#86 closed enhancement (wontfix)
add a check block to the front of the plaintext, to verify the correct key
Reported by: | warner | Owned by: | nobody |
---|---|---|---|
Priority: | minor | Milestone: | eventually |
Component: | code-encoding | Version: | 0.6.0 |
Keywords: | encoding integrity | Cc: | |
Launchpad Bug: |
Description
A cheap way to verify that the decoding process is using the correct AES key would be to add a block of well-known contents at the beginning of the plaintext during encryption, and to verify that it is still present during decryption.
This might also detect certain failures in FEC, although there are probably a number that would go undetected. It would also not catch bugs like the AES-CTR-mode bug we had (which was only triggered by non-blocksize reads).
But it would be cheap, and would detect the most common case (somebody mis-typing their URI).
Change History (6)
comment:1 Changed at 2007-08-14T19:00:06Z by warner
- Component changed from code to code-encoding
- Owner somebody deleted
comment:2 Changed at 2007-08-20T17:56:35Z by zooko
- Milestone changed from undecided to 0.6.0
- Owner set to zooko
- Status changed from new to assigned
comment:3 Changed at 2007-09-17T21:29:48Z by zooko
- Milestone changed from 0.6.0 to undecided
- Owner changed from zooko to nobody
- Status changed from assigned to new
Brian points out that nowadays we use the secure hash of the symmetric key as the storage index. Therefore, if someone has mistyped their symmetric key, then they'll never download anything at all.
In theory, someone in the future might want to use the Tahoe crypto format without using the Tahoe data storage. (For example, a future version of Tahoe might be able to download the ciphertext of a file even if the secret key of a file is corrupted.) So I'm moving this ticket to the "milestone: undecided" bucket.
comment:4 Changed at 2007-09-25T04:36:03Z by zooko
- Resolution set to wontfix
- Status changed from new to closed
I'm resolving this as wontfix. If in the future we or someone else uses our storage in such a way that you can end up with the wrong decryption key for your ciphertext then we should return to this idea.
comment:5 Changed at 2007-09-25T04:36:08Z by zooko
- Version changed from 0.4.0 to 0.6.0
comment:6 Changed at 2009-12-13T01:16:23Z by davidsarah
- Keywords integrity added
#453 [safely add plaintext_hash to immutable UEB] would address the same integrity issue, for immutable files and possibly also for mutable files depending on the implementation.
This is part of the "long-term data reliability" task. I would like to see it done for v0.6.