Services/Sync/KeyRecovery: Difference between revisions

From MozillaWiki
(Created page with "{{draft}} = Goal = To securely allow a user to recover their sync key, using only the username and password for their Mozilla Services account. = Overview = Currently the syn...")
 
(Replaced content with "This has been renamed to Services/Sync/KeyRetrieval")
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{draft}}
This has been renamed to [[Services/Sync/KeyRetrieval]]
 
= Goal =
 
To securely allow a user to recover their sync key, using only the username and password for their Mozilla Services account.
 
= Overview =
 
Currently the sync key is never stored on Mozilla servers in any form; it only exists locally on each device connected to the sync account, plus in any backups explicitly made by users.  This provides some additional security for their sync data above that provided by their account password.
 
However, if the user accidentally deletes or loses their sync key, they permanently lose access to the sync data stored on Mozilla servers.  Currently their only option is to discard all sync data and start again with a new key.
 
If the user *opts in* to the key recovery service then their sync key will be encrypted and stored on Mozilla servers, where it can be recovered using their account username and password.  They may also use this service to obtain the sync key when setting up a new device, rather than using the current J-PAKE scheme to transfer it from an existing device.
 
The client will use the user's account username and password to encrypt the sync key prior to transmission to the service.  Barring our deliberate snooping or cracking of the user's password, this means that the sync key cannot be read by Mozilla.
 
If the user forgets or resets their password then the stored sync key will be unreadable and must be re-stored from a connected device.  This is a feature - even if an attacker compromises their email and resets their password to gain control of their account, the attacker will not gain access to their existing sync data.
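The two paragraphs above describe the client-side wrapping of the sync key under the account password and the property that a password reset makes the stored blob unreadable. The following is an added illustration of that design, not code from the Mozilla Services project: it derives an encryption key and a MAC key from the password with PBKDF2 (salted with the username, an assumption the page does not state), wraps a constructed 16-byte sync key with an encrypt-then-MAC construction, and shows that a different password fails authentication instead of yielding garbage. The HMAC-SHA256 counter-mode keystream is a standard-library stand-in for an AEAD such as AES-GCM, and the iteration count is assumed.

```python
import hashlib
import hmac
import os

# Assumed work factor; the wiki page specifies no parameters.
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(username, password):
    """Stretch the account password into (enc_key, mac_key).

    The username is folded into the salt (an assumption, not stated on the
    page) so that two users sharing a password get different keys and a
    single precomputed table cannot attack every stored blob at once.
    """
    salt = b"sync-key-recovery:" + username.encode("utf-8")
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib-only stand-in
    for a real AEAD cipher; the structure, not the primitive, is the point)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_sync_key(username, password, sync_key):
    """Client side: encrypt the sync key before it ever leaves the device.

    Returns nonce || ciphertext || tag. The server only ever sees this blob,
    so without the password it cannot read the sync key.
    """
    enc_key, mac_key = derive_keys(username, password)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(sync_key, _keystream(enc_key, nonce, len(sync_key)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_sync_key(username, password, blob):
    """Client side on a new device: recover the sync key from the stored blob.

    Authentication is checked before decryption, so a wrong (or reset)
    password is reported as an error rather than producing a bogus key.
    """
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed blob")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(username, password)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered blob: sync key unreadable")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def readable_with_password(username, blob, password):
    """True if the blob can be unwrapped with this password. After a password
    reset this returns False for the old blob, which is the intended behaviour:
    the user must re-store the key from a still-connected device."""
    try:
        unwrap_sync_key(username, password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample sync key (Firefox Sync keys of this era were 128-bit).
    sample_sync_key = bytes(range(16))
    blob = wrap_sync_key("alice@example.com", "correct horse battery", sample_sync_key)
    print("stored blob (hex):", blob.hex())
    print("recovered:", unwrap_sync_key("alice@example.com", "correct horse battery", blob).hex())
    print("readable after password reset:", readable_with_password("alice@example.com", blob, "new password"))
```

The blob carries no copy of the password-derived key, so a dump of the recovery service yields only PBKDF2-protected ciphertext; the service still deserves the separate, harder-to-reach deployment the page goes on to describe, because the password remains the weakest link.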
 
Since this scheme reduces the security of all the user's sync data to the security of their account password, it will be a completely opt-in service and will be disabled by default.
 
The encrypted sync key represents a particularly high-value target for an attacker, because:
* it potentially allows access to *all* of the user's sync data, and
* it will be encrypted using a relatively low-entropy key (the user's account password).
 
We therefore entrust its storage to a separate service from the main sync-storage service, so that it can be run from a high-security server.
 
= Details =
 
== Naming ==
 
In initial discussions we've been calling this a "key escrow service", but to me (rfkelly) that conjures up too many big-brother clipper-chip-style associations.  Since the idea is that Mozilla won't be able to obtain your sync key even if you enable this service, I think "key recovery service" has more accurate connotations.  Thoughts?
 
== Server Protocol ==
 
== Client Protocol ==
 
== Authentication ==
 
=== Server-Provided Tokens ===
 
=== User-Provided Tokens ===

Latest revision as of 02:01, 27 September 2011

This has been renamed to Services/Sync/KeyRetrieval