在同步密码有效载荷时对抗时钟偏移的力量
A good password manager should be able to securely store, sync, and even autofill your username and password when logging into websites and apps. A password manager like…Dropbox Passwords!
一个好的密码管理器应该能够安全地存储、同步,甚至在登录网站和应用程序时自动填充你的用户名和密码。一个密码管理器如......Dropbox密码!
When we released Dropbox Passwords in the Summer of 2020, it was important we ensured that a user’s logins would always be available—and up to date—on any device they used. Luckily, Dropbox has some experience here, and we were able to leverage our existing syncing infrastructure to copy a user’s encrypted password info, known as a payload, from one device to another. However, while implementing this crucial component, we encountered an unexpected syncing issue where, sometimes, out-of-date login items would overwrite newer, more recent changes.
当我们在2020年夏天发布Dropbox密码时,我们必须确保用户的登录信息在他们使用的任何设备上都是可用的,并且是最新的。幸运的是,Dropbox在这方面有一些经验,我们能够利用我们现有的同步基础设施,将用户的加密密码信息(被称为有效载荷)从一个设备复制到另一个设备。然而,在实施这一关键组件时,我们遇到了一个意想不到的同步问题,有时,过时的登录项目会覆盖较新的、较近的变化。
Eventually we found a solution that built on prior Dropbox syncing work. But it also involved contemplating the very nature of time itself.
最终,我们找到了一个建立在先前Dropbox同步工作基础上的解决方案。但这也涉及到对时间本身本质的思考。
The two-way merge
双向合并
Dropbox Passwords uses zero-knowledge encryption. This means the private encryption key for a user’s passwords is only stored on their local devices, and the server is unable to decrypt them. While this is good for security purposes, it means we need to rely on the client to manage syncing and merging, and thus cannot rely on the server as a source of truth for recency as we typically would.
Dropbox密码使用零知识加密。这意味着用户密码的私人加密密钥只存储在他们的本地设备上,而服务器无法解密它们。虽然这对安全来说是好事,但这意味着我们需要依靠客户端来管理同步和合并,因此不能像通常那样依靠服务器作为真实性的来源。
Initially, our sync algorithm used a two-way merge. If a user edited an existing login item—thus, modifying the client’s local payload—the client performed the following steps:
最初,我们的同步算法使用了双向合并的方式。如果一个用户编辑了一个现有的登录项目--也就是修改了客户端的本地有效载荷--客户端会执行以下步骤。
- Update the local payload with the new details and current time.
- 用新的细节和当前时间...