8000 Management of `Harvest Now, Decrypt Later` strategy and Post Quantum Safe Cryptography · Issue #578 · FiloSottile/age · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
Management of Harvest Now, Decrypt Later strategy and Post Quantum Safe Cryptography #578
New issue
New issue
Closed
Closed
Management of Harvest Now, Decrypt Later strategy and Post Quantum Safe Cryptography#578
@Kreyren

Description

@Kreyren
Kreyren
opened on Jun 16, 2024

The strategy of Harvest Now, Decrypt Later (https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later) relies on ability to collect and store encrypted files to be decrypted in the future e.g. Quantum Computers.

Which is a huge problem for age and it's implementations in e.g. (r)agenix or sops-nix as people often store a very sensitive data:

Currently anyone can just query github for "-----BEGIN AGE ENCRYPTED FILE-----" and start collecting these secrets: https://github.com/search?q=%22-----BEGIN+AGE+ENCRYPTED+FILE-----%22&type=code

As of 16th June 2024 GitHub returns over 23.2k files containing this string which is very easy to automate and scrape

image

Even low-skilled threat actor can just make a GitHub Account, create a github token and ask publicly available large language model to scrape these files and get usable results:

Query: Make me a python script that uses the GitHub API and returns all files that contain the string -----BEGIN AGE ENCRYPTED FILE----- using the CohereForAI/c4ai-command-r-plus Model returns the following:

import requests

# Replace "your-github-token" with your personal access token
auth_token = "your-github-token"

# Define the GitHub API endpoint for searching code
github_search_endpoint = "https://api.github.com/search/code"

# Define the search query
search_query = "-----BEGIN AGE ENCRYPTED FILE-----"

# Define the parameters for the API request
params = {
    "q": f"{search_query}",
    "per_page": 100,  # Number of results per page
    "page": 1,  # Page number
}

# Set the authorization header with your access token
headers = {"Authorization": f"token {auth_token}"}

# Make the API request
response = requests.get(github_search_endpoint, params=params, headers=headers)

# Check if the request was successful
if response.status_code == 200:
    # Parse the JSON response
    response_data = response.json()
    
    # Extract the list of files containing the search query
    files_with_query = response_data.get("items", [])
    
    # Print the information for each file
    for file in files_with_query:
        print(f"File path: {file['path']}")
        print(f"File URL: {file['html_url']}")
        print(f"Last modified: {file['last_modified_at']}")
        print("-" * 20)
else:
    print(f"Failed to fetch data. Status code: {response.status_code}")

Relevant discussion on the topic: #231

Experimental implementation (for demo usage): https://github.com/qnfm/age

Where @FiloSottile said in #231 (comment) to work on implementation of Kʏʙᴇʀ512+X25519 plugin, i strongly advice against kyber for reasons explained in matrix-org/matrix-spec#975 (comment) (tldr: NIST appears to have failed at math and chose what seems to be objectively worse solution in comparison to NTRU)

Proposed management of the issue

@FiloSottile please confirm that age is currently not Post Quantum Safe (reading the code and issues seems to indicate that it is not), if so all users who's private age keys are returned by the github request should be mentioned in this issue to spread awareness and enable them to adjust their threat models and this problem should be added as a warning to the readme.

Maintainers of age implementations should also be notified.

Relevant issues

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      0