[tahoe-dev] cleversafe says: 3 Reasons Why Encryption is Overrated

Russ Weeks rweeks at gmail.com
Fri Jul 24 17:14:40 PDT 2009


Yikes, that All-Or-Nothing transform, that's an interesting algorithm.

Seems to me that it reduces the security of AES-256 to the security of
the dispersal algorithm.  If I control a subset of malicious nodes
within the distributed storage system, and I can convince the sender
(via DDOS or some network coordinate trickery, perhaps) to spread K
slices of user data amongst my nodes, then I can recover the user
data.

Why would I take a nice, robust, well-understood algorithm like
AES-256 and hobble it with my in-house dispersal algorithm?  Because
key management is hard?  It _is_ hard, definitely, and I don't quite
understand how TahoeLAFS approaches the problem (I guess it has to do
with these 'caps' you guys keep talking about), but we shouldn't
ignore the problem just because it's hard.

As for Reason #1, that computers get faster and faster: pick a key
size sufficiently large for you to retire well before your customers
come calling with pitchforks and torches.

As for Reason #3, that disclosure laws are a PITA: Any storage system
based on distributing erasure-encoded slices is going to enjoy those
benefits, right? I don't see how All-or-Nothing is a big win over a
key-management infrastructure.

-Russ

On Fri, Jul 24, 2009 at 6:33 AM, Zooko Wilcox-O'Hearn<zooko at zooko.com> wrote:
> [cross-posted to tahoe-dev at allmydata.org and cryptography at metzdowd.com]
>
> Disclosure:  Cleversafe is to some degree a competitor of my Tahoe-
> LAFS project.  On the other hand, I tend to feel positive towards
> them because they open-source much of their work.  Our "Related
> Projects" page has included a link to cleversafe for years now, I
> briefly collaborated with some of them on a paper about erasure
> coding last year, and I even spoke briefly with them about the idea
> of becoming an employee of their company this year.  I am tempted to
> ignore this idea that they are pushing about encryption being
> overrated, because they are wrong and it is embarrassing.  But I've
> decided not to ignore it, because people who publicly spread this
> kind of misinformation need to be publicly contradicted, lest they
> confuse others.
>
> Cleversafe has posted a series of blog entries entitled "3 Reasons
> Why Encryption is Overrated".
>
> http://dev.cleversafe.org/weblog/?p=63 # 3 Reasons Why Encryption is
> Overrated
> http://dev.cleversafe.org/weblog/?p=95 # Response Part 1: Future
> Processing Power
> http://dev.cleversafe.org/weblog/?p=111 # Response Part 2:
> Complexities of Key Management
> http://dev.cleversafe.org/weblog/?p=178 # Response Part 3: Disclosure
> Laws
>
> It begins like this:
>
> """
> When it comes to storage and security, discussions traditionally
> center on encryption.  The reason encryption – or the use of a
> complex algorithm to encode information – is accepted as a best
> practice rests on the premise that while it’s possible to crack
> encrypted information, most malicious hackers don’t have access to
> the amount of computer processing power they would need to decrypt
> information.
>
> But not so fast.  Let’s take a look at three reasons why encryption
> is overrated.
> """
>
> Ugh.
>
> The first claim -- that today's encryption is vulnerable to tomorrow's
> processing power -- is a common goof, which is easy to make by
> conflating historical failures of cryptosystems due to having too
> small of a crypto value with failures due to weak algorithms.
> Examples of the former are DES, which failed because its 56-bit key
> was small enough to fall to brute force, and the bizarre "40-bit
> security" policies of the U.S. Federal Government in the 90's.  An
> example of the latter is SHA1, whose hash output size is *not* small
> enough to brute-force, but which is insecure because, as it turns
> out, the SHA1 algorithm allows the generation of colliding inputs
> much quicker than a brute force search would.
>
> Oh boy, I see that in the discussion following the article "Future
> Processing Power", the author writes:
>
> """
> I don’t think symmetric ciphers such as AES-256 are under any threat
> of being at risk to brute force attacks any time this century.
> """
>
> What?  Then why is he spreading this Fear, Uncertainty, and Doubt?
> Oh and then it gets *really* interesting: it turns out that
> cleversafe uses AES-256 in an All-or-Nothing Transform as part of
> their "Information Dispersal" algorithm.  Okay, I would like to
> understand better the cryptographic effects of that (and in
> particular, whether this means that the cleversafe architecture is
> just as susceptible to AES-256 failing as an encryption scheme such
> as is used in the Tahoe-LAFS architecture).
>
> But, it is time for me to stop reading about cryptography and get
> ready to go to work.  :-)
>
> Regards
>
> Zooko
> ---
> Tahoe, the Least-Authority Filesystem -- http://allmydata.org
> store your data: $10/month -- http://allmydata.com/?tracking=zsig
> I am available for work -- http://zooko.com/résumé.html
>
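
Added example (not part of the original thread, and not Cleversafe's or Tahoe-LAFS's code): a minimal package-style all-or-nothing transform, showing the property discussed in the reply above, that whoever holds every slice recovers the data with no key, while a holder one slice short does not. Assumptions: a SHA-256 counter keystream stands in for AES-256, plain K-of-K slicing stands in for erasure-coded dispersal, and all function names are hypothetical.

```python
import hashlib
import os

KEY_LEN = 32  # 256-bit package key, the AES-256 key size named in the thread

def _keystream(key, n):
    # SHA-256 in counter mode: stdlib stand-in for AES-256 (assumption).
    out = bytearray()
    for ctr in range(-(-n // 32)):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def aont_package(data, key=None):
    """Encrypt under a fresh random key, then append key XOR H(ciphertext)."""
    key = key or os.urandom(KEY_LEN)
    ct = _xor(data, _keystream(key, len(data)))
    return ct + _xor(key, hashlib.sha256(ct).digest())

def aont_unpackage(package):
    """No secret input: the key is recomputed from the package itself."""
    ct, masked = package[:-KEY_LEN], package[-KEY_LEN:]
    key = _xor(masked, hashlib.sha256(ct).digest())
    return _xor(ct, _keystream(key, len(ct)))

def disperse(package, k):
    """Hypothetical K-of-K dispersal: cut the package into k slices."""
    size = -(-len(package) // k)
    return [package[i * size:(i + 1) * size] for i in range(k)]

def recover(slices):
    """What any holder of all k slices can do, with no key material."""
    return aont_unpackage(b"".join(slices))

def recover_without(slices, missing):
    """Holder of k-1 slices, substituting zeros for the one it lacks."""
    guess = [bytes(len(s)) if i == missing else s for i, s in enumerate(slices)]
    return recover(guess)

# Constructed sample input, not data from the thread.
DATA = b"constructed sample record: account 0042, balance 1250.00"
SLICES = disperse(aont_package(DATA), 4)

if __name__ == "__main__":
    print(recover(SLICES) == DATA)             # all slices, no key needed
    print(recover_without(SLICES, 2) == DATA)  # one slice short
```

With a K-of-N erasure code in place of the plain slicing, the same holds for any K slices, so confidentiality rests on who can gather a threshold of slices rather than on a secret key.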

