ragge Posted July 8, 2008 Report Share Posted July 8, 2008 1. The networking security measures, meaning the client key, crypto algorithm, key exchange mechanisms, and whatever other things that apply, are undocumented, and there are reasons to believe that they haven't changed much for decades. How do I know that they are acceptable for my use? I believe that the mechanisms in use should be well documented and open for review by the user. I am only talking about an overview in textual form, though the actual source code would of course be even better. 2. The setting for network communication encryption should be a global one and not a separate setting for each client. It is very easy to forget to tick that box on a client. Maybe there should be an option for overriding the default setting on a client, but the default should be globally settable. /ragge Quote Link to comment Share on other sites More sharing options...
Mayoff Posted July 8, 2008 Report Share Posted July 8, 2008 If you use Link Encryption, then Retrospect uses the SimpleCrypt method of encryption which is described in detail in the knowledgebase. As far as client security in general, a huge security overhall was just completed to all client platforms, which is why we released updates to the client on all platforms. The new client adds a new internal layer of encryption to protect computer specific details and client passwords. This is also why the new client does not work with old versions of Retrospect. Quote Link to comment Share on other sites More sharing options...
ragge Posted July 9, 2008 Author Report Share Posted July 9, 2008 If you use Link Encryption, then Retrospect uses the SimpleCrypt method of encryption which is described in detail in the knowledgebase. Thanks! I haven't found any really detailed explanations, but from what I have found it seems it isn't very secure. The only mention of key handling that I have found seems really worrying, though it is hard to tell without any details. It there any plans to replace the over-the-network encryption with anything stronger? As far as client security in general, a huge security overhall was just completed to all client platforms, which is why we released updates to the client on all platforms. The new client adds a new internal layer of encryption to protect computer specific details and client passwords. This is also why the new client does not work with old versions of Retrospect. That sounds very good! Will there be any documentation on how it works? /ragge Quote Link to comment Share on other sites More sharing options...
Mayoff Posted July 9, 2008 Report Share Posted July 9, 2008 Please see: http://kb.dantz.com/article.asp?article=6479&p=2 http://kb.dantz.com/article.asp?article=1147&p=2 Documentation on the client security changes will be posted in our KB soon. Quote Link to comment Share on other sites More sharing options...
ragge Posted July 10, 2008 Author Report Share Posted July 10, 2008 I first want to thank you for being active in the support forum and answer user's questions! This is very positive, I think. Please see:http://kb.dantz.com/article.asp?article=6479&p=2 This is worrying information number one. Vernam crypto is, as far as I know, a one time pad crypto. How that could be converted into cipher block chaining crypto and still be even the slightest secure is beyond my (rather limited) understanding. It also says that there are 4*10^9 different keys. That sounds like a ridiculously low number. I really don't want to be impolite or anything, but without further details, Simplecrypt seems quite untrustworthy. There aren't many proprietary or homebrew crypto systems that actually stand a review. Especially not older ones. And even if the crypto algorithm in itself is quite good, implementors often do other mistakes in how keys are generated or handled, or other similar errors, that makes it simple or trivial to crack. A switch to AES or similar for network encryption would be a natural move, IMHO. A good key generation scheme is of course still needed. http://kb.dantz.com/article.asp?article=1147&p=2 But is says very little or nothing about how keys are generated or handled and such. This is rather a paper describing it from a user perspective. Documentation on the client security changes will be posted in our KB soon. I am looking forward to that! /ragge Quote Link to comment Share on other sites More sharing options...
Mayoff Posted July 10, 2008 Report Share Posted July 10, 2008 Simple Crypt has been a proprietary encryption used by Retrospect for about 20 years. It is not as secure as AES but no know hacks have ever taken place with this encryption method. AES encryption is being considered for link encryption in future versions. Right now Retrospect supports AES-256 encryption for backup set data and it has been certified by NIST. At the time of certification, Retrospect was (and may still be) the ONLY backup software with media encryption to meet the NIST standards. Quote Link to comment Share on other sites More sharing options...
Mayoff Posted July 17, 2008 Report Share Posted July 17, 2008 Documentation on the client security changes will be posted in our KB soon. http://kb.dantz.com/article.asp?article=9692&p=2 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.