Changes between Version 34 and Version 35 of NewCaps/WhatCouldGoWrong


Ignore:
Timestamp:
2009-10-11T15:52:09Z (15 years ago)
Author:
davidsarah
Comment:

generalize attack costs for low-success-probability and multi-target attacks

Legend:

Unmodified
Added
Removed
Modified

  • NewCaps/WhatCouldGoWrong

    v34 v35  
    44||#||''what bad thing could happen''||''how''||''who could do it''||''what could they target''||''what crypto property prevents it''||''how expensive to brute force'' [footnote 5]||
    55||1||shape-shifter immutable file [footnote 1]||collide read-cap (''R'',''T'')||creator of a file||their own file||the hash function's and cap format's collision resistance on the read-cap (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||2^(''r''+''t'')/2^||
    6 ||2||unauthorized read||attack the encryption of ''K1'' with ''R''||anyone||any one file||the security of the encryption scheme used for ''K1'', and the secrecy of the read-key ''R''||2^min(''r'',''k'')^||
    7 ||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||2^''r''+''t''^ [footnote 7]||
    8 ||4||roadblock or speedbump [footnote 2]||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's ''T'', and copy their ''S''||anyone [footnote 6]||any one file||the hash function's and cap format's second-preimage resistance on ''T''||2^''t''^||
    9 ||5||unauthorized read||attack the encryption of the plaintext with ''K1''||anyone||any one file||the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key ''K1''. The latter also depends on the security and seeding of the RNG that generated it.||2^''k''^||
     6||2||unauthorized read||attack the encryption of ''K1'' with ''R''||anyone||any one file||the security of the encryption scheme used for ''K1'', and the secrecy of the read-key ''R''||2^min(''r'',''k'').''p''||
     7||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||2^''r''+''t''^.''p''/''N'' [footnote 7]||
     8||4||roadblock or speedbump [footnote 2]||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's ''T'', and copy their ''S''||anyone [footnote 6]||any one file||the hash function's and cap format's second-preimage resistance on ''T''||2^''t''^.''p''/''N''||
     9||5||unauthorized read||attack the encryption of the plaintext with ''K1''||anyone||any one file||the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key ''K1''. The latter also depends on the security and seeding of the RNG that generated it.||2^''k''^.''p''||
    1010||6||unauthorized read||figure out the input to the hash function that generates ''S''||anyone||any one file||the hash function's onewayness for (''R'',''T'') -> ''S''||brute force on ''R'' is !#2||
    11 ||7||unauthorized deletion||brute force KD||anyone||any one file||secrecy of ''KD''||2^''d''^||
    12 ||8||unauthorized deletion||figure out a working destroy key KD from Dhash||anyone||any one file||the hash function's preimage resistance on ''Dhash''||2^min(''d'',''dh'')^||
     11||7||unauthorized deletion||brute force KD||anyone||any one file||secrecy of ''KD''||2^''d''^.''p''/''N''||
     12||8||unauthorized deletion||figure out a working destroy key KD from Dhash||anyone||any one file||the hash function's preimage resistance on ''Dhash''||2^min(''d'',''dh'')^.''p''/''N''||
    1313||9||denial of service||prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them or the network)||anyone||any file||not prevented by crypto||n/a||
    14 ||10||cause invalid share to verify||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's (''T'',''U''), and copy their ''S''||anyone||any one file||the hash function's second-preimage resistance on (''T'',''U'')||2^''t''+''u''^ [footnote 7]||
     14||10||cause invalid share to verify||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's (''T'',''U''), and copy their ''S''||anyone||any one file||the hash function's second-preimage resistance on (''T'',''U'')||2^''t''+''u''^.''p''/''N'' [footnote 7]||
    1515||11||undeletion [footnote 3]||restore a deleted file's shares by controlling the relevant servers||anyone||any one file||not prevented by crypto||n/a||
    16 ||12||undeletion [footnote 3]||generate matching (''R'',''T'',''U'') for a deleted file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T'',''U'')||2^''r''+''t''+''u''^ [footnote 7]||
     16||12||undeletion [footnote 3]||generate matching (''R'',''T'',''U'') for a deleted file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T'',''U'')||2^''r''+''t''+''u''^.''p''/''N'' [footnote 7]||
    1717||13||accidental collision||storage indices (''S1'',''T1'') and (''S2'',''T2'') collide accidentally||n/a||any two files||approximately random distribution of hash function outputs||[footnote 4]||
    1818
     
    2020
    2121(The notes to the diagram assume ''k'' == ''r''.)
     22
     23''p'' <= 1 is the success probability of an attack. ''N'' is the number of targets for preimage attacks; this assumes that the attacker has stored the hashes for ''N'' files and is content with finding a preimage for any of them.
    2224
    2325