- 1 Passwords
- 2 Security and cryptography
- 2.1 You use SHA256 hashcodes to find the message-keys in the clearing database. Isn't there a high risk in collisions that may leak security?
- 2.2 You use 2048 bit RSA keys for identity-file and securing clearing-communication. Isn't that to less?
- 2.3 Why don't you use PKI techniques and standards like S/MIME or PGP?
- 3 Connection protocol
How about individual initial password?
Sometimes we get asked why we do not allow users to chose their initial password by themselves. This is a complex question and we like to explain our current decision:
- We have multiple premises that sometimes differ from other use-cases:
- We are providing a security related service. It is not a forum or something where someone might steal some money (which is in most cases insured). People trust that messages sent by regify are very secure and especially for authenticated users we need to make sure that this is always the case.
- Knowing the account credentials of some regify account gives an attacker the ability to open all RGF files that have been sent to the victim (if the attacker gets access to them). It also allows him to send in the name of the victim.
- Even if an account was abused because of a weak password, the press will write that some regify account has been "hacked" (which is wrong, but many journalists do not understand). From the perspective of the public regify now is insecure.
- Therefore, this are the detailed reasons we do not allow people to chose their initial password:
- If we allow more or less everything, we will get passwords like "password", "12345678" or "letmein". We all agree that this is not good.
- If we establish rules like "minimum 8 characters, upper and lower-case and at least one number" we still will get passwords like "Donald123" or "Passw0rd". You can see that such rules will never prevent users from choosing weak passwords.
- If the rules are very strict, users will not be able to use their "common" password any more. This forces people to simply add numbers or double the password. For example, instead of "Clara1" they will chose "Clara1Clara1". In such case, most people do not remember the password later anyway.
- If the rules are very strict, users are bugged about the system because it denies most of their ideas. This lowers consumer satisfaction and we decided to not do this in the registration process.
If choosing your own password is allowed in the provider portal depends on the regify provider configuration settings. Most providers allow you to choose your password later. Just log in and enter your own ("My account" -> "New password"). Of course, this password is also measured for security. But not by a simple algorithm like described above.
If you are using the regify provider SDK to create users, you can also submit the password. There is also a SDK function available to directly set and change the password for existing users. In both cases, the regify provider SDK must be called from a user with SUPER USER permissions.
Isn't eight characters way too little?
If we would secure the regify messages using this password, the answer would be yes. Like for ZIP archives and any other file encryption. But the regify password is not used for any file encryption. It is used for login at the regify provider system only (online). So brute force attacks are much slower. Also, the regify provider reduces the number of login attempts to a given regify account to one per minute after it failed for more than 10 times (this also applies to a distributed brute force attack).
We also consider our randomly generated 8 character passwords more secure than any 12 digits user generated password. But anyway, every regify provider is able to increase the number of characters for the initial password by himself.
How are the passwords stored in the regify provider appliance database?
Due to technical reasons (like the provider lookup service PLS and cross-provider password reset), we save the SHA1 hashcodes of the passwords. But they are additionally encrypted using AES256 encryption with individual random IV and the SHA256 hashcode of the regify provider clearing password as key. This clearing password is never stored in the database and exists only in a local file outside of the web root. By this, SQL-injection attacks and database leaks are not able to leak passwords directly.
Security and cryptography
This paragraph is intended to answer the questions of security experts that like to have a deeper look at the regify-service. If you are an expert having additional questions, please feel free to send us an e-mail at support (at) regify.com (subject "security questions").
You use SHA256 hashcodes to find the message-keys in the clearing database. Isn't there a high risk in collisions that may leak security?
If we have a "perfect" hash function with output size n, and we have p messages to hash (individual message length is not important), then the probability of a collision is about p2/2n+1 (this is an approximation which is valid for "small" p, i.e. substantially smaller than 2n/2). For instance, with SHA-256 (n=256) and one billion regify messages (p=109) then the probability is about 4.3*10-60 (0.0000000000000000000000000000000000000000000000000000000000043%). Additionally, the regify message is not only compared against the message-hashcode. The recipients hashcode needs to match perfectly to this regify transaction, too. Upon this, the risk of a collision is very very low...
You use 2048 bit RSA keys for identity-file and securing clearing-communication. Isn't that to less?
In general, you need to keep in mind, that the regify system does not encrypt the messages itself using these RSA keys. The messages are getting encrypted using AES256 and the random message-key is stored directly in the clearing-service (new key for every message). Don't compare this to hybrid encryption in other products. The identity-file is not used for hybrid encryption like in PGP and S/MIME. So the assumptions you did may not apply at all. The integrity and security of the messages is not affected by the identity-file. Instead, the identity-file is used to ensure identity of the sender and recipient against his regify provider during login only (for sending and receiving). It even can get exchanged whenever you want without affecting readability or security of the regify messages itself.
The RSA encryption is used for two purposes:
- Securing the communication between regify client and clearing. In this case, the encryption needs to "hold" only for the duration of of the communication process. Additionally it needs to "hold" for the time a attacker is willing to spend to break it. Please remark, that the channel where such message is gathered does not also contain the encrypted message. Thus, a hacker needs both: cracking the RSA key and find a way to get the message (which is moving from sender to recipient directly).
In 2018, the regify client software started to use Elliptic Curve encryption (ECC) using Curve25519 algorithm for clearing communication. This does not only increase the robustness of this part of the encryption, it also uses less CPU power and speeds up communication.
- Used as Private/Public key pair in the regify identity-file. This one is used to ensure the authentication of the user against his regify provider. Additionally, the communication between the regify client and the regify provider is additionally secured by this keys. As the messages itself are not associated in any way with this identity-file, the identity-file can get renewed as often as the customer likes to. Upon this, the same answer as on 1. Furthermore, please also note that even if the identity file content is known by an attacker, the login protocol is not broken and no data is leaked. The message key is still additional encrypted using the clearing keys. Finally, the used algorithms and bitlength can get changed at any time in the future - without having any effect on the message accessibility.
Upon these facts, and contrary to PKI solutions, using 2048 bit for RSA encryption is an ideal compromise between security and speed.
Anyhow, each provider is able to raise the bitlength for identity-files up to 3072 or even 4096 bits for his individual preference.
Why don't you use PKI techniques and standards like S/MIME or PGP?
regify does not work as PGP or other PKI methods. The benefits of the regify-system would not have been possible, if we would use these standards. The benefits, that are resulting directly on the abstinence of standard PKI techniques, are listed on our homepage in the regimail FAQ section.
Update May 2018:
It turns out that PGP and S/MIME emails are insecure by design. It is highly recommended to observe the future development of these standards and carefully make decisions about this.
Update July 2019:
The PGP Problem
You want to know more details about our regify connection protocol? No problem, just send us an email to support(at)regify.com and tell us why you're interested. We will send you the documents then.