On Thu, Apr 26, 2012 at 4:29 AM, Zooko Wilcox-O'Hearn <zo...@zooko.com> wrote: > Um, frankly I'm having a hard time understanding exactly why my > intuitions about this come out so differently for "data-at-rest" tools > like Tahoe-LAFS and ZFS than for "data-in-motion" tools like TLS. My > intuition is that secret-based integrity-checking is fine for the > traditional two-party, time-limited "session" encryption a la TLS, but > that hash-based integrity-checking is more robust and "pushes less of > the problem around" when there are more than two parties and when the
The main difference between data at rest and in motion is that you need random access to data at rest but not to date in motion (typically an octet stream). (Protocols like NFS fall into the category of data in motion, IMO, even though they provide random access to data at rest, because typically they use data in motion cryptographic protocols for their transport security.) > data is persistent. The intuitions of the ZFS crypto designers (Darren > Moffat and others including Nico Williams) seems to have been that > secret-based integrity-checking still had some use even in that > scenario. However, I don't remember precisely what ZFS settled on for > secure data integrity checking. [Just to set the record straight, Darren's teh ZFS crypto designer, and I (among others) only just consulted.] Darren describes his compromise solution here: https://blogs.oracle.com/darren/en_GB/entry/zfs_encryption_what_is_on " o Block pointer - The blkptr_t contains the MAC/AuthTag from AES-CCM or AES-GCM in the top 96 bits of the checksum field. The SHA256 checksum is truncated to provide this 96 bits of space. + The checksum for an encrypted block is always sha256-mac - The 96bit IV for the block is in dva[2] of the blkptr_t + This means that an encrypted block can have a maximum of 2 copies not 3 " IIRC we both (though again, I only consulted) felt strongly that we needed some way to authenticate the data. I would have been happy with a MAC of Merkle hash roots (of entire encrypted datasets, say, or per-file -- doesn't matter much). MACing Merkle hash roots has the nice property of being a relatively easy filesystem on-disk format element to add. Nico -- _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
