[guardian-dev] Remote wipe for CacheWord?

Michael Rogers michael at briarproject.org
Wed Sep 10 08:05:01 EDT 2014



Hi all,

I've been thinking about a way to implement remote wipe for mobile
apps with encrypted local storage. The idea isn't suitable for Briar
because it requires internet access, but I thought it might be a
useful addition to CacheWord. Probably someone's already thought of a
better way to do this, in which case please ignore this message.

Briefly, the idea is to derive the storage encryption key from three
things: something the user knows (a password), something stored on the
device, and something stored in the cloud. By revoking access to the
thing stored in the cloud, the user or someone they trust can deny
access to the encrypted local storage, even if the adversary has
access to the device and everything the user knows.

We need a cloud service that supports three API methods: create, get
and delete. The API is accessed over HTTPS with certificate pinning.

The create method generates a random username, password and nonce,
stores them on the server, and returns them to the client. This method
is used when the app creates its encrypted local storage.

The get method takes a username and password and returns the
corresponding nonce to the client if the username and password are
valid. This method is used when the app unlocks its encrypted local
storage.

The delete method takes a username and password and deletes the
corresponding nonce if the username and password are valid. This
method is used by the user or someone they trust to deny access to the
app's encrypted local storage.

There are various ways to derive the storage encryption key from the
password, the nonce and something stored on the device. Two simple
ways spring to mind:

1. Use the nonce as the PBKDF salt (not stored on the device). Use the
PBKDF-derived key to encrypt and authenticate the storage key.

2. XOR the PBKDF-derived key with the nonce, and use the resulting key
to encrypt and authenticate the storage key.

Either way, an adversary without access to the nonce can't tell
whether they've got the correct password.

The get method could optionally be used to back up the nonce before
wiping, in which case the storage could be 'unwiped'. But that creates
new risks for whoever holds the backup.

Cheers,
Michael
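The two key-derivation options above, worked through as an added example (my code, not Michael's and not CacheWord's); the toy wrap construction, the parameter names and the sizes are assumptions:

```python
import hashlib, hmac, os

# Added example; the toy wrap construction (HMAC-SHA256 keystream + HMAC tag),
# names and sizes are assumptions, not CacheWord's implementation.
ITER = 100_000

def wrap_key_from(password: bytes, nonce: bytes, device_salt: bytes, method: int) -> bytes:
    """Derive the 32-byte key that wraps the storage key, using option 1 or 2."""
    if method == 1:
        # Option 1: the cloud nonce is the PBKDF salt, so no salt lives on the device.
        return hashlib.pbkdf2_hmac("sha256", password, nonce, ITER)
    # Option 2: PBKDF with a device-stored salt, then XOR the result with the nonce.
    k = hashlib.pbkdf2_hmac("sha256", password, device_salt, ITER)
    return bytes(a ^ b for a, b in zip(k, nonce))

def _subkeys(wrap_key: bytes):
    return (hmac.new(wrap_key, b"enc", hashlib.sha256).digest(),
            hmac.new(wrap_key, b"mac", hashlib.sha256).digest())

def wrap(storage_key: bytes, wrap_key: bytes) -> bytes:
    """Encrypt and authenticate a 32-byte storage key: iv || ciphertext || tag."""
    enc_key, mac_key = _subkeys(wrap_key)
    iv = os.urandom(16)
    stream = hmac.new(enc_key, iv, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(storage_key, stream))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def unwrap(blob: bytes, wrap_key: bytes):
    """Return the storage key, or None if the tag fails (wrong password or no nonce)."""
    enc_key, mac_key = _subkeys(wrap_key)
    iv, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None
    stream = hmac.new(enc_key, iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def demo(method: int) -> dict:
    """Create storage, then unlock with the nonce, and without it after a remote wipe."""
    storage_key, nonce, device_salt = os.urandom(32), os.urandom(32), os.urandom(16)
    password = b"correct horse"  # constructed sample password
    blob = wrap(storage_key, wrap_key_from(password, nonce, device_salt, method))
    guess = os.urandom(32)  # nonce deleted server-side; an attacker can only guess it
    return {
        "owner_unlocks": unwrap(blob, wrap_key_from(password, nonce, device_salt, method)) == storage_key,
        "right_pw_no_nonce": unwrap(blob, wrap_key_from(password, guess, device_salt, method)),
        "wrong_pw_no_nonce": unwrap(blob, wrap_key_from(b"wrong", guess, device_salt, method)),
    }
```

Both nonce-less attempts fail the tag check in the same way under either option, which is the property the "Either way" sentence relies on: once the nonce is deleted, the wrapped blob gives no signal about whether the password guess was right.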
