[144710] in cryptography@c2.net mail archive
RE: [tahoe-dev] cleversafe says: 3 Reasons Why Encryption isOverrated
daemon@ATHENA.MIT.EDU (Jason Resch)
Tue Aug 11 10:36:40 2009
Date: Mon, 10 Aug 2009 11:20:05 -0500
In-Reply-To: <71B130F1-EA52-4455-A3BA-C205C1CB1937@mac.com>
From: "Jason Resch" <jresch@cleversafe.com>
To: <tahoe-dev@allmydata.org>
Cc: "Cryptography List" <cryptography@metzdowd.com>
james hughes wrote:
>
> On Aug 6, 2009, at 1:52 AM, Ben Laurie wrote:
>
> > Zooko Wilcox-O'Hearn wrote:
> >> I don't think there is any basis to the claims that Cleversafe =
makes
> >> that their erasure-coding ("Information Dispersal")-based system is
> >> fundamentally safer, e.g. these claims from [3]: "a malicious party
> >> cannot recreate data from a slice, or two, or three, no matter what =
> >> the
> >> advances in processing power." ... "Maybe encryption alone is 'good
> >> enough' in some cases now - but Dispersal is 'good always' and
> >> represents the future."
> >
> > Surely this is fundamental to threshold secret sharing - until you=20
> > reach
> > the threshold, you have not reduced the cost of an attack?
>
> Until you reach the threshold, you do not have the information to=20
> attack. It becomes information theoretic secure.
With a secret sharing scheme such as Shamir's you have information =
theoretic security. With the All-or-Nothing Transform and dispersal the =
distinction is there is only computational security. The practical =
difference is that though 2^-256 is very close to 0, it is not 0, so the =
possibility remains that with sufficient computational power useful data =
could be obtained with less than a threshold number of slices. The =
difficulty of this is as hard as breaking the symmetric cipher used in =
the transformation.
>
>
> They are correct, if you lose a "slice, or two, or three" that's fine, =
> but once you have the threshold number, then you have it all. This=20
> means that you must still defend the site from attackers, protect your =
> media from loss, ensure your admins are trusted. As such, you have=20
> accomplished nothing to make the management of the data easier.
Is there any data storage system which does not require some protection =
against attackers, resiliency to media failure, and trusted =
administrators? Even in a systems where one encrypts the data and =
focuses all energy on keeping the key safe, the encrypted copies must =
still be protected for availability and reliability reasons.
The security provided by this approach is only the icing on the cake to =
the other benefits of dispersal. Dispersal provides extremely high =
fault tolerance and reliability without the large storage requirements =
of making copies. See this paper "Erasure Coding vs. Replication: A =
Quantitative Comparison" by the creators of OceanStore for a primer on =
some of the advantages: =
http://www.cs.rice.edu/Conferences/IPTPS02/170.pdf
>
> Assume your threshold is 5. You lost 5 disks... Whose information was=20
> lost? Anyone? Do you know?
If a particular "vault" (Our term for a logical grouping of data on =
which access controls may be applied) had data stored on on a threshold =
number of compromised drives, then data in that vault would be =
considered compromised. Our systems tracks which vaults have data on =
which machines through a global set of configuration information we call =
the Registry.
> What if the 5 drives were lost over 5=20
> years, what then?
When drives or machines are known to be lost or compromised one may =
perform a read and overwrite of the peer-slices. This makes obsolete =
any slices attackers may have accumulated up until that point. This is =
due to the fact that the AONT is a random transformation, and newly =
generated slices cannot be used with old ones to re-create data. =
Therefore this protocol protects against slow accumulation of a =
threshold number of slices over time.
> CleverSafe can not provide any security guarantees=20
> unless these questions can be answered. Without answers, CleverSafe is =
> neither Clever nor Safe.
>
> Jim
>
>
Please let me know if you have any additional questions regarding our =
technology.
Best Regards,
Jason Resch
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
