Did Storj a Audit regarding native Tardigrade implementation in Duplicati?

jensamberg · September 6, 2020, 5:45pm

Did Storj a Audit of the source code regarding native Duplicati Integration to be sure the encryption password is save ?

TopperDEL · September 8, 2020, 7:50am

I am the developer of the native Tardigrade-Implementation and I can assure you, that the passwords are safe and not being extracted. All code is open source, so you may check for yourself.

E.g. here is the coding where the Tardigrade-Backend receives the access credentials (password and URL or AccessGrant) from Duplicati and provides it to the uplink.Net-Library (by creating an “Access”-object):

github.com

duplicati/duplicati/blob/174edf422ec828cf0802366470c9e39ad2293930/Duplicati/Library/Backend/Tardigrade/TardigradeBackend.cs#L88


{
}

// ReSharper disable once UnusedMember.Global
// This constructor is needed by the BackendLoader.
public Tardigrade(string url, Dictionary<string, string> options)
{
    InitStorjLibrary();

    var auth_method = options[TARDIGRADE_AUTH_METHOD];
    if (auth_method == "Access grant")
    {
        //Create an access from the access grant
        var shared_access = options[TARDIGRADE_SHARED_ACCESS];
        _access = new Access(shared_access, new Config() { UserAgent = TARDIGRADE_PARTNER_ID });
    }
    else
    {
        //Create an access for a satellite, API key and encryption passphrase
        _satellite = options[TARDIGRADE_SATELLITE];

Here you can see how the uplink.NET-library handles the “secret” (your passphrase) over to uplink-c:

github.com

TopperDEL/uplink.net/blob/7c06110aaae835a9c20c0ae003b2c9dc1919ee05/uplink.NET/uplink.NET.Shared/Models/Access.cs#L100


/// </summary>
/// <param name="satelliteAddress">The satellite address</param>
/// <param name="apiKey">The API-key</param>
/// <param name="secret">The passphrase</param>
public Access(string satelliteAddress, string apiKey, string secret)
{
    Init();

    try
    {
        _accessResult = SWIG.storj_uplink.request_access_with_passphrase(satelliteAddress, apiKey, secret);
        if (_accessResult.error != null && !string.IsNullOrEmpty(_accessResult.error.message))
            throw new ArgumentException(_accessResult.error.message);

        _access = _accessResult.access;

        _projectResult = SWIG.storj_uplink.config_open_project(_config, _access);
        if (_projectResult.error != null && !string.IsNullOrEmpty(_projectResult.error.message))
            throw new ArgumentException(_projectResult.error.message);

        _project = _projectResult.project;

Here you can see how uplink-c handles the secret:

github.com

storj/uplink-c/blob/a03a66b482a7455a5cb07d7da32413a32d3213de/access.go#L39


		}
	}

	return C.UplinkAccessResult{
		access: (*C.UplinkAccess)(mallocHandle(universe.Add(&Access{access}))),
	}
}

//export uplink_request_access_with_passphrase
// uplink_request_access_with_passphrase requests satellite for a new access grant using a passhprase.
func uplink_request_access_with_passphrase(satellite_address, api_key, passphrase *C.uplink_const_char) C.UplinkAccessResult { //nolint:golint
	if satellite_address == nil {
		return C.UplinkAccessResult{
			error: mallocError(ErrNull.New("satellite_address")),
		}
	}
	if api_key == nil {
		return C.UplinkAccessResult{
			error: mallocError(ErrNull.New("api_key")),
		}
	}

So maybe that gives you a little insight and helps you understand if it is save or not. But be careful: you may always get a “wrong version” deployed where someone added coding not visible in the github-repos. To be really save you might need to compile it all for yourself or we might need to add some certificates here.

jensamberg · September 8, 2020, 5:29pm

@TopperDEL thanks for info.

How can I be sure that my Docker container is secure ?

Do you think it is possible to implement a hardware dongle such a ledger nano to retrieve encryption keys?

jammerdan · September 9, 2020, 5:49am

I think this is a very good question that should be addressed in a general way, as Storj relies on developers to create applications.
So the question would be: How to trust developers to implement all required security functions in a way that they do not get exposed or transmitted to a 3rd party?

At the end maybe for sensitive data additional client side encryption needs to be performed prior to uploading.

Alexey · September 9, 2020, 7:49am

There is always myths around OSS and security:

So, usually we - the Community helping OSS products to be secure. The same is going for the applications built on Tardigrade platform.

TopperDEL · September 9, 2020, 7:59am

Not sure how I may help you here. I don’t know how to check if the docker container is secure. And adding a hardware-dongle to the table sounds great, but I do now know how to handle this here. Furthemore - wouldn’t that mean to “approve” a backup-request everytime with your dongle? That would make regular backups a pain, wouldn’t it?

@jammerdan: You may use the default way of encrypting data from duplicati itself before the files get handed over to the Tardigrade-backend. So whatever happens there, your data could not get exposed. but then you would have to trust Duplicati again.
Checking the security of duplicati was not on my scope during development of the Tardigrade-Backend. I would assume this has been checked multiple times as Duplicati is on the market since quite a long time already and is used by thousands of people.