[119072] in cryptography@c2.net mail archive
Re: [p2p-hackers] convergent encryption reconsidered
daemon@ATHENA.MIT.EDU (Leichter, Jerry)
Sun Mar 30 15:52:34 2008
Date: Sun, 30 Mar 2008 15:12:01 -0400 (EDT)
From: "Leichter, Jerry" <leichter_jerrold@emc.com>
To: =?UTF-8?Q?Ivan_Krsti=C4=87?= <krstic@solarsail.hcs.harvard.edu>
cc: theory and practice of decentralized computer networks <p2p-hackers@lists.zooko.com>,
tahoe-dev@allmydata.org, Cryptography <cryptography@metzdowd.com>
In-Reply-To: <A9DE43CA-7AE1-4963-875F-5080D851CAC5@solarsail.hcs.harvard.edu>
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
---559023410-851401618-1206904321=:1801
Content-Type: TEXT/PLAIN; charset=UTF-8
Content-Transfer-Encoding: 8BIT
| > They extended the confirmation-of-a-file attack into the
| > learn-partial-information attack. In this new attack, the
| > attacker learns some information from the file. This is done by
| > trying possible values for unknown parts of a file and then
| > checking whether the result matches the observed ciphertext.
|
| How is this conceptually different from classic dictionary attacks,
| and why does e.g. running the file through PBKDF2 and using the result
| for convergence not address your concern(s)?
How would that help?
Both the ability of convergent encryption to eliminate duplicates,
and this attack, depend on there being a deterministic algorithm
that computes a key from the file contents. Sure, if you use a
different salt for each file, the attack goes away - but so does
the de-duplication. If you don't care about de-duplication, there
are simpler, cheaper ways to choose a key.
-- Jerry
| --
| Ivan Krsti? <krstic@solarsail.hcs.harvard.edu> | http://radian.org
|
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
|
|
---559023410-851401618-1206904321=:1801--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
