[tahoe-dev] protecting against bugs in our own crypto code

zooko zooko at zooko.com
Tue May 6 13:34:11 PDT 2008


On May 6, 2008, at 2:01 PM, Brian Warner wrote:

>> Fortunately, we can have both integrity-check on the plaintext, and
>> immunity to the question of such attacks by using a MAC instead of a
>> secure hash, where the MAC key is (derived from) the encryption key.
>> As a bonus, we can get reduced CPU usage and smaller Capability
>> Extension Blocks compared to a secure hash of the plaintext by using
>> the modern Carter-Wegman MAC such as Poly1305-AES or VMAC-AES-128.
>
> Two other alternatives we might consider:
>
>  encrypt the plaintext hash(es)

Why would this be better than a MAC?

A fair answer would be "Because we understand secure hashes and  
encryption better than we understand MACs, and other people do, too.".

Is that what you were thinking?

Hm...  Actually, we would like for people without read-capability,  
but with only verify-capability to be able to verify this integrity  
check, right?  So then the secret key for the MAC, or equivalently  
the encryption key for encrypting the hash, should perhaps be  
associated with the verify cap rather than with the read-cap.  But of  
course the verify cap is (currently) public.

Hm.  This is hard to think about.


> One design goal is to allow us to verify the hashes one segment at  
> a time.
> This is the reason for the plaintext/ciphertext merkle trees. If we  
> go with a
> MAC or an encrypted hash, we need to make sure we build a merkle  
> tree out of
> them to retain this property.

Perhaps we should distinguish between a cryptographic integrity check  
and a "runtime-self-check".  If we did that, then someone might, for  
example, watch a whole movie while relying on a secure hash Merkle  
tree for integrity of the movie, only at the end to get an internal  
self-check error saying that, while the crypto checked out, the  
redundant MAC on the flat plaintext didn't.  Would that be okay?   
(This could happen only if there were a bug in our crypto, or a bug  
in our self-check, or an attack on the secure hashes but not on the  
MAC.)

Something else that perhaps we should distinguish is different  
capabilities which are partly extruded into the Capability Extension  
Block.  There are two levels of privilege for immutable files: read  
(which gives you the plaintext) and verify (which gives you the  
ability to verify that the ciphertext is correct but not the ability  
to read the plaintext).  There are three levels of mutable files:  
write, read, and verify.  There is discussion about other kinds of  
privilege that we might want to separate: deep-verify separate from  
verify and shallow-read-only separate from deep-read-only have been  
proposed.

It might make sense to ask, for each thing in the Capability  
Extension Block, "Which capability is *this* thing part of?".

Regards,

Zooko



More information about the tahoe-dev mailing list