[tahoe-dev] Storing a small file leads to a weird read capability
David-Sarah Hopwood
david-sarah at jacaranda.org
Wed Apr 7 19:08:46 PDT 2010
Brian Warner wrote:
> The CHK mechanism is considered secure if the effort the attacker must
> expend to get your plaintext is sufficiently high (no better than random
> guessing). [...]
>
> LIT filecaps have the same property, but not derived from cryptography,
> because there is no ciphertext. The attacker gets nothing, and is asked
> to distinguish between hypothetical ciphertexts. If you reveal to me
> that you have a LIT file (perhaps indirectly, by asking my storage
> server for a mutable-directory share but then not fetching any immutable
> shares immediately afterwards), then I can probably assume that it's
> shorter that 65 bytes, but that leaves nearly 2**(8*65) possibilities,
> and I have no way to distinguish between them (I don't even have a
> SHA256 hash to use as an oracle). Clearly the attacker has nothing to
> work with, so they can't do better than random chance. (they don't even
> get length with LITs).
Subtle point: they don't get the length because LIT files don't have
write caps, so the potential weakness described in
<http://allmydata.org/trac/tahoe-lafs/ticket/925>, which can reveal
the length of a write cap, does not apply here.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 292 bytes
Desc: OpenPGP digital signature
Url : http://allmydata.org/pipermail/tahoe-dev/attachments/20100408/782b293b/attachment.pgp
More information about the tahoe-dev
mailing list