#1164 new enhancement

use XSalsa20+AES-128 encryption — at Initial Version

Reported by: zooko
Owned by: somebody
Priority: major
Milestone: soon
Component: code
Version: 1.8β
Keywords: confidentiality
Cc: dragonxue, jack.lloyd, randombit
Launchpad Bug:

Description

In order to protect against weaknesses in AES (such as timing or side-channel attacks, or cryptanalysis, possibly far in the future and applied against old ciphertexts), we want to use a combined encryption of AES-128 and XSalsa20. Yu Xue (Student) and Jack Lloyd (Mentor) are working on implementing that mode for GSoC 2010:

http://tahoe-lafs.org/trac/pycryptopp/ticket/46

This ticket is to integrate that encryption mode into Tahoe-LAFS. The steps are to define new capability versions, such as by inserting an X into the cap type designator:

http://tahoe-lafs.org/pipermail/tahoe-dev/2010-August/004878.html
http://tahoe-lafs.org/pipermail/tahoe-dev/2010-August/004879.html

And to make it so that caps of that new type get encrypted/decrypted with XSalsa20+AES-128 instead of with AES-256. For the first release of Tahoe-LAFS which includes that functionality, it will still by default create new caps using the old encryption of only AES-256. It is important that people feel free to upgrade to new versions of Tahoe-LAFS without having to take any steps to ensure backward-compatibility, and that means that the new version of Tahoe-LAFS must not, by default, produce caps that older versions of Tahoe-LAFS (such as v1.8.0) can't read.

This tahoe-dev letter lists all the places where the current source code (which is Tahoe-LAFS v1.8.0c1) uses encryption:
