Changes between Version 24 and Version 25 of NewCaps/WhatCouldGoWrong


Ignore:
Timestamp:
2009-10-11T03:34:38Z (15 years ago)
Author:
davidsarah
Comment:

add footnote 6

Legend:

Unmodified
Added
Removed
Modified

  • NewCaps/WhatCouldGoWrong

    v24 v25  
    55||2||unauthorized read||attack the encryption of ''K1'' with ''R''||anyone||any one file||the security of the encryption scheme used for ''K1'', and the secrecy of the read-key ''R''||2^min(''n'',''k'')^||
    66||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||2^''n''+''t''^||
    7 ||4||roadblock or speedbump [footnote 2]||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's ''T'', and copy their ''S''||anyone||any one file||the hash function's and cap format's second-preimage resistance on ''T''||2^''t''^||
     7||4||roadblock or speedbump [footnote 2]||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's ''T'', and copy their ''S''||anyone [footnote 6]||any one file||the hash function's and cap format's second-preimage resistance on ''T''||2^''t''^||
    88||5||unauthorized read||attack the encryption of the plaintext with ''K1''||anyone||any one file||the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key ''K1''. The latter also depends on the security and seeding of the RNG that generated it.||2^''k''^||
    99||6||unauthorized read||figure out the input to the hash function that generates ''S''||anyone||any one file||the hash function's onewayness for (''R'',''T'') -> ''S''||brute force on ''R'' is !#2||
     
    28285. Brute force costs assume a single-target attack that is expected to succeed with high probability. Costs will be lower for attacking multiple targets or for a lower success probability. (Should we give explicit formulae for this?)
    2929
     306. ''roadblock''/''speedbump'' attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at http://jacaranda.org/tahoe/mutable-addonly-elkpoint-3.svg for mutable files).
     31
    3032
    3133http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html