Zero server knowledge encryption for media server

I’m making a little media server, just for fun, but I want to know if what I’m thinking makes sense.

The idea is that the files will be stored on the server, encrypted. The file encryption key (henceforth FEK) will also be stored on the server, but it too will be encrypted using a 2nd key, derived from the user’s password (henceforth PDK).

It will work like this:

  1. There will be a 2-stage login. First, the user enters their username.
  2. If the user exists, the server will send back two fixed, per-user salts and a # of iterations.
  3. The client will use the first salt to hash their password with 1 iteration of sha256. They will send this to the server.
  4. The server takes this hashed password and rehashes with a 3rd salt and many iterations (PBKDF2) and uses this to authenticate the user.
  5. Meanwhile, the client uses the 2nd salt and # of iterations that the server previously sent, also with PBKDF2, to create the PDK.
  6. If the user is successfully authenticated, the server sends back the encrypted key (FEK).
  7. The client uses the PDK to decrypt the FEK.
  8. The decrypted FEK is used to encrypt and decrypt all files client-side.

Rationale: The password will be sent over HTTPS, but supposing my server is completely compromised (attacker has SSH access), then they could just wait for someone to login and get the plain-text password. One iteration of sha256 doesn’t provide a lot of protection, but this is a sort of worst-case scenario, and I don’t want to double the amount of time we’re waiting for PBKDF2 (once on client, again on server).

It still has to be rehashed on the server in case the attacker manages to download the database, but maybe doesn’t have full/persistent access. This would prevent them from cracking passwords too quickly.

I send the 2nd salt and # of iterations to the client before they authenticate so that we can do (4) and (5) in parallel. Salt and # of iterations don’t really need to be secret, do they?

Since the server never sees the plain-text password, it can never decrypt the FEK, which is the most important.

We use different salts to basically get 2 different keys out of 1 password. One is the hashed password for authentication, and the other is the PDK.

I also want to do file-deduplication using hashes. I realize this also exposes some information, so I plan on using the FEK for the file hashes too. Then I can only do per-user file deduplication, but that’s good enough.

If the user changes their password, I simply re-encrypt the FEK and send it back to the server for safe-keeping. No need to re-encrypt the files.

Does this all make sense? Any problems in my plan?

Oh, also I’m thinking aes-256-cbc with per-file IVs for the encryption, HMAC-SHA256 for the file hashes, PBKDF2 w/ sha256 and half a second worth of iterations for both the password hash and the PDK.

Expert writing service at affordable rates | 10 years of experience | In-depth tech knowledge

Hey folks,

I'm looking for some new clients for my writing services. I've been freelancing for around 8 years now, and have experience in multiple areas, from healthcare and sport, to tech, pets, celebrity gossip, and pretty much anything else you can think of. Even if your field is something new to me, I'm not afraid of research :)

I have specific experience writing:

  • Blog posts
  • Reviews
  • General articles
  • News articles (incl. for Google News sites)
  • In-depth how-tos…

Constant vs linear time given knowledge of input distribution

Question about computer science: whether a problem is O(1) or O(N). This was a thought experiment I came up with and I’m sure it’s rather basic, but I wasn’t sure how to look it up, so I apologize if this is already posted on here somewhere. But I was wondering … let’s say we have a simple question: given a string of random integers, is there any number that’s greater than a certain threshold value in the series? Would that be linear or constant time in Big O? Now the small twist is that the distribution of the input would be known. For example, let’s say we want to look at a series of N numbers to see if one is at least N/2. If yes, boom, we are done. And let’s say the numbers are positive integers bounded by N, so all n < N. Given we know this distribution, does it change whether it is O(1) or O(N)? If we have a very long string of numbers then of course it is possible that no number meets the threshold, but this becomes a smaller and smaller and smaller possibility for a long series of such random numbers. Does it make a difference if the N/2 threshold is some constant integer value less than N?

How to get appropriate knowledge as a beginner penetration tester at home?

I want to apply for a job as a penetration tester in a good company. I have a fairly good knowledge of programming and have experience as a back-end developer.

I started to work with Burp Suite, ZAP, Metasploitable2, Juice Shop and started to do some stuff locally. I want to gain more experience and do some challenging stuff but don’t know what to do. It was also suggested that I learn Rust & Go and develop security applications. I don’t know how to start off and get my hands dirty on developing security applications to gain enough experience to apply for that job (I’m planning to complete it within a month).

Any Advice?

Isn’t ZKP a reduction to a hard problem, rather than true zero knowledge?

Take for example “Hamiltonian cycle for a large graph”. The proof works by starting with a graph G that contains a Hamiltonian cycle, then constructing an isomorphic graph H, and then either showing the mapping between the graphs G and H or revealing the cycle in H.

It is said that we prove that we know a Hamiltonian cycle in G without revealing it.

But this assumes the verifier does not have unlimited computational power. If he had it, he could ask to reveal the cycle in H, and use his unlimited computational power to work out the isomorphism. I understand that if the verifier had unlimited power, he could find the cycle in G directly. But that’s not my point. What I find strange is that we are relying on “hard problems” in the proof itself.

Are there ZKP protocols that do not rely on hard problems? Hard problems are only hard according to the state of the art. It is not proven that NP is not P, therefore, in my mind, this sounds like security through obscurity in some sense.

What skills in 5e give trap knowledge (i.e. the equivalent of Dungeoneering in 4e)?

4e had a skill called Dungeoneering which was used for recognizing hazards and knowledge of some monsters. This skill doesn’t exist in 5e. Clearly Perception and Investigation can be used to find traps, and thieves’ tools can be used to disarm them, but what skill gives knowledge of likely traps and what sorts of threats they pose?