Version 4 (modified by zooko, at 2007-10-16T21:05:26Z) (diff) |
---|
Security Considerations
This page exists so that there is one page to read to learn about the security guarantees that Tahoe is designed to provide, as well as about any current known issues that might have security consequences.
The following is not complete.
However, you can view a complete technical explanation of which this page is eventually intended to be a summary.
The Distributed Filesystem
Access Control
The Tahoe distributed filesystem is composed of files and directories.
Files
read access
Each file has a unique and unguessable identifier, called a "CHK-URI", which is derived from the file contents. Possession of this identifier is necessary and sufficient to download, reconstruct, decrypt, and verify the integrity of the file. If a person is not given the CHK-URI, then they cannot see the contents of the file.
mutation
Files in the Tahoe grid are immutable. If you upload a file to the grid, and then change part of it and upload it again, then there are now two files in the grid -- the old one and the new one -- and each has a distinct, unique, CHK-URI.
Traffic Analysis
To be filled in. Traffic analysis is subtle and powerful. For the moment, assume that if someone wants to, they can learn everything about your every act, including when were, and which file, by its unique identifier and its length except that they can't learn the actual contents of the files, except that if the file happens to be a file whose contents they already know then they can. Make sense? I'll come back later.