Opened at 2010-01-22T08:11:13Z
Last modified at 2021-03-30T18:40:19Z
#925 assigned defect
Information leak to holders of a directory read cap, about whether each dir entry is writeable and the length of its write cap — at Version 6
| Reported by: | davidsarah | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | soon |
| Component: | code-dirnodes | Version: | 1.5.0 |
| Keywords: | backward-compatibility privacy security | Cc: | zooko |
| Launchpad Bug: |
Description (last modified by davidsarah)
The encryption of the rw_uri of a dirnode with the writekey of its directory is done in CTR mode, and is length-preserving (excluding the added salt and MAC tag which are fixed-length). This leaks the length of the plaintext rw_uri to a holder of the directory read cap. This is a relatively minor information leak, but it does reveal whether the object pointed to by each dirnode entry would be writeable to someone with the directory write cap -- if not then the ciphertext excluding salt and MAC will be zero-length.
(The directory readcap holder necessarily knows whether or not the object pointed to by the dirnode entry is mutable -- but if it is, then they don't have any need to know whether it is writeable.)
Padding to a fixed length could solve this, but there would be a backward-compatibility problem, because the padding would break earlier storage clients who wouldn't be expecting it. Starting from Tahoe-LAFS 1.6, we have addressed that by making _unpack_contents strip spaces from the end of the decrypted rw_uri. That potentially allows some future version to pad the URI with spaces to a fixed length (breaking only clients of versions before 1.6).
Change History (6)
comment:1 Changed at 2010-01-22T18:05:41Z by davidsarah
- Keywords privacy added; confidentiality removed
comment:2 follow-up: ↓ 3 Changed at 2010-01-23T13:19:02Z by davidsarah
The patch for #833 now implements the 'strip spaces from the front and end of the decrypted rw_uri' suggestion, since that code needed to change anyway.
comment:3 in reply to: ↑ 2 Changed at 2010-01-27T20:37:14Z by davidsarah
Replying to davidsarah:
The patch for #833 now implements the 'strip spaces from the front and end of the decrypted rw_uri' suggestion, since that code needed to change anyway.
I'm going to change this to strip spaces only from the end. Stripping them from the front would have an unnecessarily confusing interaction with prefix checks.
comment:4 Changed at 2010-03-09T19:14:37Z by davidsarah
- Keywords forward-compatibility removed
- Milestone changed from undecided to 2.0.0
The forward-compatibility part of this issue is fixed -- 1.6.0 strips spaces from the end -- but we can't break backward-compatibility yet.
comment:5 Changed at 2010-04-08T02:10:37Z by davidsarah
- Keywords security added
- Summary changed from Information leak to holders of a directory read cap, about whether each dir entry is writeable to Information leak to holders of a directory read cap, about whether each dir entry is writeable and the length of its write cap
comment:6 Changed at 2010-04-08T02:13:08Z by davidsarah
- Description modified (diff)
Discloses only "information other than file contents."