tahoe-lafs/trac-2024-07-25
2
0
Issues 1.1k Wiki Activity

accidental collision; footnote 5 

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 12]
davidsarah 2009-10-11 01:54:32 +00:00
parent cddf9bb347
commit c69799fa92
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
NewCaps/WhatCouldGoWrong.md

@ -2,7 +2,7 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
| | | | | | | |
|---|---|---|---|---|---|---|
|#|*what bad thing could happen*|*how*|*who could do it*|*what could they target*|*what crypto property prevents it*|*how expensive to brute force*|
|#|*what bad thing could happen*|*how*|*who could do it*|*what could they target*|*what crypto property prevents it*|*how expensive to brute force* [5]footnote|
|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|2^(*n*+*t*)/2^|
|2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the cipher's security and the secrecy of the read-key *R*|2^*n*^|
|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-pre-image resistance on (*R*,*T*)|2^*n*+*t*^|
@ -15,6 +15,7 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
|10|cause invalid share to verify|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's (*T*,*U*), and copy their *S*|anyone|any one file|the hash function's second-pre-image resistance on (*T*,*U*)|2^*t*+*u*^|
|11|undeletion [3]footnote|restore a deleted file's shares by controlling the relevant servers|anyone|any one file|not prevented by crypto|n/a|
|12|undeletion [3]footnote|generate matching (*R*,*T*,*U*) for a deleted file|anyone|any one file|the hash function's and cap format's second-pre-image resistance on (*R*,*T*,*U*)|2^*n*+*t*+*u*^|
|13|accidental collision|storage indices (*S1*,*T1*) and (*S2*,*T2*) collide accidentally|n/a|any two files|approximately random distribution of hash function outputs|[4]footnote|
where *k* = bitlength(*K1*), *n* = bitlength(*R*), *t* = bitlength(*T*), *u* = bitlength(*U*), *d* = bitlength(*KD*).
@ -24,4 +25,9 @@ where *k* = bitlength(*K1*), *n* = bitlength(*R*), *t* = bitlength(*T*), *u* = b
3. *undeletion*: attacker makes a deleted file (for which it need not have had a read cap) accessible at its previous storage index, and readable by previous read caps
4. See the probability table at <http://en.wikipedia.org/wiki/Birthday_Paradox> .
5. Brute force costs assume a single-target attack that is expected to succeed with high probability. Costs will be lower for attacking multiple targets or for a lower success probability. (Should we give give explicit formulae for this?)
<http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html>