
Passwords and Other Information Backed Up in Plain Text


dnl


I am new to ISY and to this forum so I may be writing about a topic that has been discussed before. Sorry if I am addressing old issues -- I did not find anything on this topic.

 

I am a curious person who looks into things to see how they work. I examined the ZIPPED files in an ISY backup and was surprised to see the ISY logon id, logon password and email password are stored in the backup in plain text. Anyone with access to the backup can easily see what I would think is rather sensitive information.

 

This may not be a problem for many or most people because the ZIP files can be stored on a computer that the user controls but, without thinking too hard about this, it seems to be a chink in the ISY's security armor.

 

Would it create too many problems if a future version encrypted this information or at least made it harder to see (maybe XOR the characters with a binary mask known only to the firmware)?

 

I hasten to add this issue is not important to me but I thought I would bring it up just in case it is important to others and has been overlooked.


Hello dnl,

 

You are correct. We do have plans to encrypt everything, but it's not high on our priority list since backup files are not stored on a server (they are the responsibility of the customer to keep safe).

 

The problem with encrypting the passwords is that we have to have a key to encrypt it so if the key is device unique, then the same backup will not work when restored on a different device. If it's a master key, then the problem is that all backup files will be encrypted with the same key which is basically just a little more secure than plain text.

 

In short, it is in our plans but with low priority.

 

With kind regards,

Michel


Hi Michel,

 

Thanks for the reply. It is easy to understand why this has a low priority.

 

I have two more thoughts for whatever they may be worth.

 

First, the encryption key could be provided by the user in the form of a passphrase, much the same as is done by PGP (Phil Zimmermann).

 

Second, it might be easier to implement by writing the backup into a password-protected ZIP file (probably less secure but better than nothing). The password could be provided by the user and be optional -- no password, no protection.

 

The passphrase or password could be stored in the ISY to eliminate prompts for restores into the same device. User input would be needed only if the backup was read into a different device.

 

By the way, I am impressed with the level of comments in this forum by both UDI staff and your customers/clients/partners.


Hello dnl,

 

I love the idea of making the zip file password protected. This said, however, the main problem is with situations where an installer installs/configures the system and then leaves. Without having the password for the zip file - and in case of failure - the customer would have to start from scratch.

 

We have to find a more robust way of handling this issue without having a master key while having provisions for when the user key gets lost. Do you have any thoughts?

 

With kind regards,

Michel


Hi Michel,

 

I expect better minds than mine (namely you and others at UDI) have thought about this so it may be unlikely I have any thoughts that are better than what you have already considered.

 

It seems to me the basic problems to overcome are: (1) protect the sensitive information; and (2) facilitate the recovery of information that is difficult or bothersome to recreate.

 

I think in most (or all?) cases, the sensitive information is not so difficult to recreate. If this is true, then both needs can be achieved by separating the sensitive information from the rest and then encrypting or protecting only the sensitive information. If the encryption key is lost, the sensitive information would have to be recreated, but the remaining information could be recovered without the key.

 

If the sensitive information were saved in a separate file within the ZIP, that one file could either be encrypted or ZIPPED with an optional password.

 

As device configurations are changed and expanded, users should write new backups. You could add some text to the backup dialog that prompts or reminds users of the ability to provide a password. That would help ensure they use a password that they know and not rely on what an installer did.

 

It's not perfect but maybe better than what we have now?

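The split dnl describes above (credentials in their own backup member, sealed under a user-supplied passphrase, everything else left readable) as an added Go example; this is not UDI's code or anything from this thread, and the member name secrets.enc, the PBKDF2 key stretching and AES-256-GCM are my assumptions about how one might do it.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// deriveKey is PBKDF2-HMAC-SHA256 (100k rounds, one 32-byte block), spelled out so the example needs only the standard library.
func deriveKey(pass string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(pass))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index INT(1)
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	return key
}

// aead is AES-256-GCM under the passphrase-derived key.
func aead(pass string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(pass, salt)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealSecrets produces the hypothetical secrets.enc member (salt || nonce || ciphertext+tag); it is applied only to the credentials, the rest of the backup stays plain.
func sealSecrets(pass string, plain []byte) ([]byte, error) {
	hdr := make([]byte, 28) // fresh 16-byte salt and 12-byte nonce per backup
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return append(hdr, aead(pass, hdr[:16]).Seal(nil, hdr[16:], plain, nil)...), nil
}

// openSecrets fails closed: a wrong passphrase or a modified member returns an error, never garbage credentials.
func openSecrets(pass string, blob []byte) ([]byte, error) {
	if len(blob) < 28 {
		return nil, errors.New("secrets.enc truncated")
	}
	return aead(pass, blob[:16]).Open(nil, blob[16:28], blob[28:], nil)
}
```

If the passphrase is lost, only the output of sealSecrets becomes unreadable; the unsealed members restore as before and the credentials are re-entered.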
