wiki:Security

Version 4 (modified by zooko, at 2007-10-16T21:05:26Z) (diff)

test

Security Considerations

This page exists so that there is one page to read to learn about the security guarantees that Tahoe is designed to provide, as well as about any current known issues that might have security consequences.

The following is not complete.

However, you can view a complete technical explanation of which this page is eventually intended to be a summary.

The Distributed Filesystem

Access Control

The Tahoe distributed filesystem is composed of files and directories.

Files

read access

Each file has a unique and unguessable identifier, called a "CHK-URI", which is derived from the file contents. Possession of this identifier is necessary and sufficient to download, reconstruct, decrypt, and verify the integrity of the file. If a person is not given the CHK-URI, then they cannot see the contents of the file.

mutation

Files in the Tahoe grid are immutable. If you upload a file to the grid, and then change part of it and upload it again, then there are now two files in the grid -- the old one and the new one -- and each has a distinct, unique, CHK-URI.

Traffic Analysis

To be filled in. Traffic analysis is subtle and powerful. For the moment, assume that if someone wants to, they can learn everything about your every act, including when were, and which file, by its unique identifier and its length except that they can't learn the actual contents of the files, except that if the file happens to be a file whose contents they already know then they can. Make sense? I'll come back later.