[tahoe-dev] [tahoe-lafs] #795: append-only files
tahoe-lafs
trac at allmydata.org
Sat Aug 22 17:45:17 PDT 2009
#795: append-only files
--------------------------+-------------------------------------------------
Reporter: warner | Owner:
Type: enhancement | Status: new
Priority: major | Milestone: undecided
Component: code-mutable | Version: 1.5.0
Keywords: | Launchpad_bug:
--------------------------+-------------------------------------------------
Comment(by warner):
More notes:
Basically, each append-only-able file would have three keypairs:
* A: the whole-file-changing DSA keypair (As/Av)
* B: an appending DSA keypair (Bs/Bv)
* C: an appending RSA (encryption) keypair (Ce/Cd)
The writecap would get you everything, the appendcap gets you
Bs+Ce, and the readcap gets you just the three
verification/decryption keys Av+Bv+Cd. The server must know (and
enforce with) the verification keys Av+Bv.
The server would be responsible for:
* only allowing full-file rewrites that are signed by As
* accepting "append" messages signed by Bs and appending them
to the file (or putting them in a unique file in the share
directory, or something)
Andy the Appendcap-holder would need to encrypt his message with
Ce, sign it with Bs, then send it to the servers. Rose the
readcap-holder would check all the signature and then use Cd to
decrypt the append messages. Val the verifycap-holder needs to be
able to check the hashes and signatures on the append messages,
but not decrypt them (so we need encrypt-then-sign, instead of
sign-then-encrypt). And Rob the Repairer needs to be able to make
new shares out of everything, so the body being signed should
contain the share hash tree root. Each append message will be
erasure-coded separately.
Every once in a while, Wally the writecap holder might merge all
the append messages down into the "base object". Until this
happened, a colluding set of servers could discard arbitrary
append messages (meaning the file would not be monotonically
increasing). There might be ways to have each message include the
hash of the previous ciphertext to detect this sort of thing
(forcing the server to discard all-or-nothing, restoring
monotonicity, but introducing race conditions).
Maybe "add-only collection" would be a better model for this,
instead of implying that the object contains a linear sequence
of bytes. In fact, we might say that the objects stored in this
collection are arbitrary strings, with IDs based upon hashing
their contents, and make the append(X) operation be idempotent,
and give readers an unsorted set of these strings. This would
make things like the add-only directory easier to model.
To turn this into a dirnode, the append message would probably
contain a "proposed child name" and child readcap/writecap.
If/when Wally merges down the file, any name conflicts would be
resolved (by appending "(1)", or whatever) then.
Preserving transitive-readonlyness probably requires that both
writecap holders and appendcap holders (Wally and Andy) be able
to get to the same symmetric key (the child-writecap
superencryption key). One noteable difference with the normal
mutable-file layout is that this child-writecap key must *not*
let you derive the read key. Rose the readcap holder can see the
(encrypted) child-writecap column but can't decrypt it. Andy the
appendcap holder can't see the child-writecap column ciphertext,
but if he could, he could decrypt it (since he's supposed to be
able to put child-writecaps somewhere that Wally can read them).
This reveals a collusion attack: Andy and Rose could work
together to learn the child writecaps.
So child-writecaps in append messages must be encrypted to the
writecap holder, and not to anybody else. This suggests we need
another encryption keypair, De/Dd, in which the writecap holder
gets Dd, and everybody else gets De (but only Andy will use it,
because those messages must also be signed by Bs, held only by
Andy and Wally). This can't be a combined sign+encryption key,
which might save space, since Val and Rob need Bv to verify
those append messages later.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/795#comment:2>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
More information about the tahoe-dev
mailing list