Security of encryption password

This forum is no longer monitored by the BackupAssist support team, but is available to the public to use for assistance with technical issues relating to BackupAssist v5.x.x.


Security of encryption password

Postby directpath » Tue Jan 26, 2010 12:18 pm

I asked this question a year ago but I don't think I was understood. We're going to upgrade to v5 so the answer may be different...

When we set up a new backup job and type in a password to encrypt it, BA stores this password somewhere so it can keep using it over and over each time the backup runs.

1) Where on the server does it store the password? e.g. registry, xml file in a user's profile, or in the BA installation directory?

2) Does it encrypt this password and if so what type of encryption is used? (I am not talking about the backup file, rather the password BA uses next time it runs the backup job & encryption)

This is a very important set of questions because we run 2 backups each night. One is of the entire server that we don't encrypt because it takes too long to do, and another of our database which we do encrypt. Now, if the backup cartridge was stolen someone could restore the whole Windows installation onto their computer complete with BA. To decrypt our database they would try to look where BA stores the encryption password. Hopefully this makes sense? I look forward to your reply.

Thanks,
Gary.
directpath
User
 
Posts: 18
Joined: Sat Jul 19, 2008 8:05 am

Re: Security of encryption password

Postby Sally » Thu Jan 28, 2010 2:34 am

Thank you for contacting BackupAssist.

We encrypt all remembered passwords using AES256 encryption, and these are saved with the other configuration files under the BackupAssist “data” directory:
• for older OS’s under “c:\documents and settings\all users\application data\BackupAssist V5\”
• for newer OS’s under “c:\programdata\BackupAssist V5\”
Note that the “BackupAssist V5” is taken from the name of the install directory chosen, so if the user changes to install BA under “d:\programs\BackupAssist\” on an SBS08 box then the data directory will be “c:\programdata\BackupAssist\”.

I hope this provides you with the information that you are needing.
Sally
 

Re: Security of encryption password

Postby directpath » Thu Jan 28, 2010 8:37 am

I am shocked to see that the password is stored IN THE CLEAR! There is no AES encryption of it at all! I am looking at the file C:\ProgramData\BackupAssist v5\jobs\2.config...

...
<object id="2" typeref="2">
<compressionLevel typeref="12">Z_BEST_SPEED</compressionLevel>
<copyNTFSStreams typeref="4">True</copyNTFSStreams>
<encryptionRequired typeref="4">True</encryptionRequired>
<jobKey>2</jobKey>
<numberOfCompressorThreads typeref="11">20</numberOfCompressorThreads>
<password>helloworld</password>
<preserveHiddenAttribute typeref="4">True</preserveHiddenAttribute>
<preserveSystemAttribute typeref="4">True</preserveSystemAttribute>
<settingsVersion typeref="11">0</settingsVersion>
<suppressNTFSStreamsWarning typeref="4">False</suppressNTFSStreamsWarning>
<useDefaultNumberOfThreads typeref="4">True</useDefaultNumberOfThreads>
</object>
...

Please can you explain why my password to encrypt/decrypt a backup of very confidential files is being stored in the clear for anyone with access to the server or the system backup to view?

I look forward to your response.
Thanks.
directpath
User
 
Posts: 18
Joined: Sat Jul 19, 2008 8:05 am
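A defender-side check, added here as an example (not code from the thread or from BackupAssist): it parses job config fragments in the format quoted above and flags jobs where encryptionRequired is True but the <password> value reads like typed text rather than an encoded blob, reporting a length and hash prefix instead of the secret. The classification heuristic, the second sample job and its opaque value are constructed assumptions; the thread does not show the real post-fix storage format.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder for a protected value (24 non-ASCII bytes, base64-encoded).
# The thread does not show the real post-5.4.3 format, so this is an assumption.
OPAQUE_VALUE = base64.b64encode(bytes(range(128, 152))).decode()

# Constructed samples modelled on the jobs\N.config fragment quoted in the thread.
SAMPLE_CONFIGS = {
    "2.config": """<object id="2" typeref="2">
<encryptionRequired typeref="4">True</encryptionRequired>
<jobKey>2</jobKey>
<password>helloworld</password>
</object>""",
    "3.config": f"""<object id="3" typeref="2">
<encryptionRequired typeref="4">True</encryptionRequired>
<jobKey>3</jobKey>
<password>{OPAQUE_VALUE}</password>
</object>""",
}

def classify_password(value: str) -> str:
    """Heuristic only: 'plaintext' if the value reads like a typed password,
    'opaque' if it is valid base64 decoding to mostly non-printable bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # wrong alphabet or padding: typed text, not a blob
        return "plaintext"
    printable = sum(32 <= b < 127 for b in raw) / max(len(raw), 1)
    return "plaintext" if printable > 0.9 else "opaque"

def audit_job_config(name: str, xml_text: str) -> list:
    """Flag jobs that require encryption yet store a plaintext-looking password.
    The secret is never returned; length and a hash prefix identify the finding."""
    findings = []
    for obj in ET.fromstring(xml_text).iter("object"):
        required = (obj.findtext("encryptionRequired") or "").strip().lower() == "true"
        pw = obj.findtext("password") or ""
        if required and pw and classify_password(pw) == "plaintext":
            findings.append({
                "file": name,
                "job": obj.findtext("jobKey") or obj.get("id"),
                "length": len(pw),
                "sha256_prefix": hashlib.sha256(pw.encode()).hexdigest()[:12],
            })
    return findings

def audit_all(configs: dict) -> list:
    return [f for n, t in configs.items() for f in audit_job_config(n, t)]
```

On a real server, build the mapping by reading each `*.config` under the jobs directory Sally named (for example `C:\ProgramData\BackupAssist v5\jobs`); any flagged job's password should be treated as exposed and changed once the fixed version is in place.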

Re: Security of encryption password

Postby Stuart » Thu Jan 28, 2010 9:59 am

Hi directpath,

It's Stuart here from the BackupAssist team, thanks for posting on our forum.

My deepest apologies regarding this situation. We have performed extensive testing with regard to password security and within our testing environment we found no issues with the encryption.
In saying this I have escalated your information directly to the development team leader so that it can be investigated further to make sure that in all cases the password is encrypted.

Would it also be possible for you to send in a set of diagnostic information so that we know exactly how you've got BackupAssist set up so that we can try replicate this in our testing environment also?
To send us diagnostic information please follow these steps:
1) Go to Contact Support (from the bottom-left corner of the console) -> Contact Support
2) Fill out the form and ensure that the Submit system diagnostics checkbox at the bottom is checked.

Yet again my apologies, I am unsure why this has happened and as stated above the development team are going to get onto this straight away. If you have anything to add please reply to my post or send an e-mail directly to support@backupassist.com.
Stuart Edwards
BackupAssist Support

*Have you tried restoring from your backups lately?*
Stuart
Cortex I.T.
 
Posts: 768
Joined: Tue Sep 02, 2008 2:25 pm

Re: Security of encryption password

Postby directpath » Thu Jan 28, 2010 10:44 am

Thanks for taking note of my concern. I have just submitted a report as requested.

Let's suppose you can fix it so the password is encrypted before it's stored in the config file. In order to encrypt it you will need to use a key. So where are you storing this key for BA to access in order to decrypt the password? If it's hard coded into the BA exe or one of the dlls then it can be found by decompiling your code or if lucky by using a hex editor. I don't expect you to reveal what method you use in a public forum, but it would be useful to be given some reassurance that something very secure is being done (that actually works!).

Please let me know when you have a fix for the problem or if you need any specific info from me to reproduce the problem. Thank you.

Gary.
directpath
User
 
Posts: 18
Joined: Sat Jul 19, 2008 8:05 am

Re: Security of encryption password

Postby directpath » Wed Feb 03, 2010 12:12 pm

Any news on resolving this bug please?

Thanks,
Gary.
directpath
User
 
Posts: 18
Joined: Sat Jul 19, 2008 8:05 am

Re: Security of encryption password

Postby Stuart » Wed Feb 03, 2010 2:01 pm

Hi everyone,

Just an update that we have officially released version 5.4.3 which addresses the issue this forum is about. You can download version 5.4.3 from http://www.backupassist.com/downloads/r ... etupBA.exe.

All newly created jobs will have the password automatically encrypted, and any pre-v5.4.3 jobs will have theirs encrypted the next time the backup runs.

Let me know if you have any issues with this and I'll try to help out where I can.
Stuart Edwards
BackupAssist Support

*Have you tried restoring from your backups lately?*
Stuart
Cortex I.T.
 
Posts: 768
Joined: Tue Sep 02, 2008 2:25 pm

Re: Security of encryption password

Postby directpath » Wed Feb 03, 2010 8:22 pm

Thanks for fixing this. I can confirm that the password looks encrypted in the new config files.
directpath
User
 
Posts: 18
Joined: Sat Jul 19, 2008 8:05 am

