Results 1 to 4 of 4

Thread: Viivo security advantage?

  1. #1

    Viivo security advantage?

    I have used/tested another program (which I won't name since I'm not trying to "plug it") which functions similarly to Viivo in that it takes your unencrypted files and syncs them to a cloud storage folder. Like Viivo, it also compresses the files during encryption. As I understand it, the progam uses the "LZMA 7zAES" method with AES-256 using a "derivation function based on SHA-256 hash algorithm". The potential advantage of this program is that, outside my main PC, I don't access these files very often and, if I do, I only need the password and a program that will decrypt compressed files (which I already use). The obvious disadvantage is that, if I did work with multiple files, I would have to decrypt each of them individually.

    In any event, my question is (purely from a security prospective) what is the advantage of Viivo? In other words, assuming that someone gained access to my cloud storage, why would Viivo encrypted files be more secure than ones encrypted as described above?


  2. #2
    Viivo Development
    Join Date
    Jan 2013
    Great question. Since you explicitly asked for an answer "purely from a security perspective" we'll only discuss the security implications, not the ease of use. But - I'd like to point out (just one quick sentence) that Viivo's purpose is to give you excellent security without compromising ease of use, especially for sharing between different communities of users. (Basic encryption is not that hard to do - sharing is much harder, and doing so without introducing complexity to the user experience is extremely hard.)

    Short answer: Assuming your password is unguessable, 7z and Viivo files are just about equally secure.

    But - almost everybody uses a password that is plausibly guessable/crackable. The numerous 7z password crackers out there make this easier than you think. And for many there is the chance that the password can be stolen, if for no other reason than a colleague might watch you type it.

    The password-cracking tactics used against 7z files will not work against Viivo.

    And Viivo even has a solution to the problem that an attacker actually knows your password - multi-factor authentication.

    Here's the long answer. (I hope this helps.)

    Analyzing cryptographic vulnerability is a long process and must take into account everything about the entire workflow in order to be the truth, the whole truth, and nothing but the truth. As an example, if we say that two encryption tools use exactly the same "approved" algorithms (PBKDF2 HMAC SHA256, AES 256 CBC etc.) and they both correctly set all the parameters using cryptographically strong pseudo random numbers, we may think it's correct to declare that they're equally strong tools. However, suppose the output of one is a self-extracting zip file. This means that the tool used to extract the content could very well have been replaced by an attacker - it may not be the decryption tool at all, but rather a program that prompts you for your password and then transmits your password to an attacker who has the real file in his possession. Though some of the parts are great, the other parts may make the tool vulnerable.

    Both Viivo and 7z files have very strong, 256-bit AES encryption. They both have very strong and time-consuming methods for converting your password into a master key (a process called key derivation). Although they use different key derivation algorithms, no vulnerabilities have been publicly identified for either. However, the one Viivo uses (PBKDF2 HMAC SHA256) is a well analyzed and commonly approved national standard algorithm. The 7z key derivation is a proprietary algorithm - you're putting trust in the skill of the developer to have done the password based cryptographic key derivation correctly and without vulnerabilities. However much or little weight you want to give to that difference, it is still a difference. But let's suppose this is an unimportant difference, even though this directly influences how fast a password can be cracked.

    What vulnerability is there regarding this password? We've supposed it's not in the key derivation. But what about how the password-derived key is used?

    In both Viivo and 7z, each individual file is encrypted with a randomly chosen 256-bit "session" key. Then the session key is protected/encrypted with an archive key. It's the nature of the archive key that we need to talk about.

    For 7z, the archive key is exactly that key derived directly from your password. Guessing or cracking your password is equivalent and functionally identical to guessing or cracking the archive key. Assuming you use one password for everything (for convenience) then you're using the exact same archive key for all your files. Crack one, you've cracked them all.

    Not so with Viivo - every Viivo file's session key is encrypted with an archive key that has no connection to your password. It is randomly chosen and also has 256 bits of entropy, so that it is unguessable in any practical sense. (Yes, it is mathematically possible to guess a random 256-bit AES archive key on the first try, but it's statistically implausible to do so - even a lifetime of attempts at a trillion trillion per second will not even get you a .00000000001% chance of guessing the archive key. Add about 30 more zeros and you're starting to get close.) Further, with Viivo, sharing of files is possible, and Viivo does so by generating many archive keys and managing who gets a copy of them - no sharing of passwords is involved. But - let's suppose for the moment you're only interested in encrypting for yourself.

    So here's the attack: Assuming the attacker has some of your 7z encrypted documents, if he can acquire/guess your password, he can read them all. He doesn't have to log in to any server. If you change your password going forward, this has no effect on the documents he already stole, and so he can still decrypt them.

    Viivo is different. Every Viivo user has his or her own RSA key pair. This is a public/private key pair that is used by Viivo to digitally sign and verify metadata (information about your keys and account) and to encrypt and decrypt key material, such as the above-mentioned archive keys. A decrypted copy of the private key is required to do anything with Viivo, or to say anything acceptable to the Viivo servers. No such decrypted copy of your Viivo private key ever exists outside your own computer or mobile device. The attacker can still try guessing your password, but he has no way to verify his guesses except to talk to the Viivo servers and ask that the password be verified. Unlike 7z files, Viivo files don't contain enough information in them to verify that a guessed password is correct. You have to get that private key first from the server, and in order to do that, you have to prove to the Viivo server that you already know the password that is going to work with that private key. We do this without actually knowing your password - it's done with a sophisticated hashing algorithm. In fact, we don't even know which encrypted private key, stored on our server, is yours. They're all stored with multiple random and hashed values that we can't connect back to your identity, even if the government tried to force us to do so. All we could do is turn over the entire database of encrypted private keys, which basically looks like an enormous pile of random numbers.

    Any attacker trying to guess your password will be calling our servers over and over and is going to get throttled (we'll stop answering) pretty quickly, and raise alarm bells in our administrative console. The same attack against 7z files can be quietly and invisibly performed offline at full speed. Nobody will know it's happening. If your password is guessable in, say, three months of guesses with 7z files (at a trillion per second), that same password will not be guessed for centuries with Viivo, and long before that we'll notice and shut them down.

    Even if an attacker were to get a complete copy of all those encrypted private keys from us, he'd still have to try each of his guesses against every one of the encrypted private keys until he found it. This makes the process take 100,000 times longer to perform the same attack. Combined with the implausibility of stealing our entire database, that's way more secure than 7z.

    As well, assuming the attacker *knows* your password, he still needs to get your private key from our server. If you enable multi-factor authentication, then the Viivo server will ask your permission (via your mobile device) every time anybody asks for the private key and they actually know your current password. You have the option, in real time, to click "Deny". This refuses to answer the attacker at all. Then you change your password (because somebody knows it - we just showed you that) and then they can no longer even try the attack because now they know your *old* password, not your current password, and the Viivo server will ignore them. This ability to change your password even after the files have been stolen is unique to Viivo and impossible with 7z.

    We do acknowledge that there is a cost to doing the multi-factor authentication - you have to be online just to log in to Viivo. However, once you're logged in, you can disconnect from the network and use desktop Viivo for document encryption and decryption while offline. Viivo on mobile is usually using your cloud provider's storage API directly so needs to be online anyway.

    We've designed the architecture in such a way as to not require the server to be there in order for things to still work. The technology is meant to survive the company. That said, if the server does go away, you won't be able to create new Assets which are used to facilitate easy sharing of encrypted content and you won't be able to authenticate new devices. You'll have to mass-decrypt (if you operate Viivo desktop in tunnel mode, this is always done automatically) and move on to something else.
    Last edited by tczotter; 04-02-2015 at 05:16 PM.

  3. #3
    Thank you for your excellent response!

  4. #4
    7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts