| | 76 | [http://allmydata.org/pipermail/tahoe-dev/2009-July/002350.html this tahoe-dev message] contains some clues: |
| | 77 | |
| | 78 | {{{ |
| | 79 | For immutable files, you have to encrypt+encode the file before you can |
| | 80 | get the secure hash that forms the root of the integrity check (because we |
| | 81 | want to validate the individual shares too). Since you must commit to the |
| | 82 | encryption keys before you get those bits, so you can't just derive the |
| | 83 | encryption keys from that hash. But you could combine that hash with some |
| | 84 | other secret, and hide the main encryption key by encrypting it with that |
| | 85 | secret, and then the bits of that secret would each provide C+Ir. I think |
| | 86 | this is closely related to Zooko's scheme. |
| | 87 | }}} |
| | 88 | |
| | 89 | I still can't reconstruct it, but here's one possibility: |
| | 90 | |
| | 91 | * pick a random readkey K1 (perhaps via CHK) |
| | 92 | * pick another random key K2 |
| | 93 | * use K1 to encrypt the data |
| | 94 | * encode the shares and compute the UEB hash, as usual |
| | 95 | * store AES(key=H(K2+UEBhash), data=K1) in the share: the encrypted readkey |
| | 96 | * readcap = K2 |
| | 97 | * storage-index = H(K2) |
| | 98 | * or storage-index = UEBhash |
| | 99 | |
| | 100 | If SI=H(K2), then the reader starts from readcap=K2, computes the SI, fetches |
| | 101 | the share, computes UEBhash, computes H(K2+UEBhash), decrypts K1, then |
| | 102 | compares the share hash trees against the UEB, decodes the shares, and uses |
| | 103 | K1 to decrypt them. The servers can't validate anything against the |
| | 104 | storage-index (because it is derived from the readcap, which is forbidden to |
| | 105 | them). And I'm pretty sure that Rose the readcap-holder can collude with a |
| | 106 | quorum of storage servers to change the contents of the file, since there's |
| | 107 | nothing in K2 that's dependent upon the actual shares. |
| | 108 | |
| | 109 | If SI=UEBhash, then you've got the integrity checking that you want, but |
| | 110 | there's no way for the readcap holder to find out what the storage-index is, |
| | 111 | so they can neither locate a share (to compute everything else) nor can they |
| | 112 | use the storage-index to validate anything. |
| | 113 | |
| | 114 | == Mutable readcap plus commitment == |
| | 115 | |
| | 116 | Another idea is to upload regular mutable files, create a readcap, and then |
| | 117 | augment the readcap with some number of I bits (basically the "R=roothash" in |
| | 118 | our current mutable-file layout, which corresponds to the UEB hash in our |
| | 119 | immutable layout). Having the the readcap would reduce the set of people who |
| | 120 | could modify your file down to the writecap holders; adding the I bits would |
| | 121 | reduce/remove their ability to modify it either. |
| | 122 | |
| | 123 | But I think this converges on the current CHK design once you make those |
| | 124 | non-modification guarantees equally strong. |
| | 125 | |
