#925 assigned defect

Information leak to holders of a directory read cap, about whether each dir entry is writeable and the length of its write cap

Reported by: davidsarah Owned by: daira
Priority: normal Milestone: soon
Component: code-dirnodes Version: 1.5.0
Keywords: backward-compatibility privacy security Cc: zooko
Launchpad Bug:

Description (last modified by zooko)

The encryption of the rw_uri of a dirnode with the writekey of its directory is done in CTR mode, and is length-preserving (excluding the added salt and MAC tag which are fixed-length). This leaks the length of the plaintext rw_uri to a holder of the directory read cap. This is a relatively minor information leak, but it does reveal whether the object pointed to by each dirnode entry would be writeable to someone with the directory write cap -- if not then the ciphertext excluding salt and MAC will be zero-length.

(The directory readcap holder necessarily knows whether or not the object pointed to by the dirnode entry is mutable -- but if it is, then they don't have any need to know whether it is writeable.)

Padding to a fixed length could solve this, but there would be a backward-compatibility problem, because the padding would break earlier storage clients who wouldn't be expecting it. Starting from Tahoe-LAFS 1.6, we have addressed that by making _unpack_contents strip spaces from the end of the decrypted rw_uri. That potentially allows some future version to pad the URI with spaces to a fixed length (breaking only clients of versions before 1.6).

Change History (18)

comment:1 Changed at 2010-01-22T18:05:41Z by davidsarah

  • Keywords privacy added; confidentiality removed

Discloses only "information other than file contents."

comment:2 follow-up: Changed at 2010-01-23T13:19:02Z by davidsarah

The patch for #833 now implements the 'strip spaces from the front and end of the decrypted rw_uri' suggestion, since that code needed to change anyway.

comment:3 in reply to: ↑ 2 Changed at 2010-01-27T20:37:14Z by davidsarah

Replying to davidsarah:

The patch for #833 now implements the 'strip spaces from the front and end of the decrypted rw_uri' suggestion, since that code needed to change anyway.

I'm going to change this to strip spaces only from the end. Stripping them from the front would have an unnecessarily confusing interaction with prefix checks.

comment:4 Changed at 2010-03-09T19:14:37Z by davidsarah

  • Keywords forward-compatibility removed
  • Milestone changed from undecided to 2.0.0

The forward-compatibility part of this issue is fixed -- 1.6.0 strips spaces from the end -- but we can't break backward-compatibility yet.

comment:5 Changed at 2010-04-08T02:10:37Z by davidsarah

  • Keywords security added
  • Summary changed from Information leak to holders of a directory read cap, about whether each dir entry is writeable to Information leak to holders of a directory read cap, about whether each dir entry is writeable and the length of its write cap

comment:6 Changed at 2010-04-08T02:13:08Z by davidsarah

  • Description modified (diff)

comment:7 Changed at 2011-08-12T04:47:06Z by zooko

  • Milestone changed from 2.0.0 to 1.10.0

comment:8 Changed at 2011-08-12T04:47:17Z by zooko

  • Cc zooko added

comment:9 follow-up: Changed at 2011-08-12T17:53:12Z by zooko

  • Milestone changed from 1.10.0 to eventually

I briefly put this ticket into the 1.10 Milestone, but then I realized we don't want to break backwards compatibility with Tahoe-LAFS v1.6, because it ships with Ubuntu 10.04 Lucid:

http://packages.ubuntu.com/search?keywords=tahoe-lafs&searchon=names&suite=all&section=all

Lucid is an Ubuntu "Long Term Stable" release, is supported by the Ubuntu project and/or Canonical until 2015, and in all likelihood will be widely used at least until then. We should be cautious about making any change that breaks backward compatibility with Tahoe-LAFS v1.6.

Moving this ticket to Milestone "eventually".

comment:10 in reply to: ↑ 9 ; follow-up: Changed at 2011-08-12T23:41:12Z by davidsarah

Replying to zooko:

I briefly put this ticket into the 1.10 Milestone, but then I realized we don't want to break backwards compatibility with Tahoe-LAFS v1.6, because it ships with Ubuntu 10.04 Lucid:

http://packages.ubuntu.com/search?keywords=tahoe-lafs&searchon=names&suite=all&section=all

The forward compatibility fix was in Tahoe v1.6.0. Only versions *before* that would be broken.

comment:11 in reply to: ↑ 10 Changed at 2011-08-13T04:14:28Z by zooko

Replying to davidsarah:

The forward compatibility fix was in Tahoe v1.6.0. Only versions *before* that would be broken.

Oh, good! I remember you and I caring a lot about forward-compatibility back then, and now I'm glad we did. :-)

I'm happy to drop backward-compatibility with Tahoe-LAFS older than v1.6.

comment:12 Changed at 2013-07-07T23:18:41Z by zooko

  • Description modified (diff)

See also #2018, about padding of file contents.

comment:13 Changed at 2014-12-06T14:35:41Z by daira

  • Milestone changed from eventually to 1.12.0

comment:14 Changed at 2014-12-06T14:37:12Z by daira

  • Owner set to daira
  • Priority changed from minor to normal
  • Status changed from new to assigned

comment:15 Changed at 2016-03-22T05:02:25Z by warner

  • Milestone changed from 1.12.0 to 1.13.0

Milestone renamed

comment:16 Changed at 2016-06-28T18:17:14Z by warner

  • Milestone changed from 1.13.0 to 1.14.0

renaming milestone

comment:17 Changed at 2020-06-30T14:45:13Z by exarkun

  • Milestone changed from 1.14.0 to 1.15.0

Moving open issues out of closed milestones.

comment:18 Changed at 2021-03-30T18:40:19Z by meejah

  • Milestone changed from 1.15.0 to soon

Ticket retargeted after milestone closed

Note: See TracTickets for help on using tickets.