take into account multi-target attacks against encryption

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 56]
davidsarah 2011-02-22 05:27:49 +00:00
parent f850187530
commit d47a0c51d1

@ -7,10 +7,10 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
|---|---|---|---|---|---|---|
|#|*what bad thing could happen*|*how*|*who could do it*|*what could they target*|*what crypto property prevents it*|*how expensive to brute force* [9]footnote|
|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct, and on the suitability of hash_*r* as a KDF (key derivation function).|approx sqrt(2.*p*).2^(*r*+*t*)/2^ [7,8]footnotes|
|2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, the secrecy of the read-key *R*, and the suitability of hash_*r* as a KDF.|*p*.2^min(*r*,*k*)^|
|2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, the secrecy of the read-key *R*, and the suitability of hash_*r* as a KDF.|(*p*/*N*).2^min(*r*,*k*)^|
|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct, and on the suitability of hash_*r* as a KDF.|(*p*/*N*).2^*r*+*t*^ [5,8]footnotes|
|4|roadblock or speedbump [2]footnote|generate (*EncK1*,*Dhash*,*V*) that hash to someone else's *T*, and copy their *S*|anyone [6]footnote|any one file|the hash function's and cap format's second-preimage resistance on *T*|(*p*/*N*).2^*t*^|
|5|unauthorized read|attack the encryption of the plaintext with *K1*|anyone|any one file|the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key *K1*. The latter also depends on the security and seeding of the RNG that generated it, and on resistance to attack !#2.|*p*.2^*k*^|
|5|unauthorized read|attack the encryption of the plaintext with *K1*|anyone|any one file|the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key *K1*. The latter also depends on the security and seeding of the RNG that generated it, and on resistance to attack !#2.|(*p*/*N*).2^*k*^|
|6|unauthorized read|figure out the input to the hash function that generates *S*|anyone|any one file|the hash function's onewayness for (*R*,*T*) -> *S*|brute force on *R* is !#2|
|7|unauthorized deletion|figure out a working destroy-key *KD* for a given *Dhash*|anyone|any one file|the hash function's preimage resistance on *Dhash* and the secrecy of *KD*|(*p*/*N*).2^min(*d*,*dh*)^|
|8|accidental collision|storage indices (*S1*,*T1*) and (*S2*,*T2*) collide accidentally|not applicable|any two files|approximately random distribution of hash function outputs|[4]footnote|
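Review bot: the two changed cost cells (rows 2 and 5) now divide by *N*, but nothing in this hunk says what *N* is, and the "what could they target" column for both rows still reads "any one file", so the table alone does not show that the lower figure is for a multi-target attacker who succeeds against any one of *N* files. Suggest checking that footnote [9] on the cost column defines *N* as the number of targets, and stating the multi-target assumption for rows 2 and 5 in the same terms that rows 3, 4 and 7 already depend on. Row 6 defers to !#2 for brute force on *R*, so it now inherits the (*p*/*N*) figure; worth confirming that is intended. As a style point, the row 1 cost cell is written 2^(*r*+*t*)/2^ while the other rows close the superscript as 2^...^, and row 3 writes 2^*r*+*t*^ without parentheses; one consistent form would avoid misreading the exponent.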