Version 7 (modified by davidsarah, at 2009-10-11T01:18:11Z) (diff) |
---|
This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: http://jacaranda.org/tahoe/immutable-elkpoint-2.svg
# | what bad thing could happen | how | who could do it | what could they target | what crypto property prevents it | how expensive to brute force |
1 | shape-shifter immutable file [footnote 1] | collide read-cap (R,T) | creator of a file | their own file | the hash function's and cap format's collision resistance on the read-cap (R,T). This also depends on the encryption of K1 being deterministic and correct. | 2(n+t)/2 |
2 | unauthorized read | attack the encryption of K1 with R | anyone | any one file | the cipher's security and the secrecy of the read-key R | 2n |
3 | forgery of immutable file | generate a matching read-cap (R,T) for someone else's file | anyone | any one file | the hash function's and cap format's second-pre-image resistance on (R,T) | 2n+t |
4 | roadblock or speedbump [footnote 2] | generate (K1enc,Dhash,V) that hash to someone else's T, and copy their S | anyone | any one file | the hash function's and cap format's collision resistance on T | 2t |
5 | unauthorized read | attack the encryption of the plaintext with K1 | anyone | any one file | the cipher's security and the secrecy of the encryption key K1 | 2k |
6 | unauthorized read | figure out the input to the hash function that generates S | anyone | any one file | the hash function's pre-image resistance on S | brute force on R is #2 |
7 | unauthorized deletion | brute force KD | anyone | any one file | secrecy of KD | 2d |
8 | unauthorized deletion | figure out the destroy key KD from Dhash | anyone | any one file | the hash function's pre-image resistance on Dhash | brute force on KD is #7 |
9 | denial of service | prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them) | anyone | any file | not prevented by crypto | n/a |
10 | cause invalid share to verify | generate (K1enc,Dhash,V) that hash to someone else's (T,U), and copy their S | anyone | any one file | the hash function's second-pre-image resistance on (T,U) | 2t+u |
11 | undeletion | undelete a file (making it readable by existing read caps) by restoring its shares | anyone | any one file | assuming a "tombstone" is present on all relevant servers: same as #10 | 2t+u |
where k = bitlength(K1), n = bitlength(R), t = bitlength(T), u = bitlength(U), d = bitlength(KD).
- shape-shifter immutable file: creator creates more than one file matching the immutable file readcap
- roadblock: attacker prevents uploader (including repairer) from being able to write a real share into the right storage index; speedbump: attacker adds his bogus share into the list of shares stored under the storage index by the same method; downloader has to download, examine, and discard the bogus (K1enc,Dhash,V)'s until it finds the real one
http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html