[tahoe-dev] protecting caps

Brian Warner warner at lothar.com
Sat Aug 6 20:34:19 PDT 2011 

On 8/1/11 10:16 PM, Joseph Ming wrote:

> The opposite question is also relevant I think: what extra precautions
> does tahoe take to protect the user from losing their root cap? If I
> understand the design correctly, without the root cap (or access to
> some stored cap somewhere) the user won't be able to access any of
> their data (or the portion of their data for which they don't have
> caps).

Correct.

The general tahoe design (when you use the usual "everything under one
dircap" approach) distills *all* your security down into that one
rootcap. We felt that was the simplest possible tool to provide, giving
users the best chance of correctly understanding how the system works
and therefore the best chance of using it correctly. The Tahoe Security
Mantra is:

 Knowledge of the rootcap is both necessary and sufficient to retrieve
 your data.

There's a tension between availability (being able to get to your data)
and confidentiality (making sure that other people cannot get to your
data). Having a single rootcap doesn't erase that tension, but it boils
it down to a single short string, which makes it easier to use other
tools to decide on which side of the availability/confidentiality
spectrum you want to land.

If you're most worried about forgetting your data (e.g. sentimental
photos of your grandchildren that you don't mind the whole world
seeing), then you'll want to store as many copies of your rootcap as
possible: mail it to yourself and your family, write it in a scrapbook,
publish it in the wall street journal, just flood it out to the whole
world. If you lose your email account, your computer, even your whole
house, you can still go to any library and get a copy of that newspaper
and rebuild your client and type in the rootcap and retrieve the data.

On the other hand, if you're most worried about other people seeing that
data (e.g. details of your evil plan to conquer the world, which you'd
rather self-destruct than let the League Of SuperDuperHeroes learn),
then you'd keep no more than one copy of your rootcap, in some highly
secret and/or hard-to-reach place. Maybe inside your head (but they're
too long for that). Maybe printed out in a safe deposit box (but what if
the bank president is part of the League?). Maybe in a safe rigged to
catch fire if someone gets the combination wrong.

Of course, you might feel somewhere in the middle about your data, so
you might take an intermediate position. E.g. you might keep a single
backup copy printed out in a safe-deposit box: if your computer dies,
you can recover access with a new computer, a trip to the bank, and some
typing.

And you might have both kinds of data, so you might put them in separate
directories and manage the two rootcaps differently.

> Assuming I store everything in tahoe and never share my caps with
> anyone else and then my harddisk where my cap was stored dies is
> stolen etc., have I lost everything?

Yes.

> Is there some other way to try to recover my data, maybe by scouring
> all nodes involved in storing it for caps that belong to me?

Nope. If that were possible, then the "necessary" part of the Mantra
wouldn't be true. Storage nodes don't get to see the plaintext of
anything they help store, so they don't know the contents of directory
nodes and couldn't help with such a search.

> Are users encouraged to save a copy of their root cap somewhere other
> than their harddrive? Is there any mechanism to help the user do
> something like that?

Yes, and not directly. Tahoe itself is like a raw tool: there's plenty
of room for layering additional tools on top of it. Early on (at
AllMyData) we discussed providing a basic secret-splitting tool (based
upon e.g. http://en.wikipedia.org/wiki/Secret_sharing) that would take
your privately-held rootcap and generate maybe 5 postcards, which you'd
mail to different friends (ideally who don't know each other), and then
later you could rebuild the rootcap by having at least three of them
read you back the contents. We never got around to building it, though.

Personally, I'd just print out ~/.tahoe/private/aliases (and a copy of
your tahoe.cfg, which isn't secret, to make it easier to rebuild the
client) on paper, and store it in a safe or safe-deposit-box. If you
keep all your data under the one rootcap listed in private/aliases, then
you only have to do this once, and never need to touch it unless you
lose the disk.

cheers,
 -Brian

More information about the tahoe-dev mailing list