[tahoe-dev] [tahoe-lafs] #723: helper: client should verify ciphertext hashes and UEB

tahoe-lafs trac at allmydata.org
Sun May 31 12:46:27 PDT 2009


#723: helper: client should verify ciphertext hashes and UEB
---------------------------+------------------------------------------------
 Reporter:  warner         |           Owner:           
     Type:  defect         |          Status:  new      
 Priority:  major          |       Milestone:  undecided
Component:  code-encoding  |         Version:  1.4.1    
 Keywords:  helper         |   Launchpad_bug:           
---------------------------+------------------------------------------------
 Prompted by a question from David-Sarah Hopwood, I spent some time today
 reviewing the helper code, and realized that the client should be doing
 more verification of the data that the helper returns to it. Specifically,
 the client should:

  * locally compute the ciphertext hashes (flat and Merkle tree), in
 {{{upload.EncryptAnUploadable}}}
  * compare these against the versions returned by the helper, in
 {{{AssistedUploader._build_verifycap}}}
 {{{upload_results.uri_extension_data}}}
  * compute and compare the resulting UEB hash

 This would prevent the helper from causing an integrity violation. With
 the present behavior, the helper can flip bits in the ciphertext (or
 upload a completely unrelated ciphertext of the same length) and return
 the resulting ciphertext hash to the trusting client. Because the client
 doesn't perform any validation of the response, it will simply build and
 return the resulting filecap. Later, when someone attempts a download with
 this filecap, they will receive the altered ciphertext (but it will match
 the hash provided by the helper) and try to decrypt it. Since we removed
 the plaintext hashes in [2331],[2337],[2338],[3286], the downloader hash
 no way to check the plaintext either, and will return corrupted plaintext
 to the end user.

 With the current codebase, this won't be too much work. But when
 [http://allmydata.org/trac/pycryptopp/ticket/18 pycryptopp#18] (allow
 random-access AES-CTR encryption) is fixed, I'd like to improve the
 assisted-uploader code to be more efficient in the resumed-upload case (by
 not encrypting-then-discarding all the previously-uploaded data), at which
 point this locally-generate-hashes fix would become more difficult. Or
 rather, I might have to forego the resumed-upload improvement to retain
 the don't-rely-on-helper-for-integrity property that this ticket would
 provide.

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/723>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid


More information about the tahoe-dev mailing list