Context Navigation

Changes between Version 48 and Version 49 of NewCaps/WhatCouldGoWrong

Timestamp:: 2009-10-21T00:54:23Z (15 years ago)
Author:: davidsarah
Comment:: to prevent some attacks, hash_r must be a suitable KDF (sort-of implied by secrecy of R, but better to be explicit)

Legend:

: Unmodified
: Added
: Removed
: Modified

NewCaps/WhatCouldGoWrong

-                      v48
+                      v49
 ||#||''what bad thing could happen''||''how''||''who could do it''||''what could they target''||''what crypto property prevents it''||''how expensive to brute force''||
 ||1||shape-shifter immutable file [footnote 1]||collide read-cap (''R'',''T'')||creator of a file||their own file||the hash function's and cap format's collision resistance on the read-cap (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||approx sqrt(2.''p'').2^(''r''+''t'')/2^ [footnotes 7,8]||
 ||2||unauthorized read||attack the encryption of ''K1'' with ''R''||anyone||any one file||the security of the encryption scheme used for ''K1'', and the secrecy of the read-key ''R''||''p''.2^min(''r'',''k'')^||
 ||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||(''p''/''N'').2^''r''+''t''^ [footnotes 5,8]||
+||1||shape-shifter immutable file [footnote 1]||collide read-cap (''R'',''T'')||creator of a file||their own file||the hash function's and cap format's collision resistance on the read-cap (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct, and on the suitability of hash_r as a KDF (key derivation function).||approx sqrt(2.''p'').2^(''r''+''t'')/2^ [footnotes 7,8]||
+||2||unauthorized read||attack the encryption of ''K1'' with ''R''||anyone||any one file||the security of the encryption scheme used for ''K1'', the secrecy of the read-key ''R'', and the suitability of hash_r as a KDF.||''p''.2^min(''r'',''k'')^||
+||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct, and on the suitability of hash_r as a KDF.||(''p''/''N'').2^''r''+''t''^ [footnotes 5,8]||
 ||4||roadblock or speedbump [footnote 2]||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's ''T'', and copy their ''S''||anyone [footnote 6]||any one file||the hash function's and cap format's second-preimage resistance on ''T''||(''p''/''N'').2^''t''^||
 ||5||unauthorized read||attack the encryption of the plaintext with ''K1''||anyone||any one file||the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key ''K1''. The latter also depends on the security and seeding of the RNG that generated it.||''p''.2^''k''^||