Are invitations secure?

Postby mamciek » 10 Nov 2011, 16:23

I do not understand how exactly invitations work - are they secure?

I understand that in order to get access to my spaces I need to import *.pss files from another computer of mine or a previous installation - these are my private key files. They exist only on my (client) computer - right? So how is it possible that when I completely remove Teamdrive and then reinstall it, I receive invitations to my spaces without needing to import my old *.pss files? They (pss keys) are somehow transferred from the server. Is this correct? Are keys and encrypted data kept together on TeamDrive servers?
mamciek
 
Posts: 1
Joined: 10 Nov 2011, 16:13

Re: Are invitations secure?

Postby uluckas » 25 Nov 2011, 18:39

Hi,
I have seen this question popping up several times. But I have only seen hand-waving answers like "sure it's safe, we are certified".
I consider that bad practice for a product that claims to be secure! I consider this a lot worse than admitting there is a weak point and advising users to steer around it if they want to be secure.
I understand I can secure my invitations with a password. Fine.
But now the question I have been waiting to get answered:

What happens in the background if I click "Invite all my devices", then install a new client on different hardware, register it to my email and see the invitation pop up?
How can that be secure? If it is not secure, why is this not pointed out anywhere?

I will have to make a decision about using TeamDrive in our company before the end of the year. Watching how you handle these questions will have a major impact on my decision and probably on that of others.
Security is not only a technical question but also one of trust in your provider to do it right and to keep you informed....
uluckas
 
Posts: 2
Joined: 15 Oct 2011, 20:10

Re: Are invitations secure?

Postby EPruehs » 14 Dec 2011, 11:45

Here are the answers to your questions:

@mamciek: The pss files are only on your computer. They are encrypted together with your TeamDrive username. If you register a new installation using the same TeamDrive username you could read your pss files also on the new installation. If you use another username you cannot read the pss files. If you lost your pss files, you could not get your data back again. We have no possibility to give you access again.

@uluckas: Yes, this is a good question and I will give you the information on how we made this secure, because the public key for the new installations is not available until you activate them. So, we couldn't use the public key to encrypt the invitation in this case. We are instead using your password, but not directly, because we need a key with 256 bit length for the AES encryption. During the registration process of a device we are generating a 256 bit hash based on your password. If you register a new device, you will receive this special encrypted invitation, which will be decrypted again with the 256 bit hash based on the same password. But this only works if you use the same password for all installations. You could test it: Create a new space on an existing client and invite your devices. Now, change your password during the registration process of a new client and you will not see the invitations in the new client, because this one will use a different 256 bit hash based on your new password (you will not see an error message, because we are just skipping invitations which could not be decrypted; you will only see an error in the log files). You have to invite the new device again using the normal Public-Private-Key invitation process.

Regards E. Pruehs
EPruehs
TeamDrive Team Member
 
Posts: 169
Joined: 17 Jul 2008, 18:05
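
The mechanism described in the reply above, sketched as an added example that is not part of the original thread and is not TeamDrive's code. Assumptions: the key derivation (PBKDF2 salted with the username), the HMAC-based stand-in for AES-256 (Python's standard library has no AES), and all function names are hypothetical; the page only states that a 256 bit hash of the password keys the AES encryption and that undecryptable invitations are skipped and logged.

```python
import hashlib, hmac, os

def derive_key(password, username):
    # Assumption: PBKDF2-HMAC-SHA256 salted with the username. The page only
    # says "a 256 bit hash based on your password". Output is 32 bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000)

def _keystream(key, nonce, n):
    # Stand-in for AES-256: HMAC-SHA256 in counter mode (stdlib only).
    out, ctr = b"", 0
    while len(out) < n:
        block = hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        ctr += 1
    return out[:n]

def seal_invitation(key, space_key):
    # Existing device: encrypt the space key, then authenticate nonce + ciphertext.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(space_key, _keystream(key, nonce, len(space_key))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_invitation(key, blob):
    # New device: returns the space key, or None if the tag does not verify.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def fetch_invitations(password, username, inbox, log):
    # Mirrors the described behaviour: failures are logged, not shown to the user.
    key = derive_key(password, username)
    spaces = []
    for i, blob in enumerate(inbox):
        space_key = open_invitation(key, blob)
        if space_key is None:
            log.append(f"invitation {i}: could not decrypt, skipped")
        else:
            spaces.append(space_key)
    return spaces

if __name__ == "__main__":
    # Constructed sample: one invitation sealed under the old password.
    user, log = "alice@example.com", []
    inbox = [seal_invitation(derive_key("old-pass", user), os.urandom(32))]
    print(len(fetch_invitations("old-pass", user, inbox, log)), log)
    print(len(fetch_invitations("new-pass", user, inbox, log)), log)
```

Anyone who can derive the same key from the password can open the invitation, so the protection of this path is bounded by the strength and secrecy of the password.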

Re: Are invitations secure?

Postby zwergnase » 08 Jul 2012, 14:56

@ EPruehs,
Another question: I have an account and Teamdrive installed on PC 1. When I install Teamdrive on PC 2 it will ask for my password. Is this password sent to the Teamdrive server or only a hash? Because if Teamdrive knows my password they can decrypt my invitations to my PC 2 and they will know my .pss files...
Thanks!
zwergnase
 
Posts: 1
Joined: 08 Jul 2012, 14:38

