[tahoe-lafs-trac-stream] [tahoe-lafs] #2018: padding to hide the size of plaintexts
tahoe-lafs
trac at tahoe-lafs.org
Tue Jul 23 17:56:01 UTC 2013
#2018: padding to hide the size of plaintexts
-------------------------+-------------------------------------------------
Reporter: zooko          | Owner: nejucomo
Type: enhancement        | Status: new
                         | Milestone: undecided
Priority: normal         | Version: 1.10.0
Component: code-encoding | Keywords: confidentiality privacy compression
                         |           newcaps research
Resolution:              |
Launchpad Bug:           |
-------------------------+-------------------------------------------------
Comment (by nejucomo):
Replying to [comment:8 zooko]:
> I'm not sure how to proceed with the threat model you suggest, nejucomo.
> The avenue of information that you mention (range updates) is closely
> related to the one Marsh Ray mentioned (comment:4).
>
> At the moment I feel blocked, because I'm not sure how to proceed with
> the threat model. My feeling is, if I want to make progress on this I
> should ignore the whole idea of a threat model and move ahead with
> implementation! That sounds wrong, but what's the next step on the threat
> model?
Let's start here:
* What specific confidentiality claims can we make to users about this feature?
Perhaps we should review existing threat models for other storage
applications which have confidentiality-from-storage-operator
requirements.
Another way to approach the threat model is to show a tangible
vulnerability for confidentiality of the current `LAFS` storage (without
padding). Then demonstrate that padding thwarts that to some degree.
Some interesting challenges:
As a storage operator can I deduce with > 50% accuracy that a particular share:
* represents a directory?
* represents a directory with N children.
* represents a directory with N children with a total of K bytes of child edge names.
* is part of a well known specific directory structure? ''e.g.'' the `linux` source.
* is part of a well known general directory structure? ''e.g.'' "this is a git repository" or "this is a linux home directory".
* is a well known general file format? ''e.g.'' "this is an ssh private key"
* correlations amongst the above. ''e.g.'' given the probability that share A is a home directory and B is a `.ssh` directory inside it, the probability that share C is a private ssh key is P.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2018#comment:11>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
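The comment above proposes showing a concrete size-based inference (e.g. "this share is a directory with N children") and then measuring how far padding blunts it. The following Python is an added illustration of that measurement, not code from the ticket or from Tahoe-LAFS: it models a directory plaintext with a constructed toy encoding (`HEADER_BYTES + CHILD_BYTES * n`, which is not the real LAFS dirnode format), compares two candidate padding schemes (round up to a power of two, round up to a fixed bucket) against no padding, and counts how many child counts remain consistent with the size a storage operator would observe. All constants and scheme choices are assumptions for the demonstration.

```python
"""Added example: quantify what share size reveals about a directory's
child count, with and without padding.

Assumptions (constructed for this illustration, not from the ticket):
- a directory plaintext is HEADER_BYTES + CHILD_BYTES * n_children bytes;
- the storage operator sees the padded plaintext length (ciphertext
  expansion is ignored, since it is a constant offset);
- "round to next power of two" and "round to fixed bucket" are candidate
  schemes chosen here, not proposals from the ticket.
"""

HEADER_BYTES = 64    # constructed toy value
CHILD_BYTES = 200    # constructed toy value: bytes per directory entry


def plaintext_size(n_children: int) -> int:
    """Toy directory encoding size for n_children entries."""
    return HEADER_BYTES + CHILD_BYTES * n_children


def no_padding(size: int) -> int:
    """Baseline: the observed size equals the plaintext size."""
    return size


def pad_pow2(size: int, minimum: int = 1024) -> int:
    """Round up to the next power of two, never below `minimum`."""
    if size <= minimum:
        return minimum
    return 1 << (size - 1).bit_length()


def pad_fixed(size: int, bucket: int = 4096) -> int:
    """Round up to a multiple of `bucket` (at least one bucket)."""
    return max(1, -(-size // bucket)) * bucket


def consistent_child_counts(observed: int, padder, max_children: int = 10000) -> list:
    """All child counts n whose padded size would produce `observed`.

    A list of length 1 means the operator can read off n exactly;
    longer lists mean the size only narrows n to a range.
    """
    return [n for n in range(max_children + 1)
            if padder(plaintext_size(n)) == observed]


def leakage_report(n_children: int, padder) -> tuple:
    """(observed size, number of consistent child counts, padding overhead)."""
    plain = plaintext_size(n_children)
    observed = padder(plain)
    candidates = consistent_child_counts(observed, padder)
    return observed, len(candidates), observed - plain


def main() -> None:
    print(f"{'scheme':>10} {'n':>4} {'observed':>9} {'consistent n':>13} {'overhead':>9}")
    for n in (0, 5, 50, 500):
        for name, padder in (("none", no_padding), ("pow2", pad_pow2), ("fixed4k", pad_fixed)):
            observed, count, overhead = leakage_report(n, padder)
            print(f"{name:>10} {n:>4} {observed:>9} {count:>13} {overhead:>9}")


if __name__ == "__main__":
    main()
```

Reading the output: without padding every child count is uniquely determined from the size, which is the tangible weakness the comment asks to demonstrate. Power-of-two padding makes small directories indistinguishable within a bucket (for the toy encoding, 5 children is indistinguishable from 6 through 9) but the bucket width, and so the overhead, grows with the file; a fixed bucket gives a constant overhead and a constant-width anonymity set. Neither scheme hides which bucket a share falls in, so the report is a starting point for deciding which claim a padding feature can honestly make, not a proof of confidentiality.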