tahoe-lafs/trac-2024-07-25
2
0
Issues 1.1k Wiki Activity

fix undeletion attacks 

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 8]
davidsarah 2009-10-11 01:34:51 +00:00
parent e541673fba
commit d5eb2978e0
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
NewCaps/WhatCouldGoWrong.md

@ -13,11 +13,13 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
|8|unauthorized deletion|figure out the destroy key KD from Dhash|anyone|any one file|the hash function's pre-image resistance on *Dhash*|brute force on *KD* is !#7|
|9|denial of service|prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them)|anyone|any file|not prevented by crypto|n/a|
|10|cause invalid share to verify|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's (*T*,*U*), and copy their *S*|anyone|any one file|the hash function's second-pre-image resistance on (*T*,*U*)|2^*t*+*u*^|
|11|undeletion|undelete a file (making it readable by existing read caps) by restoring its shares|anyone|any one file|assuming a "tombstone" is present on all relevant servers: same as !#10|2^*t*+*u*^|
|11|undeletion [3]footnote|restore the file's shares by controlling the relevant servers|anyone|any one file|not prevented by crypto|n/a|
|12|undeletion [3]footnote|generate matching (*R*,*T*,*U*) for a deleted file|anyone|any one file|the hash function's and cap format's second-pre-image resistance on (*R*,*T*,*U*)|2^*n*+*t*+*u*^|
where *k* = bitlength(*K1*), *n* = bitlength(*R*), *t* = bitlength(*T*), *u* = bitlength(*U*), *d* = bitlength(*KD*).
1. *shape-shifter immutable file*: creator creates more than one file matching the immutable file readcap
2. *roadblock*: attacker prevents uploader (including repairer) from being able to write a real share into the right storage index; *speedbump*: attacker adds his bogus share into the list of shares stored under the storage index by the same method; downloader has to download, examine, and discard the bogus (*K1enc*,*Dhash*,*V*)'s until it finds the real one
3. *undeletion*: attacker makes a deleted file (for which it need not have had a read cap) accessible at its previous storage index, and readable by previous read caps
<http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html>