Brian Warner wrote:
> The CHK mechanism is considered secure if the effort the attacker must
> expend to get your plaintext is sufficiently high (no better than random
> guessing).
[...]
>
> LIT filecaps have the same property, but not derived from cryptography,
> because there is no ciphertext. The attacker gets nothing, and is asked
> to distinguish between hypothetical ciphertexts. If you reveal to me
> that you have a LIT file (perhaps indirectly, by asking my storage
> server for a mutable-directory share but then not fetching any immutable
> shares immediately afterwards), then I can probably assume that it's
> shorter than 65 bytes, but that leaves nearly 2**(8*65) possibilities,
> and I have no way to distinguish between them (I don't even have a
> SHA256 hash to use as an oracle). Clearly the attacker has nothing to
> work with, so they can't do better than random chance. (they don't even
> get length with LITs).

Subtle point: they don't get the length because LIT files don't have write caps, so the potential weakness described in <http://allmydata.org/trac/tahoe-lafs/ticket/925>, which can reveal the length of a write cap, does not apply here.

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
_______________________________________________
tahoe-dev mailing list
tahoe-dev@allmydata.org
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev