tl;dr Drastic changes to Sync have been proposed, including to the
end-to-end security model. A series of posts will detail the main areas
for change and call for feedback to help shape these changes. This
specific post details how the security model of Sync will change to
support integration with Persona.
---
2012 is shaping up to be a significant year for Sync! We have a number
of important decisions to make and would like to collect as much
feedback as possible to help shape the direction of this important feature.
The topic is split into multiple posts to make the discussion easier to
follow. This part focuses on integrating Sync with Persona (Persona is
the Mozilla instance of the BrowserID authentication protocol). But
first, an overview.
Context for Change
==================
The subjects in these posts are driven by a number of factors.
First, we have the user experience of Sync. It's hard to use. User
studies have shown that many people don't grok the Sync setup and
pairing process (especially the latter). This is partially a side-effect
of the original design of Sync, which placed security and user
sovereignty over their data as the main goals (more important than user
experience).
Second, a new "sign in to the browser" feature is on the roadmap [1].
We believe it is in the best interest of the majority of our users to
have Sync "just work" with that. Furthermore, we believe that "sign in
to the browser" without Sync isn't a very compelling feature.
Third, the Services team is working on the next version of the storage
service used by Sync — version 2.0 [2]. This version addresses a number
of deficiencies with the current 1.1 version of the server and is
necessary to provide a better feature.
Fourth, there are a number of warts in Sync's current implementation
that we have been itching to correct. Some of these are backwards
incompatible and so we have been holding off until an opportunity arises
to address them without additional impact.
Persona Integration
===================
The solution we propose to address the user experience deficiencies and
integration with "sign in to the browser" is integration with Persona
(BrowserID). Persona integration will involve two separate, but related
changes: how users authenticate with the Sync server and how the root
Sync encryption key is managed.
Sync Today
==========
To better understand the proposal, it will help to have an understanding
of how Sync works today.
When you initially sign-up for Sync, you create a Mozilla Services
account by specifying an email address and password. We call this
username and password your Sync credentials. All communication with the
Sync server is secured via TLS (HTTPS). All HTTP requests use HTTP Basic
Auth with your Sync credentials to prevent unauthorized access to your
server-stored data. This methodology should be familiar to anyone who
has had experience running an HTTP server.
Now, it gets more complicated.
When you create your Sync account, your machine generates a
cryptographically-secure 128-bit random number. We refer to this 128-bit
random number as your Sync Key.
We use HKDF [3] on your Sync Key to derive two 256-bit keys. One of
these keys is used for symmetric AES-256 encryption; the other for
HMAC-SHA256 message verification. I will spare you from all the
low-level details. Just know that *all* user data is encrypted *locally*
with this key pair (or similar full-entropy 256-bit key pairs) then
uploaded to the Sync server. All encrypted data on the server is chained
to your 128-bit Sync Key. All encrypted data on the server is encrypted
with full-entropy 256-bit keys. Full technical details are available at [4].
Your Sync Key or the derived pair of 256-bit keys is *never* transmitted
to the Sync server or Mozilla (at least in any form they can read — more
later). This means that the Sync server can withstand a full data breach
with only minimal metadata being compromised. The most someone with the
data could ascertain would be modified times, record counts, sizes,
access times, etc. The unencrypted IDs of records on the server are
randomly generated on the client, so even they can't be used to
determine what a specific records corresponds to. Cracking your data
would require a brute-force attack over 128 bits of permutations. This
is statistically impossible.
In short, you need the 128-bit Sync Key to read data stored on the server.
The Sync Key is 128 bits for historical reasons. In the old days of
Sync, people needed to manually type their Sync Key to pair devices. We
use a modified base32 encoding for Sync Key presentation purposes (to
prevent character confusion and so there are no capital characters to
worry about). This requires 26 characters. If we used a 256 bit key,
that would require 52 characters. And, if we wanted a pair of 256 bit
keys, that would require 104 characters! 26 characters was the most we
wanted to ask our users to type, so we have a 128-bit root key.
We thought we could do better on the user experience front, so we
introduced J-PAKE for the pairing setup [5]. With J-PAKE, the user is
presented 12 random characters. These 12 characters (a one-time transfer
code) are entered on another device and the two machines create an
encrypted channel between them (through a central brokering server). The
Sync credentials, Sync Key, and server info are transmitted to the other
client and the new device is paired. Even though data passes through a
central brokering server (which is typically operated by Mozilla), data
is encrypted end-to-end, so even the server can't see what's passing
through. i.e., the Sync Key is not made available to any other party.
With J-PAKE, the user needs to enter only 12 characters instead of 26.
The Sync Key is also hidden from the user (which is good, because we
find that some users do things like email the Sync Key or upload it to
an unencrypted cloud storage service, undermining the security of Sync
in the process). One downside is users need to have simultaneous access
to both devices for the pairing. This isn't always possible. Also,
people are confused by it. They just don't understand what is going on.
Passwords they get. One-time pairing sequences, not so much. Of course,
users still have the option to transpose the key manually (available
behind an advanced settings link).
When we switched to J-PAKE, we could have gotten rid of the 128-bit Sync
Key and replaced it with a pair of 256-bit keys. However, we deemed the
engineering effort was too high to accomodate our schedule at the time.
And, having manual key entry as a fall-back was nice-to-have (for
connecting two devices that aren't both in front of you, for example).
And, a 128-bit key was backwards compatible. And, 128 bits of entropy
for a root key was still pretty good. So, we stuck with a 128-bit Sync
Key with derivation to a pair of 256-bit keys.
Now that you have a basic overview of how Sync works, let's talk about
the proposed changes.
Persona for Authentication
==========================
For Persona integration, we would replace Mozilla Services accounts with
Persona. This means that the Sync server will authenticate clients with
BrowserID assertions, not HTTP Basic Auth with your Mozilla Services
credentials. If you are curious about the implementation details, see [6].
This change would mean that users will need a Persona account to use
Sync. For existing Sync users, we'll likely have some kind of UI in the
browser to prompt you to create a Persona account , possibly with the
same email address used for the Mozilla Services account — we haven't
finalized details yet.
Proposal for Sync Key Management
================================
The larger change for Persona integration would be how your Sync Key is
managed.
First, we propose doing away with the 128-bit Sync Key and HKDF
derivation of a pair of 256-bit keys. Replacing it will be a pair of
randomly-generated 256-bit keys. (We've wanted to do this for a while.)
This effectively increases the maximum achievable cryptographic security
of Sync since we would be using true 256-bit keys rather than those
derived from a 128-bit key. More details are available in part 2 of this
post.
The second change for Persona integration deals with how the Sync Key is
secured and stored. The proposal is for Sync to leverage a "key
wrapping" facility provided by Persona. Full details about Persona key
wrapping are available at [7]. In summary, your Persona account has
associated with it a pair of randomly-generated keys (just like Sync).
This key pair is called the [Persona] User Key, or UK. Persona provides
APIs that can be used to "wrap" and "unwrap" arbitrary pieces of data.
This is just a convenient way of saying that Persona encrypts and signs
(or verifies and decrypts) data with the UK.
When you create a Sync account, the Sync client would generate a random
key (just like today). It would then call a Persona API on the client to
"wrap" your Sync Key. Persona would return a blob of data that is
wrapped/encrypted/signed with the UK. The wrapped Sync Key would then be
uploaded to the Sync server.
When a new Sync client needs to access your data, it would log in to
Persona, fetch the wrapped Sync Key from the Sync server, then hand off
the wrapped data to Persona and get back the original Sync Key. The Sync
client would then proceed like normal. No device pairing. No need to
have two devices in physical proximity. No additional UI. You just log
in to Persona and your Sync-managed data is magically available.
So far, the security model is isomorphic to the world without Persona:
we have keys rooted to a pair of randomly generated 256-bit keys. The
only difference is we have an extra layer of key chaining and the next
link (the Sync Key) is also stored encrypted on the Sync server. No big
deal.
This means we push the problem of managing the root key out of Sync and
into Persona. And management of the Persona UK is where things get
interesting again.
Persona User Key Management
===========================
In order to facilitate Sync "just working" after logging in to Persona,
the UK will need to be stored centrally. If the UK is not stored
centrally nor always available, you are back to Sync's usability issues
around pairing: you'd need some way to transmit the UK between clients.
So, how do we plan to store the UK centrally? The general plan is to
encrypt the UK on the client before it is uploaded to the Persona server
for storage. How, exactly, we're not sure yet.
The minimum proposal is to use PBKDF2 of your Persona login credentials
(i.e., your Persona password) to derive a a password key (PWK). Then,
we'd use the PWK to encrypt and sign the UK before uploading it to the
server. Any client with the Persona credentials could download the
encrypted UK from the Persona server and decrypt it with the PWK. On top
of that, the current proposal is for Mozilla to be the only entity
within the BrowserID ecosystem that stores encrypted UKs. Even IdP's
(which you trust to issue credentials to you) wouldn't have this
information.
When we consider this proposal with Sync, it means that everything would
effectively be chained to a user-supplied password, not a 128-bit Sync Key.
Trying to Appease Everyone
==========================
Usability and security are often at odds with each other and different
people prefer to sit at specific points in this spectrum. No matter what
decision we make, we understand it will be impossible to satisfy
everyone. Even today, with Sync's security model where the server
operators (Mozilla for the default Sync server in Firefox) only have
access to limited metadata (common to just about every hosted service),
there are people who insist on running their own Sync server for privacy
and/or security reasons (see [8] for instructions for running your own
server). There's nothing wrong with doing that or holding that belief.
And, it should not be discouraged.
The general rule is we tailor Firefox to 80% of the users. And today,
80% do not grok Sync's setup process. Since Firefox is expanding to more
mobile devices, where Sync is a must-have feature (for many at least)
and since we wish for people to be able to log in to a "cold" browser
and have access to their data, we need to change Sync so it is usable
without additional setup complexity. This, unfortunately, means reducing
the end-to-end security in the /default/ case.
I want to explicitly state that even though the end-to-end security
would be weakened, it would still be pretty good. We're not talking
about storing your data unencrypted or making your encryption keys
easily available. We feel the end state of this shift is still well
within the acceptable range of most people. Only those in the "more
paranoid" end of the spectrum would "lose coverage."
It would be hard to let these security-minded people go. And, I hope it
doesn't come to that. Above, I mentioned a "default case" for the
security settings. I say "default case" because I (and many others)
insist that users who want to sit at the more secure end of the security
spectrum have that choice, especially since that is where they are now.
I (and many others) believe it would be ethically wrong to ship a
Firefox that permanently eroded Sync's data security protections on
which people have come to rely. To these people who love Sync today
because in a world where your user data is often uploaded unencrypted
and used for behavioral analytics ("you are the product"), Firefox
Sync's model of strong client-side encryption stands out from the crowd
and is rewarded with your patronage: you deserve continued support for
the existing (if not better) level of security.
I (and a lot of other people), are committed to allowing Sync users to
maintain the current level of security while we make the transition to
Persona. I'm not sure exactly how we're going to do that yet. Maybe
there are about:config-only preferences to prevent your Sync Key from
being wrapped with your Persona UK. Maybe Persona has options to control
the minimum encryption levels for the UK. Maybe UK escrow can be
disabled. Maybe we keep the J-PAKE server running and have the Sync
pairing UI somewhere in an advanced settings dialog. Maybe we could use
J-PAKE for the UK. Maybe we require a second set of credentials to
unlock the UK. Maybe accounts have multiple UKs with different security
settings. Maybe we give users the choice between usability and security
when initially configuring Sync or UK management. I don't know yet.
What I can tell you is that a lot of people are thinking about
solutions. And at this point, everything (within reason) is on the table.
We would like to foster a discussion on this subject. If you have any
ideas or opinions, please speak up!
More Secure than PBKDF2
=======================
Above, I mentioned that the current minimum security proposal is for the
Persona UK to be encrypted using a PBKDF2-derived key from your Persona
password. While this is certainly more secure than using no client-side
encryption, it isn't as good as we would like.
A number of people have been losing sleep over how we can do better.
Brian Warner is probably the most sleep-deprived of the lot. His first
proposal is at [9]. If you have an interest in making Persona's key
wrapping facility as secure as possible, please look at his work.
If you are a security or crypto expert, this is a particular area where
your input would be most valuable. Please dump your brain so we can make
the best decision for our users.
Conclusion
==========
Switching Sync to use Persona to support log in to the browser [through
passphrases] — which will enable a better web experience — will involve
weakening Sync's end-to-end security model.
We are looking for input to help minimize the security tradeoff being
made with the transition to better usability. We are also keen to retain
support for the existing level of end-to-end security and would like to
foster a discussion around the best ways to accomplish this.
Happy syncing,
Gregory Szorc
Firefox Sync Engineer
g...@mozilla.com
[1]
https://wiki.mozilla.org/Identity/Features/Sign_into_the_browser
[2]
http://docs.services.mozilla.com/storage/apis-2.0.html
[3]
https://tools.ietf.org/html/rfc5869
[4]
http://docs.services.mozilla.com/sync/storageformat5.html
[5]
http://docs.services.mozilla.com/keyexchange/index.html
[6]
http://docs.services.mozilla.com/token/index.html
[7]
https://wiki.mozilla.org/BrowserID_Key_Wrapping
[8]
https://docs.services.mozilla.com/
[9]
https://wiki.mozilla.org/Identity/CryptoIdeas/01-PBKDF-scrypt