This is not for public review, this is for Joplin development team
By reviewing your source code on GitHub https://github.com/laurent22/joplin/blob/dev/packages/lib/services/e2ee/EncryptionService.ts, I found the below code snippet:
const handlers: Record<EncryptionMethod, ()=> string> = {
    // 2020-01-23: Deprecated and no longer secure due to the use of OCB2 mode - do not use.
    [EncryptionMethod.SJCL]: () => {
        try {
            // Good demo to understand each parameter: https://bitwiseshiftleft.github.io/sjcl/demo/
            return sjcl.json.encrypt(key, plainText, {
                v: 1, // version
                iter: 1000, // Defaults to 1000 in sjcl but since we're running this on mobile devices, use a lower value. Maybe review this after some time. https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256
                ks: 128, // Key size - "128 bits should be secure enough"
                ts: 64, // ???
                mode: 'ocb2', // The cipher mode is a standard for how to use AES and other algorithms to encrypt and authenticate your message. OCB2 mode is slightly faster and has more features, but CCM mode has wider support because it is not patented.
                // "adata":"", // Associated Data - not needed?
                cipher: 'aes',
            });
        } catch (error) {
            throw this.wrapSjclError(error);
        }
    },
    // (remaining handlers are not quoted in this post)
};
It shows that on 2023-01-23, some developer commented not to use the OCB2 cipher mode https://en.wikipedia.org/wiki/OCB_mode as it is not secure. This is correct, as it is well known that this mode has been attacked. However, it is still there in the code.
Now, I see some code blocks that use ocb2 mode with aes 128 as in the above block, and other blocks that use ccm mode with aes 256.
I know that Joplin team has reverted back to aes 128 for performance reasons, which is ok, but did you revert back to the old insecure cipher-mode ocb2?
My Questions: Which cipher mode is currently used in the official executable available on Joplin download page https://joplinapp.org/download/? (ocb2 or ccm) What key size is currently used? (256 or 128)
We don't use deprecated encryption methods to encrypt new notes, however we leave the method in the code in case a user has old notes encrypted with that method.
It's probably not necessary, but to be sure you can go to the Encryption config screen, then, under Advanced options, click "Reencrypt data". Please note that it means all your notes will be uploaded again to your sync target.
Is there a way to check to see if you have any notes encrypted the "old way"? I'd rather not reencrypt everything if there is another way to go about ensuring the latest encryption is applied to all my notes.
I agree - and maybe we should wait with re-encrypting until AES-256 is re-introduced and meant to stay. As far as I understand re-encryption at the current state means changing from AES-128 OCB2 to AES-128 CCM. I have no idea what the real gain in security would be, and I hope that there's people here who can help to clarify this issue.
I don't think there is. But honestly, among the hundreds of notes I have there are some 10-20 for which encryption "might" matter. To each one of those I added one char (usually a blank at the end of the note), which guarantees that it is re-encrypted. About all the other notes? Let the malfaiteurs read them and enjoy them!!
My case of course, yours may be different.
I have no idea what the real gain in security would be, and I hope that there's people here who can help to clarify this issue.
@rqk
Actually, encryption strength depends on some factors including but not limited to:
Algorithm (in this case it is AES)
Key Size (128 vs 256)
Encryption mode (OCB2 vs CCM)
There is nothing to say about algorithm since it is AES in either case.
For key sizes, I think that 128 is too strong. Yes, 256 is stronger, but 128 is strong enough and is used everywhere due to its speed. Even my current HTTPS connection to this forum uses AES128.
For encryption mode, this is tricky, since most users do not know about it. Encryption mode can make the strongest algorithm melt down like butter.
OCB1 and OCB3 are safer than OCB2. CCM is safer, but slower. This is why people use OCB.
There are papers that show OCB2 weaknesses. One is written by Niels Ferguson, a chief security in Microsoft.
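Added example, not part of any post in this thread and not Joplin's code: the three factors listed above (algorithm, key size, mode) are recorded in clear text in the JSON string that sjcl.json.encrypt returns, so ciphertexts can be audited for the deprecated mode without the key. It assumes you already have the raw SJCL JSON strings; the function names, DEPRECATED_MODES and the sample envelopes are constructed for illustration.

```javascript
// Modes treated as deprecated; 'ocb2' is the one marked "do not use" in the quoted snippet.
const DEPRECATED_MODES = new Set(['ocb2']);

// Inspect one SJCL JSON envelope and report its algorithm parameters.
function auditEnvelope(jsonText) {
  let env;
  try {
    env = JSON.parse(jsonText);
  } catch (e) {
    return { status: 'unparseable', issues: ['not valid JSON'] };
  }
  if (env === null || typeof env !== 'object' || typeof env.ct !== 'string') {
    return { status: 'unparseable', issues: ['no ct field, not an SJCL envelope'] };
  }
  const issues = [];
  for (const field of ['cipher', 'mode', 'ks', 'ts', 'iter']) {
    if (!(field in env)) issues.push(`missing field: ${field}`);
  }
  if (DEPRECATED_MODES.has(String(env.mode).toLowerCase())) {
    issues.push(`deprecated cipher mode: ${env.mode}`);
  }
  return {
    status: issues.length ? 'flagged' : 'ok',
    cipher: env.cipher, mode: env.mode, keyBits: env.ks, tagBits: env.ts, iter: env.iter,
    issues,
  };
}

// Summarise a batch: counts per status and per cipher-keysize-mode combination.
function auditAll(envelopes) {
  const summary = { ok: 0, flagged: 0, unparseable: 0, byMode: {} };
  for (const text of envelopes) {
    const r = auditEnvelope(text);
    summary[r.status] += 1;
    if (r.status === 'unparseable') continue;
    const label = `${r.cipher}-${r.keyBits}-${r.mode}`;
    summary.byMode[label] = (summary.byMode[label] || 0) + 1;
  }
  return summary;
}

// Constructed sample envelopes (iv, salt and ct are placeholders, not real ciphertext).
const SAMPLES = [
  '{"iv":"AAAA","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ocb2","adata":"","cipher":"aes","salt":"AAAA","ct":"AAAA"}',
  '{"iv":"AAAA","v":1,"iter":1000,"ks":256,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"AAAA","ct":"AAAA"}',
  'this is not an envelope',
];
console.log(auditAll(SAMPLES));
```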
It would use the new settings in this case. When an encryption method is deprecated it is used only to read old encrypted data, it will never be used for encryption again.
Modifying individual notes does trigger re-encryption - IIRC this has been discussed in other threads as a possible workaround. I wonder if changing the name of a notebook would have the same effect, i.e. re-encrypt all included notes (as all of them will have modified metadata if their folder's name is changed). If it works, it would be a more feasible workaround.