We strongly recommend that users use strong passwords. Even the best security is foiled by a user choosing a weak or commonly-used password, such as 123456
or letmein
.
Noraina's Efficient Cloud Backup always encrypts all user data before storing it, using strong AES-256-CTR with Poly1305 in AEAD mode with high-entropy random keys.
Encryption keys are automatically generated and managed by the client. The data encryption keys are then encrypted against the customer's password, and stored on the Comet Server. This means that (A) Noraina Ltd is unable to decrypt data without the customer's password; and (B) in the event of a customer PC loss, only the customer's password is necessary to log in to the account and restore data.
The user's password is used to derive two 192-bit keys (the "L" and "R" keys) via PBKDF2-SHA512
, with hard-coded parameters for repeatable output.
- The L-key is used to log in to the Authentication Role server in place of the real password; the server stores only a
bcrypt(sha512)
hash of this L-key. - The R-key never leaves the client, and is used to encrypt secret keys stored within the user's profile on the server.
This means that one password can be used for all client-side account operations, while preventing servers from uncovering client-only secrets.
When Efficient Cloud Backup sets up a Storage Vault for the first time, it generates two high-entropy random keys (the 256-bit "A" and 128-bit "E" keys). All user data in the Storage Vault is stored encrypted with the A-key using AES-256 in CTR mode, and authenticated using Poly1305 in AEAD (encrypt-then-MAC) mode.
The permanent A-key is stored inside the Storage Vault, encrypted with the E-key. The E-key is then encrypted with the R-key and stored in the user's profile on the Authentication Role server. When a backup is performed, the client uses its password to derive the private R-key, to decrypt the E-key from the vault, to decrypt the A-key for data storage. This extra level of indirection enables some key rotation scenarios, as a new E-key can be generated without needing to re-encrypt all the data in the Storage Vault.
If the Storage Vault is for a Storage Role bucket, a high-entropy random 128-bit PSK is used to gate access to the bucket. The Storage Role server stores only a bcrypt(sha512)
hash of this PSK. The client encrypts this PSK with the R-key and stores it in the user's profile on the Authentication Role server.