How does Weave use Cryptography?

I’m back from the EU MozCamp in Prague and we all had a great time! Check out the slides from my talks: Labs Overview and Weave in Depth.

A few people at the MozCamp were interested in Weave’s use of cryptography to protect the user’s data and privacy. Although the specs for the Weave server are available, it may take someone new a while to wrap their head around the whole scheme. I’m going to attempt explaining what crypto operations we do and why we do it in this blog post.

First, let’s get some basic definitions out of the way. Symmetric cryptography means you have one key that can perform both encryption and decryption, and they are complementary operations. For Weave, we use AES with a 256 bit key, and we use it in a mode that requires an ‘initialization vector’ for every decryption. Asymmetric cryptography means there’s a pair of keys (usually called ‘public’ and ‘private’ keys). A piece of text “encrypted” by one key can only be “decrypted” by the other key. Here, we use RSA with a 2048 bit private key.

So, when a user first signs up for Weave using the wizard on their computer, we generate a (random) pair of public and private keys. Next, we use the user’s passphrase to create a symmetric key. This is done using a pretty standard algorithm known as PBKDF2 (short for “Password Key Derivation Function”). The PBKDF2 algorithm requires a ’salt’ value which is also stored on the server. Now that we have a symmetric key, we use it to encrypt the user’s private key and upload it along with the public key to the server. Note that the passphrase is never sent to the server, so if the user’s password ever gets compromised all the attacker can get is their encrypted private key, which really isn’t of much use (especially given that the key is 2048 bits long).

Whenever a particular “engine” is to be synchronized (an engine could be Tabs, Bookmarks, History etc.) we generate a random symmetric key for that engine. This key is then encrypted using the user’s public key (now, one can only retrieve the original symmetric key with the corresponding private key) and uploaded as being associated with a particular engine. All entries (the ‘ciphertext’ property in a “Weave Basic Object”) in that engine are encrypted with the symmetric key that was generated for it.

To make things clear, let’s enumerate the steps we would take to decrypt a single tab object for user ‘foo’:

  1. Find the user’s cluster by making a GET request to https://services.mozilla.com/user/1/foo/node/weave. It returns https://sj-weave06.services.mozilla.com/.
  2. Fetch the user’s encrypted private key and public key from https://sj-weave06.services.mozilla.com/0.5/foo/storage/keys/privkey and https://sj-weave06.services.mozilla.com/0.5/foo/storage/keys/pubkey respectively. The user’s password is required to access these JSON objects.
  3. Ask the user for their passphrase and generate a 256 bit symmetric key from it using PBKDF2 and the ’salt’ found in the privkey object.
  4. Use the generated symmetric key and the initialization vector found in the ‘iv’ property of the privkey object to decrypt the user’s private key.
  5. Fetch the user’s encrypted tab objects from https://sj-weave06.services.mozilla.com/0.5/foo/storage/tabs/?full=1.
  6. Fetch the corresponding symmetric key (the URL is also listed in the “encryption” property of every WBO), in this case https://sj-weave06.services.mozilla.com/0.5/foo/storage/crypto/tabs.
  7. Decrypt the symmetric key with the user’s private key.
  8. Use the decrypted symmetric key to decrypt any WBO from the tabs collection with the initialization vector found in the ‘bulkIV’ property of the tabs symmetric key WBO.
  9. Profit.

A word about the formats in which the keys are actually stored in. All values are Base64. For symmetric keys, the key is stored as-is. For asymmetric keys, I wish we used a standard format like PKCS#12, but we don’t. It’s still ASN.1 though, in some format NSS exports private keys in. You need to do a bit of ASN.1 parsing to figure out the values you’re interested in.

Fortunately, I’ve already figured out most of the details for you – check out my Javascript or PHP implementations of the crypto elements required to decrypt Weave Basic Objects.

Finally, a quick note about why we do all this. Sharing is now reasonably easy, if you want to share your bookmarks with someone, you just need to encrypt the corresponding symmetric key with their public key and they’re good to go. Also, each WBO has it’s own ‘encryption’ property so this can be as granular as needed. Secondly, the passphrase is never stored anywhere (except possibly on the user’s computer) so the server never sees anything other than encrypted blobs of Base64′ed text. Along with making HTTPS mandatory, we think this is a pretty secure way of protecting the user’s data.

If you have other encryption schemes that might fit into Weave’s use cases please let us know! (We’ve already been looking at interesting developments in this area such as Tahoe). I’d also love to hear from you if you have any questions on our current cryptography scheme. We’re constantly trying to improve the security and efficiency of our system so these details are only valid until we change our scheme :-)

Now, go write that third-party Weave client, you have no excuse not to!

Posted by Anant on October 11th, 2009 in FOSS, Mozilla, Programming | 9 Comments

9 Responses

  1. Anonymous remarks on October 12th, 2009 at 7:44 am

    Have you considered supporting a model in which the user’s private key does *not* get stored on the server, but instead gets sneakernetted between the user’s systems? You could still encrypt it with a symmetric key generated from a passphrase, as an added security measure against key compromise, but by not storing it on the server, you avoid the possibility of a passphrase dictionary attack by someone who doesn’t have the key.

    I realize that this model doesn’t prove quite as easy to use for the average user, but for the technically inclined user willing to go to a little extra trouble for security, it seems useful to support.

    Massive bonus points if you support integrating this with the user’s existing GPG key; you could use that to encrypt the Weave private key.

  2. Anonymous remarks on October 12th, 2009 at 7:51 am

    By the way, thank you for your in-depth explanation of Weave’s crypto. I’ve seen overviews before, but you provide several useful details I didn’t know yet.

    I wonder if you would mind explaining one other thing about Weave that I’ve wondered strongly about:

    How does Weave interact with “clear recent history”? If I want to wipe out my last X hours of browsing history, cookies, etc, then how does Weave deal with that? Does it preserve any information? Will other clients properly forget this information as well?

    I assume that Weave does a sensible job if I use Private Browsing mode, and it doesn’t save any information from a Private Browsing session. I’d just like to know what happens if I browse normally and clear recent history afterward.

    Thanks.

  3. Gerv remarks on October 12th, 2009 at 12:32 pm

    I installed Weave recently, and have been really pleased with it.

    But IMO Weave really needs to find a way of only needing one password. Use the hash of one as the other one, split the given password into two halves – whatever. But making people supply both a password and a passphrase is weird and counter-intuitive, and it more than doubles the chance of people forgetting something important.

    Gerv

  4. Anant remarks on October 12th, 2009 at 4:50 pm

    @Anonymous: We have considered providing support for custom user keys, though the focus right now is on a stable and reliable 1.0 release. As for how Weave interacts with “clear recent history”, your history might get synced but the entries will quickly be deleted on the next cycle (the action of clearing recent history would trigger a sync).

    @Gerv: We’re definitely thinking about deriving the password from the passphrase. thunder has been working on a spec: it’s available at https://wiki.mozilla.org/Labs/Weave/WEP/100 (Comments welcome!)

  5. voracity remarks on October 13th, 2009 at 12:11 pm

    I may have misunderstood but does that mean if you share your symmetric key (e.g. for bookmarks) with someone, you can’t revoke it later without regenerating the symmetric key for that component?

  6. Smörgåsbord » Weave: Browser bookmark & password syncing The Right Way remarks on October 18th, 2009 at 1:46 pm

    [...] Details on Weave’s crypto [...]

  7. Mozilla’s Weave and cryptography. « My Blog remarks on October 21st, 2009 at 3:04 pm

    [...] Unfortunately, I didn’t even try building the component due to lack of time. But before bringing my little exploration to a halt, I tried to find some more information about how their cryptography module is utilized by the Weave extension but I didn’t had any luck. However, after a month or so, a friend of mine passed me this wonderful link: How does Weave use Cryptography? [...]

  8. Le blog de Xavier … » Blog Archive » Quoi de neuf cette semaine … remarks on January 16th, 2010 at 11:34 am

    [...] me semble avoir été traitée correctement (pour les curieux et les paranoïaques c’est ICI). Petit rappel : Weave permet de synchroniser bookmarks, historique, mots de passe et paramétrage [...]

  9. Alexander Kriegisch remarks on January 30th, 2010 at 4:23 pm

    I suggest that you or one of your peers create one or more illustrative pics explaining the above article more comprehensively. I know quite something about crypto, but many other uses do not. The illustration could be similar to a UML sequence diagram (http://en.wikipedia.org/wiki/Sequence_diagram) and show which steps happen on the client vs. server side. Who en-/decrypts what, where and when?

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.