fix formatting of superscripts; expand n/a
[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 36]
davidsarah
parent
757fdba8b1
commit
42d2010fab
|
|
@ -4,25 +4,25 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
|
|||
| | | | | | | |
|
||||
|---|---|---|---|---|---|---|
|
||||
|#|*what bad thing could happen*|*how*|*who could do it*|*what could they target*|*what crypto property prevents it*|*how expensive to brute force* [5]footnote|
|
||||
|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|2^(*r*+*t*)/2^|
|
||||
|2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, and the secrecy of the read-key *R*|2^min(*r*,*k*).*p*|
|
||||
|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|2^*r*+*t*^.*p*/*N* [7]footnote|
|
||||
|4|roadblock or speedbump [2]footnote|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's *T*, and copy their *S*|anyone [6]footnote|any one file|the hash function's and cap format's second-preimage resistance on *T*|2^*t*^.*p*/*N*|
|
||||
|5|unauthorized read|attack the encryption of the plaintext with *K1*|anyone|any one file|the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key *K1*. The latter also depends on the security and seeding of the RNG that generated it.|2^*k*^.*p*|
|
||||
|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|*p*.2^(*r*+*t*)/2^|
|
||||
|2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, and the secrecy of the read-key *R*|*p*.2^min(*r*,*k*)^|
|
||||
|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|*p*/*N*.2^*r*+*t*^ [7]footnote|
|
||||
|4|roadblock or speedbump [2]footnote|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's *T*, and copy their *S*|anyone [6]footnote|any one file|the hash function's and cap format's second-preimage resistance on *T*|*p*/*N*.2^*t*^|
|
||||
|5|unauthorized read|attack the encryption of the plaintext with *K1*|anyone|any one file|the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key *K1*. The latter also depends on the security and seeding of the RNG that generated it.|*p*.2^*k*^|
|
||||
|6|unauthorized read|figure out the input to the hash function that generates *S*|anyone|any one file|the hash function's onewayness for (*R*,*T*) -> *S*|brute force on *R* is !#2|
|
||||
|7|unauthorized deletion|brute force KD|anyone|any one file|secrecy of *KD*|2^*d*^.*p*/*N*|
|
||||
|8|unauthorized deletion|figure out a working destroy key KD from Dhash|anyone|any one file|the hash function's preimage resistance on *Dhash*|2^min(*d*,*dh*)^.*p*/*N*|
|
||||
|9|denial of service|prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them or the network)|anyone|any file|not prevented by crypto|n/a|
|
||||
|10|cause invalid share to verify|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's (*T*,*U*), and copy their *S*|anyone|any one file|the hash function's second-preimage resistance on (*T*,*U*)|2^*t*+*u*^.*p*/*N* [7]footnote|
|
||||
|11|undeletion [3]footnote|restore a deleted file's shares by controlling the relevant servers|anyone|any one file|not prevented by crypto|n/a|
|
||||
|12|undeletion [3]footnote|generate matching (*R*,*T*,*U*) for a deleted file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*,*U*)|2^*r*+*t*+*u*^.*p*/*N* [7]footnote|
|
||||
|13|accidental collision|storage indices (*S1*,*T1*) and (*S2*,*T2*) collide accidentally|n/a|any two files|approximately random distribution of hash function outputs|[4]footnote|
|
||||
|7|unauthorized deletion|brute force KD|anyone|any one file|secrecy of *KD*|*p*/*N*.2^*d*^|
|
||||
|8|unauthorized deletion|figure out a working destroy key KD from Dhash|anyone|any one file|the hash function's preimage resistance on *Dhash*|*p*/*N*.2^min(*d*,*dh*)^|
|
||||
|9|denial of service|prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them or the network)|anyone|any file|not prevented by crypto|not applicable|
|
||||
|10|cause invalid share to verify|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's (*T*,*U*), and copy their *S*|anyone|any one file|the hash function's second-preimage resistance on (*T*,*U*)|*p*/*N*.2^*t*+*u*^ [7]footnote|
|
||||
|11|undeletion [3]footnote|restore a deleted file's shares by controlling the relevant servers|anyone|any one file|not prevented by crypto|not applicable|
|
||||
|12|undeletion [3]footnote|generate matching (*R*,*T*,*U*) for a deleted file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*,*U*)|*p*/*N*.2^*r*+*t*+*u*^ [7]footnote|
|
||||
|13|accidental collision|storage indices (*S1*,*T1*) and (*S2*,*T2*) collide accidentally|not applicable|any two files|approximately random distribution of hash function outputs|[4]footnote|
|
||||
|
||||
where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = bitlength(*T*), *u* = bitlength(*U*), *d* = bitlength(*KD*), *dh* = bitlength(*Dhash*).
|
||||
|
||||
(The notes to the diagram assume *k* == *r*.)
|
||||
|
||||
*p* <= 1 is the success probability of an attack. *N* is the number of targets for preimage attacks; this assumes that the attacker has stored the hashes for *N* files and is content with finding a preimage for any of them.
|
||||
*p* <= 1 is the success probability of an attack. *N* is the number of targets for preimage attacks; this assumes that the attacker has stored the relevant hashes for *N* files and is content with finding a preimage for any of them.
|
||||
|
||||
|
||||
1. *shape-shifter immutable file*: creator creates more than one file matching the immutable file readcap
|
||||
|
|
|
|||
Loading…
Reference in a new issue