james hughes wrote:
>
> On Aug 6, 2009, at 1:52 AM, Ben Laurie wrote:
>
> > Zooko Wilcox-O'Hearn wrote:
> >> I don't think there is any basis to the claims that Cleversafe makes
> >> that their erasure-coding ("Information Dispersal")-based system is
> >> fundamentally safer, e.g. these claims from [3]: "a malicious party
> >> cannot recreate data from a slice, or two, or three, no matter what 
> >> the
> >> advances in processing power." ... "Maybe encryption alone is 'good
> >> enough' in some cases now  - but Dispersal is 'good always' and
> >> represents the future."
> >
> > Surely this is fundamental to threshold secret sharing - until you 
> > reach
> > the threshold, you have not reduced the cost of an attack?
>
> Until you reach the threshold, you do not have the information to 
> attack. It becomes information theoretic secure.

With a secret sharing scheme such as Shamir's you have information theoretic 
security.  With the All-or-Nothing Transform and dispersal the distinction is 
there is only computational security.  The practical difference is that though 
2^-256 is very close to 0, it is not 0, so the possibility remains that with 
sufficient computational power useful data could be obtained with less than a 
threshold number of slices.  The difficulty of this is as hard as breaking the 
symmetric cipher used in the transformation.

>
>
> They are correct, if you lose a "slice, or two, or three" that's fine, 
> but once you have the threshold number, then you have it all. This 
> means that you must still defend the site from attackers, protect your 
> media from loss, ensure your admins are trusted. As such, you have 
> accomplished nothing to make the management of the data easier.

Is there any data storage system which does not require some protection against 
attackers, resiliency to media failure, and trusted administrators?  Even in a 
systems where one encrypts the data and focuses all energy on keeping the key 
safe, the encrypted copies must still be protected for availability and 
reliability reasons.

The security provided by this approach is only the icing on the cake to the 
other benefits of dispersal.  Dispersal provides extremely high fault tolerance 
and reliability without the large storage requirements of making copies.  See 
this paper "Erasure Coding vs. Replication: A Quantitative Comparison" by the 
creators of OceanStore for a primer on some of the advantages: 
http://www.cs.rice.edu/Conferences/IPTPS02/170.pdf

>
> Assume your threshold is 5. You lost 5 disks... Whose information was 
> lost? Anyone? Do you know?

If a particular "vault" (Our term for a logical grouping of data on which 
access controls may be applied) had data stored on on a threshold number of 
compromised drives, then data in that vault would be considered compromised.  
Our systems tracks which vaults have data on which machines through a global 
set of configuration information we call the Registry.

> What if the 5 drives were lost over 5 
> years, what then?

When drives or machines are known to be lost or compromised one may perform a 
read and overwrite of the peer-slices.  This makes obsolete any slices 
attackers may have accumulated up until that point.  This is due to the fact 
that the AONT is a random transformation, and newly generated slices cannot be 
used with old ones to re-create data.  Therefore this protocol protects against 
slow accumulation of a threshold number of slices over time.

> CleverSafe can not provide any security guarantees 
> unless these questions can be answered. Without answers, CleverSafe is 
> neither Clever nor Safe.
>
> Jim
>
>

Please let me know if you have any additional questions regarding our 
technology.

Best Regards,

Jason Resch

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to