Chef Encrypted Databags don’t authenticate data, FYI. Authentication is a pretty fundamental property of a secure cryptosystem /cc @opscode
@jtimberman @opscode the solution is to use a MAC (e.g. HMAC) with a separate key, or an authenticated encryption mode such as EAX or GCM
@bascule The mixlib-authentication does that for the requests to the API. -
@jtimberman that won't help if someone tampers with the data through a sidechannel, e.g. Couch. It should really be authenticated end-to-end
@bascule @jtimberman I've always wondered why the encryption for data-bags wasn't more closely integrated with Client key pairs.
@fujin_ @jtimberman IMO every encrypted databag should have a unique (EC)DSA key for authenticating values. I'm trying that at @livingsocial
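The two fixes suggested in the thread (a MAC under a separate key, or an authenticated mode such as GCM) as a worked example. This is added illustration code, not code from any of the participants and not Chef's or Opscode's encrypted data bag implementation; the item layout (`iv`/`data`/`hmac`/`tag` fields), the key-derivation labels and the use of the data bag item id as associated data are assumptions made for the example. It also shows why the separate key matters for the MAC: both keys are derived from one shared secret so the MAC key never doubles as the encryption key, and the item id is bound in so a value copied from one item to another (the side-channel tampering the thread mentions) is rejected along with any bit flip in the ciphertext.

```ruby
require 'openssl'

# --- Option 1: encrypt-then-MAC with independent keys ---------------------
# Derive two independent 32-byte keys from the shared data bag secret so the
# HMAC key is separate from the AES key (constructed labels, an assumption of
# this example).
def derive_keys(secret)
  sha = OpenSSL::Digest.new('SHA256')
  enc_key = OpenSSL::HMAC.digest(sha, secret, 'databag-encryption')
  mac_key = OpenSSL::HMAC.digest(sha, secret, 'databag-authentication')
  [enc_key, mac_key]
end

# Constant-time byte comparison so MAC verification does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt with AES-256-CBC, then MAC over (item id || iv || ciphertext).
# Binding the item id means the value cannot be transplanted into another item.
def seal_etm(enc_key, mac_key, plaintext, item_id)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  ct = cipher.update(plaintext) + cipher.final
  tag = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), mac_key, item_id + iv + ct)
  { 'iv' => [iv].pack('m0'), 'data' => [ct].pack('m0'), 'hmac' => [tag].pack('m0') }
end

# Verify the MAC first; only decrypt if it matches. Returns nil on any tampering.
def open_etm(enc_key, mac_key, item, item_id)
  iv = item['iv'].unpack1('m0')
  ct = item['data'].unpack1('m0')
  expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), mac_key, item_id + iv + ct)
  return nil unless secure_equal?(expected, item['hmac'].unpack1('m0'))
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = enc_key
  cipher.iv = iv
  cipher.update(ct) + cipher.final
end

# --- Option 2: an authenticated mode (AES-256-GCM) ------------------------
# GCM produces its own authentication tag; the item id goes in as associated
# data so it is authenticated without being encrypted.
def seal_gcm(key, plaintext, item_id)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv            # 12-byte nonce; never reuse with the same key
  cipher.auth_data = item_id
  ct = cipher.update(plaintext) + cipher.final
  { 'iv' => [iv].pack('m0'), 'data' => [ct].pack('m0'), 'tag' => [cipher.auth_tag].pack('m0') }
end

def open_gcm(key, item, item_id)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = item['iv'].unpack1('m0')
  cipher.auth_tag = item['tag'].unpack1('m0')
  cipher.auth_data = item_id
  cipher.update(item['data'].unpack1('m0')) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil                              # tag mismatch: ciphertext, nonce or id was altered
end

# Flip one bit of a base64 field, simulating corruption or tampering in storage.
def flip_bit(b64, index)
  raw = b64.unpack1('m0')
  raw.setbyte(index, raw.getbyte(index) ^ 0x01)
  [raw].pack('m0')
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-shared-databag-secret'      # constructed sample value
  enc_key, mac_key = derive_keys(secret)
  item = seal_etm(enc_key, mac_key, '{"password":"hunter2"}', 'passwords/db')
  tampered = item.merge('data' => flip_bit(item['data'], 0))
  puts "intact:   #{open_etm(enc_key, mac_key, item, 'passwords/db').inspect}"
  puts "tampered: #{open_etm(enc_key, mac_key, tampered, 'passwords/db').inspect}"
  puts "moved:    #{open_etm(enc_key, mac_key, item, 'passwords/other').inspect}"
end
```

Both constructions reject a modified ciphertext, a modified IV and an item transplanted under a different id before any plaintext is returned; the encrypt-then-MAC path additionally illustrates the thread's point that the MAC key must be distinct from the encryption key.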