tahoe-lafs/trac-2024-07-25
2
0
Issues 1.1k Wiki Activity

add footnote 6 

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 25]
davidsarah 2009-10-11 03:34:38 +00:00
parent 977aab1aa9
commit 3bdfb6fdde
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
NewCaps/WhatCouldGoWrong.md

@ -6,7 +6,7 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|2^(*n*+*t*)/2^| |1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|2^(*n*+*t*)/2^|
|2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, and the secrecy of the read-key *R*|2^min(*n*,*k*)^| |2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, and the secrecy of the read-key *R*|2^min(*n*,*k*)^|
|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|2^*n*+*t*^| |3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|2^*n*+*t*^|
|4|roadblock or speedbump [2]footnote|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's *T*, and copy their *S*|anyone|any one file|the hash function's and cap format's second-preimage resistance on *T*|2^*t*^| |4|roadblock or speedbump [2]footnote|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's *T*, and copy their *S*|anyone [6]footnote|any one file|the hash function's and cap format's second-preimage resistance on *T*|2^*t*^|
|5|unauthorized read|attack the encryption of the plaintext with *K1*|anyone|any one file|the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key *K1*. The latter also depends on the security and seeding of the RNG that generated it.|2^*k*^| |5|unauthorized read|attack the encryption of the plaintext with *K1*|anyone|any one file|the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key *K1*. The latter also depends on the security and seeding of the RNG that generated it.|2^*k*^|
|6|unauthorized read|figure out the input to the hash function that generates *S*|anyone|any one file|the hash function's onewayness for (*R*,*T*) -> *S*|brute force on *R* is !#2| |6|unauthorized read|figure out the input to the hash function that generates *S*|anyone|any one file|the hash function's onewayness for (*R*,*T*) -> *S*|brute force on *R* is !#2|
|7|unauthorized deletion|brute force KD|anyone|any one file|secrecy of *KD*|2^*d*^| |7|unauthorized deletion|brute force KD|anyone|any one file|secrecy of *KD*|2^*d*^|
@ -29,5 +29,7 @@ where *k* = bitlength(*K1*), *n* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
5. Brute force costs assume a single-target attack that is expected to succeed with high probability. Costs will be lower for attacking multiple targets or for a lower success probability. (Should we give explicit formulae for this?) 5. Brute force costs assume a single-target attack that is expected to succeed with high probability. Costs will be lower for attacking multiple targets or for a lower success probability. (Should we give explicit formulae for this?)
6. *roadblock*/*speedbump* attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at <http://jacaranda.org/tahoe/mutable-addonly-elkpoint-3.svg> for mutable files).
<http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html> <http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html>