

 

But it says very little or nothing about how keys are generated or handled and such. This is rather a paper describing it from a user perspective.

 

> Documentation on the client security changes will be posted in our KB soon.

 

I am looking forward to that!

 

/ragge
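The two objections raised in the post above (a key space of about 4*10^9, i.e. 2^32, keys, and a "Vernam" cipher whose keystream is reused) can both be shown concretely. The block below is an added example and is not Retrospect's or SimpleCrypt's code; nothing is known here about how SimpleCrypt actually works, so it uses a hypothetical toy stream cipher whose only attack is exhaustive key search. The cipher, the constructed client header, and the key sizes are all assumptions for illustration. The known-plaintext search is run on a reduced 16-bit key so it finishes in seconds, but the attack code is identical for 32 bits; `estimate_full_search_seconds` measures the local rate and scales it up so the reader can see how long 2^32 takes on their own machine. The last function shows the classic two-time-pad leak: if a Vernam-style keystream is reused for two sessions, XORing the two ciphertexts yields the XOR of the two plaintexts without knowing the key at all.

```python
"""Added example, not Retrospect code: why 2^32 keys and keystream reuse are weak.

Toy cipher (hypothetical, NOT SimpleCrypt): an integer key seeds a SHA-256
counter keystream that is XORed with the plaintext. Its strength is exactly
its key space, so it is a fair stand-in for "any cipher with 4*10^9 keys".
"""
import hashlib
import secrets
import struct
import time
from typing import Optional


def keystream(key: int, length: int) -> bytes:
    """Counter-mode keystream derived from an integer key (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hashlib.sha256(struct.pack(">QQ", key, counter)).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Vernam-style XOR with the keystream; decryption is the same call."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def brute_force_key(ciphertext: bytes, known_prefix: bytes, key_bits: int) -> Optional[int]:
    """Known-plaintext attack: try every key in [0, 2**key_bits).

    Protocol messages usually start with a predictable header, so an
    attacker who sniffs one packet has the known prefix for free.
    """
    target = ciphertext[: len(known_prefix)]
    for candidate in range(1 << key_bits):
        if xor_bytes(target, keystream(candidate, len(target))) == known_prefix:
            return candidate
    return None


def estimate_full_search_seconds(key_bits: int, sample_bits: int = 10) -> float:
    """Time an exhaustive (non-matching) search over 2**sample_bits keys and
    scale it to 2**key_bits. Rough single-core pure-Python figure; optimized
    native code would be orders of magnitude faster than this."""
    # A 16-byte prefix of 0xff can never match a SHA-256 keystream XOR zeros
    # in practice, so the search runs to completion.
    start = time.perf_counter()
    brute_force_key(bytes(16), b"\xff" * 16, sample_bits)
    elapsed = time.perf_counter() - start
    return elapsed / (1 << sample_bits) * (1 << key_bits)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If the same keystream encrypted both messages, c1 XOR c2 == p1 XOR p2.

    The key cancels out, so a reused 'one-time' pad leaks plaintext structure
    with no key search at all.
    """
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample traffic: a fixed header followed by a secret payload.
    header = b"CLIENT-HELLO v1 "          # constructed, 16 bytes, assumed public
    secret_key = 0x1234                   # assumed 16-bit key for the demo
    message = header + b"password=hunter2"
    ciphertext = toy_encrypt(secret_key, message)

    recovered = brute_force_key(ciphertext, header, key_bits=16)
    print("recovered key:", hex(recovered), "->", toy_encrypt(recovered, ciphertext))
    print("estimated seconds to exhaust 2^32 keys here:",
          round(estimate_full_search_seconds(32), 1))

    # Keystream reuse: same key for two sessions (a fixed per-client key would do this).
    c_a = toy_encrypt(secret_key, b"backup set A: ok")
    c_b = toy_encrypt(secret_key, b"backup set B: ok")
    print("c_a XOR c_b:", two_time_pad_leak(c_a, c_b))  # equals the plaintext XOR

    # For contrast, a modern link key: 32 random bytes give a 2^256 space.
    print("AES-256-sized random key:", secrets.token_bytes(32).hex())
```

The printed estimate is what matters for the 4*10^9 figure: even interpreted Python exhausts 2^32 keys in a matter of hours on one core, and a native implementation on a GPU does it in minutes. A 256-bit key generated from the operating system's CSPRNG (as in the last line) puts the same attack beyond reach, which is the point of the AES suggestion; the key generation and distribution scheme still has to avoid the reuse shown by `two_time_pad_leak`.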


SimpleCrypt has been a proprietary encryption used by Retrospect for about 20 years. It is not as secure as AES, but no known hacks have ever taken place with this encryption method.

 

AES encryption is being considered for link encryption in future versions.

 

Right now Retrospect supports AES-256 encryption for backup set data and it has been certified by NIST. At the time of certification, Retrospect was (and may still be) the ONLY backup software with media encryption to meet the NIST standards.
