[tahoe-dev] Fwd: Small-key DSA variant
Brian Warner
warner at lothar.com
Wed Aug 26 19:16:46 PDT 2009
David-Sarah Hopwood wrote:
> and hence are verifiable by the same public key (their own key, that
> is, not someone else's). This is a "duplicate signature" attack in the
> terminology of <http://citeseer.ist.psu.edu/stern02flaws.html>.
>
> Is that a valid attack on the intended security properties of Tahoe? I
> think probably not, provided that no-one expects these signatures to
> guarantee nonrepudiability.

Incidentally, one idea we've kicked around is to let mutable filecaps be
augmented with an extra hash-of-the-contents field, to turn them into
immutable filecaps. The creator could choose their own tradeoff between
cap-length and verification strength (which would include
nonrepudiability too).

A secondary motivation would be how it relates to future "LDMF" mutable
files, in which we're planning to include versioning. The readcap+hash
cap would basically point to a mutable slot (the readcap) and a specific
version of the file (the hash). The hash could be short, if you don't
mind being vulnerable to the writecap holder.

cheers,
-Brian
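
The readcap+hash idea in the message above, sketched as an added example that is not part of the original post and is not Tahoe-LAFS code. The `readcap#hexhash` encoding, the use of truncated SHA-256, every function name and the sample data are assumptions made for illustration, and the collision figure assumes that "vulnerable to the writecap holder" refers to a party who can choose both versions.

```python
import hashlib
import hmac

# Hypothetical encoding, not Tahoe-LAFS's cap syntax:
#   "<readcap>#<hex of the first n bytes of SHA-256(contents)>"

def make_pinned_cap(readcap: str, contents: bytes, hash_bytes: int) -> str:
    """Append a truncated content hash; the creator chooses hash_bytes."""
    if not 1 <= hash_bytes <= 32:
        raise ValueError("hash_bytes must be between 1 and 32")
    pin = hashlib.sha256(contents).digest()[:hash_bytes]
    return f"{readcap}#{pin.hex()}"

def split_pinned_cap(cap: str):
    """Return (readcap, pin); reject a missing or malformed hash field."""
    readcap, sep, hex_pin = cap.rpartition("#")
    if not sep or not readcap:
        raise ValueError("cap has no content-hash field")
    pin = bytes.fromhex(hex_pin)  # raises ValueError on non-hex input
    if not 1 <= len(pin) <= 32:
        raise ValueError("content-hash field has an unsupported length")
    return readcap, pin

def check_version(cap: str, contents: bytes) -> bool:
    """True if contents match the pinned hash, compared in constant time."""
    _, pin = split_pinned_cap(cap)
    digest = hashlib.sha256(contents).digest()[:len(pin)]
    return hmac.compare_digest(digest, pin)

def select_version(cap: str, versions):
    """Pick the stored version of the mutable slot that the pin names."""
    return next((v for v in versions if check_version(cap, v)), None)

def pin_strength_bits(cap: str):
    """Generic work factors in bits: (second preimage, collision).

    Second preimage: matching a version that already exists.
    Collision: a party who picks both versions (assumed here to be the
    writecap holder) only faces the birthday bound, half the pin length.
    """
    _, pin = split_pinned_cap(cap)
    bits = 8 * len(pin)
    return bits, bits // 2

if __name__ == "__main__":
    slot = [b"draft", b"release 1.0", b"release 1.1"]  # constructed sample versions
    cap = make_pinned_cap("example-readcap", slot[1], 8)
    print(cap, select_version(cap, slot), pin_strength_bits(cap))
```

An 8-byte pin adds 17 characters to the cap in this encoding, while a full 32-byte pin adds 65.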