Home Explore Help
Sign In
mirrors
/
borg
mirror of https://github.com/borgbackup/borg
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge pull request #5262 from fantasya-pbem/1.1-maint

docs: add security faq explaining AES-CTR crypto issues, fixes #5254
TW 5 years ago
parent
bd1eaa839e 63c43d55b5
commit
f8c8d58e58
2 changed files with 37 additions and 1 deletions
Unified View Show Diff Stats
  1. 35 1
      docs/faq.rst
  2. 2 0
      docs/internals/security.rst

+ 35 - 1
docs/faq.rst
View File 

@@ -27,7 +27,13 @@ which is slower.
 
 Can I backup from multiple servers into a single repository?
 
 Can I backup from multiple servers into a single repository?
 
 ------------------------------------------------------------
 
 ------------------------------------------------------------
 
 
 
-Yes, but in order for the deduplication used by |project_name| to work, it
 
+Yes, this is *possible* from the technical standpoint, but it is
 
+*not recommended* from the security perspective. |project_name| is
 
+built upon a defined :ref:`attack_model` that cannot provide its
 
+guarantees for multiple clients using the same repository. See
 
+:ref:`borg_security_critique` for a detailed explanation.
 
+
 
+Also, in order for the deduplication used by |project_name| to work, it
 
 needs to keep a local cache containing checksums of all file
 
 needs to keep a local cache containing checksums of all file
 
 chunks already stored in the repository. This cache is stored in
 
 chunks already stored in the repository. This cache is stored in
 
 ``~/.cache/borg/``.  If |project_name| detects that a repository has been
 
 ``~/.cache/borg/``.  If |project_name| detects that a repository has been
 
@@ -353,6 +359,34 @@ to change them.
 
 Security
 
 Security
 
 ########
 
 ########
 
 
 
+.. _borg_security_critique:
 
+
 
+Isn't BorgBackup's AES-CTR crypto broken?
 
+-----------------------------------------
 
+
 
+If a nonce (counter) value is reused, AES-CTR mode crypto is broken.
 
+
 
+To exploit the AES counter management issue, an attacker would need to have
 
+access to the borg repository.
 
+
 
+By tampering with the repo, the attacker could bring the repo into a state so
 
+that it reports a lower "highest used counter value" than the one that actually
 
+was used. The client would usually notice that, because it rather trusts the
 
+clientside stored "highest used counter value" than trusting the server.
 
+
 
+But there are situations, where this is simply not possible:
 
+
 
+- If clients A and B used the repo, the client A can only know its own highest
 
+  CTR value, but not the one produced by B. That is only known to (B and) the
 
+  server (the repo) and thus the client A needs to trust the server about the
 
+  value produced by B in that situation. You can't do much about this except
 
+  not having multiple clients per repo.
 
+
 
+- Even if there is only one client, if client-side information is completely
 
+  lost (e.g. due to disk defect), the client also needs to trust the value from
 
+  server side. You can avoid this by not continuing to write to the repository
 
+  after you have lost clientside borg information.
 
+
 
 .. _home_config_borg:
 
 .. _home_config_borg:
 
 
 
 How important is the $HOME/.config/borg directory?
 
 How important is the $HOME/.config/borg directory?

+ 2 - 0
docs/internals/security.rst
View File 

@@ -13,6 +13,8 @@ Security
 
 Cryptography in Borg
 
 Cryptography in Borg
 
 ====================
 
 ====================
 
 
 
+.. _attack_model:
 
+
 
 Attack model
 
 Attack model
 
 ------------
 
 ------------