![]() ![]() Slideshows Channel gathers for Nextgen New Zealand's Summer (Somewhere) Party From desktop to web and everything in between, Microsoft Office delivers the help you need to work anytime, anywhere.Your essential guide to New Zealand Vendors Your essential guide to New Zealand Distributors ISEC Partners was also contracted by the Open Crypto Audit Project to perform an audit of TrueCrypt source code earlier this year. "BitTorrent Sync applied generally accepted cryptographic practices in the design and implementation of Sync 1.4 as of July 2014," the iSEC letter reads. According to the letter, iSEC's review covered the program's implementation and usage of cryptographic primites like hashing, encryption and randomness generation the key exchange mechanism the invite and approval process folder discovery by remote peers and possible cryptographic attacks on Sync infrastructure. In order to support these claims, BitTorrent also published a letter from iSEC Partners, a security firm that was contracted earlier this year to audit BitTorrent Sync's cryptographic implementation. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server."Ĭompromising the public infrastructure that supports the peer discovery cannot impact the security of the Sync program, which is completely dependent on the client-side implementation, Lissounov said. "After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel for the other peer. ![]() "The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange," he said. However, those links only contain the public keys that are needed before the machines can actually exchange the secret keys, Lissounov said. The folder-sharing mechanism between BitTorrent Sync users relies on links to that include the folder hash and cryptographic keys, according to the Hackito report. The hashes cannot be used to obtain access to the folder it is just a way to discover the IP addresses of devices with the same folder." "They are used to discover other peers with the same folder. "Folder hashes are not the folder key (secret)," Konstantin Lissounov, the general manager for BitTorrent Sync, said. "This may be the result of NSL (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers."īitTorrent posted a response on its community forum to clarify that the central server is just there to enable peers to discover each other and does not play a role in the actual synchronization process, which is encrypted peer-to-peer. This results from a change in the folder-sharing procedure that was introduced after the original Sync releases, which used a different, more secure mechanism, the Hackito researchers said. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |