wiki:NewCaps/WhatCouldGoWrong

Version 6 (modified by davidsarah, at 2009-10-11T01:01:22Z)

add denial-of-service

This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: http://jacaranda.org/tahoe/immutable-elkpoint-2.svg

| # | what bad thing could happen | how | who could do it | what could they target | what crypto property prevents it | how expensive to brute force |
|---|---|---|---|---|---|---|
| 1 | shape-shifter immutable file [footnote 1] | collide read-cap (R,T) | creator of a file | their own file | the hash function's and cap format's collision resistance on the read-cap (R,T). This also depends on the encryption of K1 being deterministic and correct. | 2^((n+t)/2) |
| 2 | unauthorized read | attack the encryption of K1 with R | anyone | any one file | the cipher's security and the secrecy of the read-key R | 2^n |
| 3 | forgery of immutable file | generate a matching read-cap (R,T) for someone else's file | anyone | any one file | the hash function's and cap format's second-pre-image resistance on (R,T) | 2^(n+t) |
| 4 | roadblock or speedbump [footnote 2] | generate (K1enc,Dhash,V) that hash to someone else's T, and copy their S | anyone | any one file | the hash function's and cap format's collision resistance on T | 2^t |
| 5 | unauthorized read | attack the encryption of the plaintext with K1 | anyone | any one file | the cipher's security and the secrecy of the encryption key K1 | 2^k |
| 6 | unauthorized read | figure out the input to the hash function that generates S | anyone | any one file | the hash function's pre-image resistance on S | brute force on R is #2 |
| 7 | unauthorized deletion | brute force KD | anyone | any one file | secrecy of KD | 2^d |
| 8 | unauthorized deletion | figure out the destroy key KD from Dhash | anyone | any one file | the hash function's pre-image resistance on Dhash | brute force on KD is #7 |
| 9 | denial of service | prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them) | anyone | any file | not prevented by crypto | n/a |

where k = bitlength(K1), n = bitlength(R), t = bitlength(T), d = bitlength(KD).

  1. shape-shifter immutable file: creator creates more than one file matching the immutable file readcap
  2. roadblock: attacker prevents uploader (including repairer) from being able to write a real share into the right storage index; speedbump: attacker adds his bogus share into the list of shares stored under the storage index by the same method; downloader has to download, examine, and discard the bogus (K1enc,Dhash,V)'s until it finds the real one
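
As an added example (not part of the wiki page or of Tahoe-LAFS code), the following evaluates the table's brute-force costs for a given choice of bit lengths and reports which rows fall below a target security level. The function names and the two parameter sets are constructed for illustration; rows 6 and 8 are assigned the cost of rows 2 and 7, following the table's cross-references.

```python
from fractions import Fraction

# Row number -> (threat, who could do it, cost in bits as a function of the
# bit lengths k, n, t, d). Costs are log2 of the guesses given in the table.
# Rows 6 and 8 defer to rows 2 and 7, as the table states. Row 9 (denial of
# service) is not prevented by crypto and has no work factor, so it is omitted.
ROWS = {
    1: ("shape-shifter immutable file", "creator",
        lambda p: Fraction(p["n"] + p["t"], 2)),
    2: ("unauthorized read via R", "anyone", lambda p: p["n"]),
    3: ("forgery of immutable file", "anyone", lambda p: p["n"] + p["t"]),
    4: ("roadblock or speedbump", "anyone", lambda p: p["t"]),
    5: ("unauthorized read via K1", "anyone", lambda p: p["k"]),
    6: ("unauthorized read via S", "anyone", lambda p: p["n"]),
    7: ("unauthorized deletion via KD", "anyone", lambda p: p["d"]),
    8: ("unauthorized deletion via Dhash", "anyone", lambda p: p["d"]),
}

def work_factors(params):
    """Return {row: cost in bits} for params = {"k", "n", "t", "d"}."""
    return {row: cost(params) for row, (_, _, cost) in ROWS.items()}

def failing_rows(params, target_bits):
    """Rows whose brute-force cost is below 2**target_bits."""
    wf = work_factors(params)
    return sorted(row for row, bits in wf.items() if bits < target_bits)

def weakest(params):
    """Return (bits, rows) for the cheapest attack(s) under these lengths."""
    wf = work_factors(params)
    low = min(wf.values())
    return low, sorted(row for row, bits in wf.items() if bits == low)

# Constructed parameter sets, not values proposed on the page.
BALANCED = {"k": 128, "n": 128, "t": 128, "d": 128}
SHORT_R = {"k": 128, "n": 64, "t": 128, "d": 128}  # shorter read-key R

if __name__ == "__main__":
    for name, params in (("balanced", BALANCED), ("short-R", SHORT_R)):
        bits, rows = weakest(params)
        print(f"{name}: weakest = 2^{bits} (rows {rows}), "
              f"below 2^128: {failing_rows(params, 128)}")
        for row, cost in work_factors(params).items():
            threat, who, _ = ROWS[row]
            print(f"  #{row} {threat} ({who}): 2^{cost}")
```

Shortening R to keep the read-cap small lowers rows 1, 2 and 6 together, while lengthening T only helps rows 1, 3 and 4.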

http://allmydata.org/pipermail/tahoe-dev/2009-October/002959.html