[dropped tahoe-dev from Cc:]
On Thursday, 2009-08-06, at 17:08 , james hughes wrote:
> Until you reach the threshold, you do not have the information to
> attack. It becomes information theoretic secure.
This is true for information-theoretically secure secret sharing, but
not true for Cleversafe's technique of composing an All-Or-Nothing-
Transform with Reed-Solomon erasure coding.
> CleverSafe can not provide any security guarantees unless these
> questions can be answered. Without answers, CleverSafe is neither
> Clever nor Safe.
Hey, let's be nice. Cleversafe has implemented a storage system
which integrates encryption in the attempt to make it safer. They
GPL at least some of their work [*], and they publish their ideas and
engage in discussion about them. These are all good things. My
remaining disagreements with them are like this:
1. (The important one.) I don't think the access control policy of
"whoever can access at least K of the N volumes of data" is the
access control policy that I want. For one thing, it immediately
leads to the questions that James Hughes was asking, about who is
authorized to access what servers. For another thing, I would really
like my access control policy to be fine-grained, flexible, and
dynamic. So for example, I'd like to be able to give you access to
three of my files but not all my other files, and I'd like you to
then be able to give your friend access to two of those files but not
the third. See Brian Warner's and Jason Resch's discussion of these
issues: [1, 2].
2. Cleversafe seems to think that their scheme gives better-than-
computational security, i.e. that it guarantees security even if
AES-256 is crackable. This is wrong, but it is an easy mistake to
make! Both Ben Laurie and James Hughes have jumped to the conclusion
(in this thread) that the Cleversafe K-out-of-N encoding has the same
information-theoretic security that secret-sharing K-out-of-N
3. Cleversafe should really tone down the Fear Uncertainty and Doubt
about today's encryption being mincemeat for tomorrow's
cryptanalysts. It might turn out to be true, but if so it will be
due to cryptanalytic innovations more than due to Moore's Law. And
it might not turn out like that -- perhaps AES-256 will remain safe
for centuries. Also, Cleversafe's product is not more secure than
any other product against this threat.
It is hard to explain to non-cryptographers how much they can rely on
the security of cryptographic schemes. It's very complicated, and
most schemes deployed have failed due to flaws in the surrounding
system, engineering errors or key management (i.e. access control)
problems. Nobody knows what cryptanalytic techniques will be
invented in the future. My opinion is that relying on well-
engineered strong encryption to protect your data is at least as safe
as alternatives such as keeping the data on your home computer or on
your corporate server. The Cleversafe FUD doesn't help people
understand the issues better.
[*] Somebody stated on a mailing list somewhere that Cleversafe has
applied for patents. Therefore, if you want to use their work under
the terms of the GPL, you should also be aware that if their patents
are granted then some of what you do may be subject to the patents.
Of course, this is always true of any software (the techniques might
be patented), but I thought it was worth mentioning since in this
case the company authoring the software is also the company applying
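Added illustration of the distinction the message draws between information-theoretic and computational security. This is a constructed Python example, not code from the thread, from Cleversafe or from Tahoe-LAFS, and its parameters are deliberately toy-sized assumptions: Shamir k-of-n sharing over GF(2^8) of a single secret byte; Rivest's package transform as the All-Or-Nothing Transform, with a 16-bit package key and a SHA-256-derived keystream standing in for the block cipher so that the whole key space can be enumerated; the Reed-Solomon layer is omitted, and the below-threshold view is modelled as holding every AONT block except the one that carries the package key.

```python
"""Constructed demonstration (not Cleversafe's, Tahoe-LAFS's or the thread
authors' code): Shamir k-of-n sharing is information-theoretically secure
below the threshold, while an AONT composed with erasure coding is only as
secure as the cipher inside it.  Toy parameters (assumptions): one secret
byte over GF(2^8); Rivest's package transform with a 16-bit package key and
a SHA-256 keystream in place of a block cipher, so every key can be tried."""
import hashlib
import secrets

# ---------- Shamir k-of-n over GF(2^8), AES polynomial x^8+x^4+x^3+x+1 ----------
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    r = 1                        # a^254 == a^-1 for nonzero a (group order 255)
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def poly_eval(coeffs, x):
    y = 0
    for c in reversed(coeffs):   # Horner's rule; coeffs[0] is the secret
        y = gf_mul(y, x) ^ c
    return y

def shamir_split(secret, k, n):
    """n shares (x, y) of one secret byte; any k of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(256) for _ in range(k - 1)]
    return [(x, poly_eval(coeffs, x)) for x in range(1, n + 1)]

def lagrange(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    y = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)      # subtraction is XOR in GF(2^8)
                den = gf_mul(den, xi ^ xj)
        y ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return y

def shamir_recover(shares):
    return lagrange(shares, 0)

def shamir_completions(partial, k, x_missing):
    """The below-threshold view: with k-1 shares, every one of the 256 possible
    secrets has exactly one value the missing share could take, so the shares
    in hand are consistent with every secret equally and there is nothing to test."""
    assert len(partial) == k - 1
    return {g: lagrange(partial + [(0, g)], x_missing) for g in range(256)}

# ---------- Rivest package transform (AONT), toy-sized ----------
BLOCK = 2                                   # bytes per block == package-key size (toy)
K0 = b"public-fixed-key"                    # the transform's fixed, public key

def prf(key, label):
    return hashlib.sha256(key + label).digest()

def aont_package(msg, pkey=None):
    """Pseudo-message m'_1..m'_s plus m'_{s+1}; every block is needed to undo it."""
    assert len(msg) % BLOCK == 0 and len(msg) <= 32
    s = len(msg) // BLOCK
    pkey = secrets.token_bytes(BLOCK) if pkey is None else pkey
    stream = prf(pkey, b"stream")[:len(msg)]            # stands in for E(K', i)
    masked = bytes(a ^ b for a, b in zip(msg, stream))
    blocks = [masked[i * BLOCK:(i + 1) * BLOCK] for i in range(s)]
    last = int.from_bytes(pkey, "big")
    for i, blk in enumerate(blocks):                    # m'_{s+1} = K' ^ h_1 ^ ... ^ h_s
        last ^= int.from_bytes(prf(K0, blk + bytes([i]))[:BLOCK], "big")
    return blocks + [last.to_bytes(BLOCK, "big")]

def aont_unpackage(blocks):
    *data, last = blocks
    key = int.from_bytes(last, "big")
    for i, blk in enumerate(data):
        key ^= int.from_bytes(prf(K0, blk + bytes([i]))[:BLOCK], "big")
    masked = b"".join(data)
    stream = prf(key.to_bytes(BLOCK, "big"), b"stream")[:len(masked)]
    return bytes(a ^ b for a, b in zip(masked, stream))

def aont_candidates(data_blocks):
    """The below-threshold view: all data blocks, key block withheld.  Unlike
    Shamir, the blocks in hand pin the key down; only the cost of checking each
    candidate key protects the data, i.e. security is computational."""
    masked = b"".join(data_blocks)
    mi = int.from_bytes(masked, "big")
    found = []
    for key in range(2 ** (8 * BLOCK)):
        stream = prf(key.to_bytes(BLOCK, "big"), b"stream")[:len(masked)]
        pt = (mi ^ int.from_bytes(stream, "big")).to_bytes(len(masked), "big")
        if all(32 <= c < 127 for c in pt):              # plausibility: printable ASCII
            found.append(pt)
    return found

if __name__ == "__main__":
    sh = shamir_split(0x42, 3, 5)
    comps = shamir_completions(sh[:2], 3, sh[2][0])
    print("Shamir, 2 of 3 shares:", len(set(comps.values())), "equally consistent secrets")
    blocks = aont_package(b"all-or-nothing, 24 bytes")   # constructed sample message
    print("AONT, key block withheld, surviving candidates:", aont_candidates(blocks[:-1]))
```

Run stand-alone, the Shamir half reports 256 equally consistent secrets: two shares of a 3-of-5 split are a uniformly random point for every possible secret, and no amount of computation changes that. The AONT half reports exactly one surviving candidate, the original message: the data blocks alone determine the package key, and the attacker's only obstacle is trying each key, which with the toy 16-bit key takes a fraction of a second and with a 256-bit key is infeasible. That infeasibility is the computational guarantee discussed in point 2, and it stands or falls with the cipher.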
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com