wiki:NewCaps/WhatCouldGoWrong

Version 10 (modified by davidsarah, at 2009-10-11T01:36:32Z)

--

This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: http://jacaranda.org/tahoe/immutable-elkpoint-2.svg

| # | what bad thing could happen | how | who could do it | what could they target | what crypto property prevents it | how expensive to brute force |
|---|---|---|---|---|---|---|
| 1 | shape-shifter immutable file [footnote 1] | collide read-cap (R,T) | creator of a file | their own file | the hash function's and cap format's collision resistance on the read-cap (R,T). This also depends on the encryption of K1 being deterministic and correct. | 2^((n+t)/2) |
| 2 | unauthorized read | attack the encryption of K1 with R | anyone | any one file | the cipher's security and the secrecy of the read-key R | 2^n |
| 3 | forgery of immutable file | generate a matching read-cap (R,T) for someone else's file | anyone | any one file | the hash function's and cap format's second-pre-image resistance on (R,T) | 2^(n+t) |
| 4 | roadblock or speedbump [footnote 2] | generate (K1enc,Dhash,V) that hash to someone else's T, and copy their S | anyone | any one file | the hash function's and cap format's collision resistance on T | 2^t |
| 5 | unauthorized read | attack the encryption of the plaintext with K1 | anyone | any one file | the cipher's security and the secrecy of the encryption key K1 | 2^k |
| 6 | unauthorized read | figure out the input to the hash function that generates S | anyone | any one file | the hash function's pre-image resistance on S | brute force on R is #2 |
| 7 | unauthorized deletion | brute force KD | anyone | any one file | secrecy of KD | 2^d |
| 8 | unauthorized deletion | figure out the destroy key KD from Dhash | anyone | any one file | the hash function's pre-image resistance on Dhash | brute force on KD is #7 |
| 9 | denial of service | prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them) | anyone | any file | not prevented by crypto | n/a |
| 10 | cause invalid share to verify | generate (K1enc,Dhash,V) that hash to someone else's (T,U), and copy their S | anyone | any one file | the hash function's second-pre-image resistance on (T,U) | 2^(t+u) |
| 11 | undeletion [footnote 3] | restore a deleted file's shares by controlling the relevant servers | anyone | any one file | not prevented by crypto | n/a |
| 12 | undeletion [footnote 3] | generate matching (R,T,U) for a deleted file | anyone | any one file | the hash function's and cap format's second-pre-image resistance on (R,T,U) | 2^(n+t+u) |

where k = bitlength(K1), n = bitlength(R), t = bitlength(T), u = bitlength(U), d = bitlength(KD).

  1. shape-shifter immutable file: creator creates more than one file matching the immutable file readcap
  2. roadblock: attacker prevents uploader (including repairer) from being able to write a real share into the right storage index; speedbump: attacker adds his bogus share into the list of shares stored under the storage index by the same method; downloader has to download, examine, and discard the bogus (K1enc,Dhash,V)'s until it finds the real one
  3. undeletion: attacker makes a deleted file (for which it need not have had a read cap) accessible at its previous storage index, and readable by previous read caps
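The work factors in the table can be evaluated for concrete bit lengths to see which row becomes the weakest link when one field of the cap is shortened. This is an added example, not code from the original page or from Tahoe-LAFS; the function names and the two parameter sets are constructed for illustration.

```python
from fractions import Fraction

# Work factors from the table, as exponents of 2 (log2 of the brute-force cost).
# Rows 6 and 8 reduce to rows 2 and 7; rows 9 and 11 are not prevented by
# crypto, so they have no work factor and are omitted.
COSTS = {
    1: ("shape-shifter immutable file", lambda p: Fraction(p["n"] + p["t"], 2)),
    2: ("unauthorized read via R", lambda p: p["n"]),
    3: ("forgery of immutable file", lambda p: p["n"] + p["t"]),
    4: ("roadblock or speedbump", lambda p: p["t"]),
    5: ("unauthorized read via K1", lambda p: p["k"]),
    7: ("unauthorized deletion", lambda p: p["d"]),
    10: ("cause invalid share to verify", lambda p: p["t"] + p["u"]),
    12: ("undeletion by matching (R,T,U)", lambda p: p["n"] + p["t"] + p["u"]),
}

def work_factors(params):
    """Return {row: log2(cost)} for every crypto-prevented row."""
    for name in "kntud":
        if params[name] < 0:
            raise ValueError(f"bit length {name} must be non-negative")
    return {row: Fraction(f(params)) for row, (_, f) in COSTS.items()}

def weakest(params):
    """Return (row, description, log2 cost) of the cheapest attack.

    Ties are resolved in favour of the lowest row number.
    """
    factors = work_factors(params)
    row = min(factors, key=lambda r: (factors[r], r))
    return row, COSTS[row][0], factors[row]

def rows_below(params, target_bits):
    """Rows whose brute-force cost is below 2**target_bits."""
    return sorted(r for r, bits in work_factors(params).items() if bits < target_bits)

if __name__ == "__main__":
    # Constructed parameter sets, not values proposed on the page.
    for label, p in [("balanced", dict(k=128, n=128, t=128, u=128, d=128)),
                     ("short T", dict(k=128, n=128, t=64, u=128, d=128))]:
        print(label, weakest(p), rows_below(p, 128))
```

With the constructed "short T" set, halving t drops the roadblock/speedbump row to 2^64 and the shape-shifter row to 2^96, while forgery still costs 2^192.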

http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html