Security Big Bug?


guaitaku

First of all, I have to say that I'm very happy with this solution; as an IT admin, it's a product that fits really well with my needs.

 

Well, let's start with the problem:

 

I'm very concerned about security of my documents, and I've been reading all posts about btsync security (encryption strength, relay server, tracker ...) and I've been creating my own security keys, making them a bit longer.

 

As far as I can create a long key (using /dev/random) the security problem is solved, and I know that the secret that btsync generates is very secure and I don't have sensitive data that justifies the effort to hack it, but now I'm worried about what happened this morning.

 

There are two computers, with multiple folders, let's say Computer A and Computer B. Computer A has my personal folder F1, which has a >1000-bit key, that Computer B should not see. On Computer B, just this morning, I created a new empty folder F2 and a new >1000-bit key, and when I pasted the key and the folder.... the contents of F1 appeared in F2 (Computer B).

 

Computer A is a Mac and B is Windows, both on the same LAN and on the latest btsync version. The first thing I did was Copy Secret of F1 on Computer A and paste it into a notepad, and do the same with the secret of F2 on Computer B, and they are VERY DIFFERENT....

 

Finally, ignoring Computer A, I deleted the folder F2 (with the contents of F1) on Computer B, created a New Folder, pasted the same key as F2 before but changed some characters (a number at the beginning, some chars at the end...) completely at random, and when I hit create...... the contents of F1 appeared... I was hallucinating....

 

If I create the new folder with a generated key, the problem doesn't happen, but as the key length should not be a problem, I'm worried about how btsync uses that key, and why, even though the full key is different, this can happen.

 

The key I've used in F2 is like this:

4ycjeNDrc7d16RK7GQOp1j55c3PhxSm9KHg0TqScGvEsOFarLXuf6BsJ1uoTU7SlzcGwThL5LOTrfCTUM0gdHUcq3zqCVfJUJekSzyUh0JEht0KDvLJ3MIBPHdqc6UMu9zFWJ42PL3C0NUCe60QyvIxPYgQFw7gJ9vBSuE

 

And of course the folder F1 has a key with the same length, but I've been comparing them and I don't see anything similar.

 

PS: I don't think it is a human mistake pasting the F1 and F2 keys, because I've done the same operations typing random keys into btsync when I pasted the F2 key and the F1 contents appeared.

 

Thanks,


I've made a simple test.

 

On two Raspberry Pis I've created new folders with these secrets:

 

Folder 1:

4ycjeNDrc7d16RK7GQOp1j55c3PhxSm9KHg0TqScGvEsOFarLXuf6BsJ1uoTU7SlzcGwThL5LOTrfCTUM0gdHUcq3zqCVfJUJekSzyUh0JEht0KDvLJ3MIBPHdqc6UMu9zFWJ42PL3C0NUCe60QyvIxPYgQFw7gJ9vBSuE

 

and

 

Folder 2:

4ycjeNDrc7d16RK7GQOp1j55c3PhxSm9KHg0TqScGvEsOFarLXuf6BsJ1uoTU7SlzcGwThL5LOTrfCTUM0gdHUcq3zqCVfJUJekSzyUh0JEht0KDvLJ3MIBPHdqc6UMu9zFWJ42PL3C0NUCe60QyvIxPYgQFw7gJ9vBSuF

 

 

The only difference is the last character (one ends with an E and the other with an F). Why are those contents synchronizing, Folder 1 with Folder 2?

 

Is btsync ignoring some chars from the secret?


The BTSync secret is a base64-encoded set of bytes, so if you try to encode your self-generated secret you will see the "real" secret being used by BTSync as the private key.

 

So, if you want to generate your own secret, it's much better to base64-encode it before pasting it into btsync.

 

As for your key: its length (166) is not a multiple of 4, and the last two characters are ignored.

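The following Python script is an added example, not code from the thread or from BitTorrent Sync itself. It assumes the behaviour the reply above describes: the secret is base64-decoded, and trailing characters that do not form a complete 4-character base64 group are dropped. Under that assumption it shows why the two hand-typed secrets from the thread (166 characters, differing only in the last one) decode to identical key bytes, and it includes a hypothetical pre-check and a generator that produces a secret from random bytes so that nothing is silently discarded. The function names are my own.

```python
import base64
import binascii
import secrets

# Constructed from the thread: the two user-typed secrets that synced with
# each other. They differ only in the final character (E vs F).
SECRET_E = "4ycjeNDrc7d16RK7GQOp1j55c3PhxSm9KHg0TqScGvEsOFarLXuf6BsJ1uoTU7SlzcGwThL5LOTrfCTUM0gdHUcq3zqCVfJUJekSzyUh0JEht0KDvLJ3MIBPHdqc6UMu9zFWJ42PL3C0NUCe60QyvIxPYgQFw7gJ9vBSuE"
SECRET_F = SECRET_E[:-1] + "F"


def ignored_tail(secret: str) -> str:
    """Trailing characters that do not complete a 4-character base64 group.

    Under the assumed decoding rule these characters carry no key material.
    """
    return secret[len(secret) - len(secret) % 4:]


def effective_secret_bytes(secret: str) -> bytes:
    """Decode only the complete base64 groups (assumed behaviour, not BTSync's code).

    validate=True makes characters outside the base64 alphabet an error
    instead of being skipped, so a typo is reported rather than hidden.
    """
    usable = secret[:len(secret) - len(secret) % 4]
    return base64.b64decode(usable, validate=True)


def secrets_collide(a: str, b: str) -> bool:
    """True when two typed secrets reduce to the same key bytes."""
    return effective_secret_bytes(a) == effective_secret_bytes(b)


def check_secret(secret: str) -> list[str]:
    """Hypothetical pre-check a tool could run before accepting a hand-made secret.

    Returns a list of warnings; an empty list means the whole string is used.
    """
    warnings = []
    tail = ignored_tail(secret)
    if tail:
        warnings.append(
            f"length {len(secret)} is not a multiple of 4; trailing {tail!r} would be ignored"
        )
    try:
        key_len = len(effective_secret_bytes(secret))
    except binascii.Error:
        warnings.append("contains characters outside the base64 alphabet")
        return warnings
    if key_len < 32:
        warnings.append(f"only {key_len} bytes of key material after decoding")
    return warnings


def make_secret(n_bytes: int = 32) -> str:
    """Generate key material with the OS CSPRNG and base64-encode it.

    The encoded length is always a multiple of 4, so no characters are dropped.
    """
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


if __name__ == "__main__":
    print("ignored tail of secret E:", ignored_tail(SECRET_E))
    print("ignored tail of secret F:", ignored_tail(SECRET_F))
    print("same key bytes:", secrets_collide(SECRET_E, SECRET_F))
    print("warnings:", check_secret(SECRET_E))
    print("fresh secret:", make_secret())
```

The practical point for anyone hand-crafting secrets: two strings that agree on their complete base64 groups are the same secret, however different their tails look, and a string that is not valid base64 at all is not "extra entropy" but a typo that a decoder may quietly discard. Generating the secret as bytes first and encoding it, as the reply recommends, avoids both problems.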
