EncFS Security Audit (opens in new tab)

(defuse.ca)

84 pointsghubbard12y ago43 comments

43 comments

31 comments · 7 top-level

akerl_12y ago· 13 in thread

Does anybody have suggestions for an alternate tool? Preferably one that also encrypts at the file level so that it plays nice with Dropbox and similar services (while obviously providing more security).

nabla912y ago

I use Truerypt and Dropbox. They play well together.

ps. I have repeatedly encountered people who falsely assume that Truecrypt does not allow incremental backups with Dropbox. The thinking behind this seems to be assumption cipher-block chaining (CBC) is used. Truecrypt uses XTS mode.

mike-cardwell12y ago

Does Truecrypt sync changes when a file inside the container is changed, or when the container its self is unmounted? I seem to recall having issues with this a few years ago when I tried it out. Probably something to do with Truecrypt maintaining a filesystem lock or something?

Needless to say, with encfs on Dropbox, files are synced as soon as they are changed.

1 more reply

limmeau12y ago

I don't know whose thinking that is, but when I recommend against Truecrypt on Dropbox, it's because you can't auto-merge two diverging Truecrypt volumes even if the two changesets are unrelated.

rakoo12y ago

Here's a pretty good comparison table:

https://wiki.archlinux.org/index.php/Disk_Encryption#Compari...

tptacek12y ago

This is a frustrating table; it's got irrelevant details (like which of a variety of ciphers are supported) but nothing on what constructions and modes are used, which KDFs are supported, how nonces are handled, &c.

It would be one thing if all these systems used roughly the same XTS construction, like modern full disk encryption systems. But they don't; they use '90s constructions like block-addressed CBC.

akerl_12y ago

Yea, that's what I researched to initially get the idea to use EncFS. I forget why I discounted ecryptfs, it may be because that page doesn't make it look great for cross-platform support.

limmeau12y ago

ecryptfs is also file-level, though more difficult to set up. (The "e" is for "enterprise", so you spend time entering token into keyrings etc).

aroch12y ago

A truecrypted image can be incrementally backed up (changed blocks only)

phaer12y ago

GnuPG can encrypt files and is more secure.

onli12y ago

GnuG can not encrypt files while working on the decrypted files in parallel, can it? That is what I would mean with "working good with Dropbox".

1 more reply

zokier12y ago

Just use full-disk encryption, eg. dm-crypt.

akerl_12y ago

I do use full-disk encryption for my local disk as a whole, but for things inside syncing services like Dropbox, block-level encryption kills a number of the useful features and ends up wasting way more transfer to sync changes.

I know they could potentially do cute de-duping tricks on their end, similar to tarsnap, but even if they passed those space savings on to me I'd still lose the file-level features.

That's why I chose EncFS to begin with, and asked for potential other file-level tools to replace it. Realistically, I'd prefer if this expedited EncFS 2.0 and 2.0 fixed the noted issues.

1 more reply

icebraining12y ago

How does that play nice with Dropbox and similar services?

mmmooo12y ago· 5 in thread

> This report is the result of a paid 10-hour security audit

In just 10 hours? If really so color me impressed. I don't think I've been so productive in 10 hours, ever.

perlgeek12y ago

FWIW it looks to me like this mostly isn't a code review, more of a conceptual review of how stuff is done and stored.

I can imagine that's way faster than doing a thorough code review, though the number of results from 10 hours is still very impressive.

earthrise12y ago

Here's the rough process I followed when I did that audit:

https://defuse.ca/b/hwwW9d3FkPGhM4T6xBIbhf

I think the reason I found so much in only 10 hours is that I had a good set of guesses about what could be wrong, based on what I've seen people get wrong before. From there it was just a matter of prioritizing which guesses to check. I did look at a lot of the code, although it was mostly guess-checking combined with a closer look at the cryptography code.

Because the audit was so short, the quality of the report suffered (ASCII, some mistakes, some severity ratings that I no longer agree with, etc.). My priority was to find as many problems as possible in the amount of time I was given, and then sort that out later.

To answer some other replies: I always report unbilled hours (in this case none), since I think it's dishonest to say you worked less hours than you did. You would essentially be claiming to be more productive than you really are.

tptacek12y ago

That seems to be the case, but I couldn't find any rigorous documentation on the crypto EncFS uses, so I imagine even this level of review required code review (that's also the only way you get a finding like the timing-leaking MAC validator, though I dispute that finding's "Medium" severity and think it's sev:lo).

mmmooo12y ago

Some of it must have required at least some level of code review (e.g. (MACFileIO.cpp, Line 209)). Even so, between the review, and the writeup, etc, if the total 'billed hours' is really ~10, the rather large hourly rates I've seen for such audits do appear much more appetising, at least to me.

1 more reply

Serow22512y ago

Every consultancy/consultant/project is different, but it's unlikely that they sat down with the code at 10AM and sent the report out at 8PM. It's not uncommon for there to be some unbilled hours, for instance if the consultant ends up researching a new technique/vulnerability and they will be able to re-use the knowledge in other projects. So don't feel bad :)

albinoloverats12y ago· 2 in thread

Nice to see this kind of report, even if the conclusion is rather damning.

And it seems to suggest that using it with (something like) Dropbox is a bad idea too:

> EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times.

mysteriousllama12y ago

Boxcrypter uses EncFS. Combined with the vulnerabilities discussed in this audit, this is pretty bad.

icebraining12y ago

Boxcrypter uses EncFS.

Not anymore: https://forums.boxcryptor.com/topic/opening-linux-encfs-encr...

1 more reply

SEJeff12y ago· 2 in thread

Moral of the story... Use LUKS.

onli12y ago

How? EncFS is mainly used, at least by me, to store the encrypted files in Dropbox/X while working on the decrypted ones in parallel. Does LUKS support that? The Arch table linked above doesn't make it sound like that.

nodata12y ago

luks is block level, encfs is file level.

mrpdaemon12y ago· 1 in thread

Leaking the file size (Issue 2.2) is due to the way EncFS is architected to work at a file granularity. Adding some random bytes or rounding up to the next block size are small improvements but still leak approximate file size. I don't think anyone would like their 5KB file to occupy 2GB on disk so EncFS sacrifices some level of privacy for practicality. On the flip side this design tradeoff allows EncFS to be used somewhat effectively on top of cloud storage services like Dropbox/GoogleDrive etc. whereas full disk encryption schemes don't work as well.

klodolph12y ago

Issue 2.2 has nothing to do with leaking the file size. It has to do with the encryption algorithm used.

Most modern encryption schemes operate on blocks of a certain fixed size, but if the file isn't a multiple of the block size, you have to do something special with the last block. EncFS apparently uses some made-up scheme for this, instead of using something more standard and well-understood. The common choices would be padding and ciphertext stealing.

http://en.wikipedia.org/wiki/Ciphertext_stealing

fluidcruft12y ago· 1 in thread

Followup eCryptFS audit:

https://defuse.ca/audits/ecryptfs.htm

fulafel12y ago

Contradictory docs, ECB in filename encryption, sounds like nobody has even looked at this before... though maybe it doesn't have that many safe applications even from conceptual PoV, since all metadata is leaked.

ghubbardOP12y ago

What is the current state of EncFS development? The last official release seems to have been in November 2010. Are any of the issues raised by this audit being addressed?

j / k navigate · click thread line to collapse

43 comments

31 comments · 7 top-level

akerl_12y ago· 13 in thread

nabla912y ago

I use Truerypt and Dropbox. They play well together.

mike-cardwell12y ago

Needless to say, with encfs on Dropbox, files are synced as soon as they are changed.

1 more reply

limmeau12y ago

I don't know whose thinking that is, but when I recommend against Truecrypt on Dropbox, it's because you can't auto-merge two diverging Truecrypt volumes even if the two changesets are unrelated.

rakoo12y ago

Here's a pretty good comparison table:

https://wiki.archlinux.org/index.php/Disk_Encryption#Compari...

tptacek12y ago

It would be one thing if all these systems used roughly the same XTS construction, like modern full disk encryption systems. But they don't; they use '90s constructions like block-addressed CBC.

akerl_12y ago

Yea, that's what I researched to initially get the idea to use EncFS. I forget why I discounted ecryptfs, it may be because that page doesn't make it look great for cross-platform support.

limmeau12y ago

ecryptfs is also file-level, though more difficult to set up. (The "e" is for "enterprise", so you spend time entering token into keyrings etc).

aroch12y ago

A truecrypted image can be incrementally backed up (changed blocks only)

phaer12y ago

GnuPG can encrypt files and is more secure.

onli12y ago

GnuG can not encrypt files while working on the decrypted files in parallel, can it? That is what I would mean with "working good with Dropbox".

1 more reply

zokier12y ago

Just use full-disk encryption, eg. dm-crypt.

akerl_12y ago

I know they could potentially do cute de-duping tricks on their end, similar to tarsnap, but even if they passed those space savings on to me I'd still lose the file-level features.

That's why I chose EncFS to begin with, and asked for potential other file-level tools to replace it. Realistically, I'd prefer if this expedited EncFS 2.0 and 2.0 fixed the noted issues.

1 more reply

icebraining12y ago

How does that play nice with Dropbox and similar services?

mmmooo12y ago· 5 in thread

> This report is the result of a paid 10-hour security audit

In just 10 hours? If really so color me impressed. I don't think I've been so productive in 10 hours, ever.

perlgeek12y ago

FWIW it looks to me like this mostly isn't a code review, more of a conceptual review of how stuff is done and stored.

I can imagine that's way faster than doing a thorough code review, though the number of results from 10 hours is still very impressive.

earthrise12y ago

Here's the rough process I followed when I did that audit:

https://defuse.ca/b/hwwW9d3FkPGhM4T6xBIbhf

tptacek12y ago

mmmooo12y ago

1 more reply

Serow22512y ago

albinoloverats12y ago· 2 in thread

Nice to see this kind of report, even if the conclusion is rather damning.

And it seems to suggest that using it with (something like) Dropbox is a bad idea too:

> EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times.

mysteriousllama12y ago

Boxcrypter uses EncFS. Combined with the vulnerabilities discussed in this audit, this is pretty bad.

icebraining12y ago

Boxcrypter uses EncFS.

Not anymore: https://forums.boxcryptor.com/topic/opening-linux-encfs-encr...

1 more reply

SEJeff12y ago· 2 in thread

Moral of the story... Use LUKS.

onli12y ago

nodata12y ago

luks is block level, encfs is file level.

mrpdaemon12y ago· 1 in thread

klodolph12y ago

Issue 2.2 has nothing to do with leaking the file size. It has to do with the encryption algorithm used.

http://en.wikipedia.org/wiki/Ciphertext_stealing

fluidcruft12y ago· 1 in thread

Followup eCryptFS audit:

https://defuse.ca/audits/ecryptfs.htm

fulafel12y ago

ghubbardOP12y ago

What is the current state of EncFS development? The last official release seems to have been in November 2010. Are any of the issues raised by this audit being addressed?

j / k navigate · click thread line to collapse