Hacker News new | past | comments | ask | show | jobs | submit login

Is there a detailed description of the security goals and crypto rationale anywhere?

For example, it seems that if you use scrypt then you get fully authenticated encryption: the message must have come from somebody who knows the password (either a trusted user or you chose a weak password). But if you use X25519 then the scheme used is ECIES, so no sender authentication, only IND-CCA security.

The format document says that if you want “signing“ then use minisign/signify, but I suspect most people want origin authentication. We know that it is actually quite hard to obtain public key authenticated encryption [1] from generic composition of signatures and encryption, with many subtle details. It would be better if age supported this directly for X25519 as it does for scrypt. Unfortunately, you can’t simply use a static key pair to achieve this (as in nacl’s box) as age uses a zero nonce to encrypt the file key with chacha20-poly1305 so reusing a static key will result in nonce reuse. (This seems a bit fragile).

[1]: https://eprint.iacr.org/2001/079

An example of why I think this is important. Adam Langley’s post that is linked from the spec [1] talks about cases where people want to do things like:

    decrypt file | tar xz
Elsewhere in these comments somebody also mentioned the case of

    decrypt file | sh
Presumably the whole point of implementing the STREAM online AEAD mode is to support these kinds of cases; only releasing chunks of plaintext after verification.

But these use-cases are only secure in age when using the scrypt decryption option or if you have first verified a signature over the entire age-encrypted archive (killing the streaming use-case). The reason is that the X25519 age variant provides no sender authentication at all, and so an attacker doesn’t need to tamper with the archive: they can just generate their own ephemeral key pair and replace the entire thing with data of their choosing. Age has no way of detecting such an attack.

You absolutely need origin/sender authentication built directly into the tool to handle these cases securely.

[1]: https://www.imperialviolet.org/2014/06/27/streamingencryptio...

I wrote up some more detailed notes here: https://neilmadden.blog/2019/12/30/a-few-comments-on-age/

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact