Messages - msw

#1
@g3gg0

Have a 60D, but not running ML and don't want to risk (soft)bricking it. I'm low on time too, but I'll keep it on my agenda. :)
#2
Hi g3gg0,
great to see such a function coming up. However, when it comes to implementing crypto there are a few pitfalls and it seems you didn't manage to stay clear of all of them. I had a quick glance at the code (which is easy to read, good work on that) and with the current state of affairs I'd issue a warning that io_crypt should not be considered as safe unless you just want to hide photos of upcoming Christmas presents from your spouse.

The biggest issue I have with your implementation is the self-made stream cipher based on the 64-bit LFSR. It is just too easy to break. Also using it in the hash function to derive a key from the password (where the password is alphanumeric only and no salt is added) reduces the strength further. Also, you have to add some fresh randomness for every picture or you get the same keystream for different pictures. XORing two encrypted pictures then removes the keystream and returns the difference of the pictures to you.
The next issue is using deterministic RSA. As the symmetric key is only 64 bits (and not 128 as stated in https://bitbucket.org/hudson/magic-lantern/src/703ee626326d7cb310b087a337b9dad2b2d642c4/modules/io_crypt/hash_password.c?at=unified#cl-45), given a series of encrypted pictures a somewhat powerful adversary has a non-negligible chance of guessing a key.
Finally, there is no protection against malicious modification of pictures. An attacker may alter some parts of the picture at will. This will likely show up as random noise (instead of some person or object that the attacker wanted removed). But with some sort of message authentication you could at least prove that the manipulation happened after writing the file to the SD card.

The great thing is: You showed that it is possible to do on-the-fly encryption on the camera. That is the important part. The next step is putting in good crypto in the right way. Have a look at http://tweetnacl.cr.yp.to/software.html This should compile without much fiddling and can replace your RSA code. (It might be even faster.) For password-based encryption you still will have to find an appropriate function for key derivation. The most common is PBKDF2 and it should not be too hard to adopt, e.g., the code from OpenBSD (http://bxr.su/OpenBSD/lib/libutil/pkcs5_pbkdf2.c).

If you have questions or need any assistance, just drop me a pm. I'd love to see io_crypt mature.
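
The keystream reuse, unsalted key derivation and missing authentication raised in the post above, shown as an added Python example (not code from io_crypt or from the poster). The SHAKE-256 keystream is a stand-in assumed for illustration where a real design would use a vetted cipher; the function names, iteration count and sample data are constructed.

```python
import hashlib
import hmac
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in generator (SHAKE-256 as an XOF), an assumption of this example;
    # a real design would use a vetted cipher such as NaCl's secretbox.
    return hashlib.shake_256(key).digest(n)

def encrypt_reused(password: bytes, plaintext: bytes) -> bytes:
    # Weak pattern: the key depends only on the password (no salt, no per-file
    # randomness), so every file is XORed with the same keystream.
    key = hashlib.sha256(password).digest()
    return xor(plaintext, keystream(key, len(plaintext)))

def derive(password: bytes, salt: bytes, iterations: int):
    km = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=64)
    return km[:32], km[32:]  # separate encryption and MAC keys

def encrypt_file(password: bytes, plaintext: bytes, iterations: int = 100_000) -> bytes:
    salt = os.urandom(16)  # fresh per file, so each file gets its own keys
    enc_key, mac_key = derive(password, salt, iterations)
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + ct + tag

def decrypt_file(password: bytes, blob: bytes, iterations: int = 100_000) -> bytes:
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = derive(password, salt, iterations)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: file was modified")
    return xor(ct, keystream(enc_key, len(ct)))

# Constructed sample "pictures" of equal length.
P1 = b"PIC-A " + bytes(range(0, 26))
P2 = b"PIC-B " + bytes(range(100, 126))

if __name__ == "__main__":
    c1, c2 = encrypt_reused(b"pw", P1), encrypt_reused(b"pw", P2)
    print("reused keystream leaks P1^P2:", xor(c1, c2) == xor(P1, P2))
    b1, b2 = encrypt_file(b"pw", P1), encrypt_file(b"pw", P2)
    print("salted keys leak P1^P2:", xor(b1[16:-32], b2[16:-32]) == xor(P1, P2))
    print("round trip ok:", decrypt_file(b"pw", b1) == P1)
```
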