[removing Cc: tahoe-dev as this subthread is not about Tahoe-LAFS.
Of course, the subscribers to tahoe-dev would probably be interested
in this subthread, but that just goes to show that they ought to
subscribe to cryptogra...@metzdowd.com.]
On Monday,2009-08-10, at 11:56 , Jason Resch wrote:
I don't think there is any basis to the claims that Cleversafe
makes that their erasure-coding ("Information Dispersal")-based
system is fundamentally safer, e.g. these claims from : "a
malicious party cannot recreate data from a slice, or two, or
three, no matter what the advances in processing power." ...
"Maybe encryption alone is 'good enough' in some cases now - but
Dispersal is 'good always' and represents the future."
It is fundamentally safer in that even if the transformation key
were brute forced, the attacker only gains data from the slice,
which in general will have 1/threshold the data.
Okay, so the Cleversafe method of erasure-coding ciphertext and
storing the slices on different servers is "safer" in exactly the
same way that encrypting and then giving an attacker only a part of
the ciphertext is safer. That is: having less ciphertext might
hinder cryptanalysis a little, and also even if the attacker totally
wins and is able to decrypt the ciphertext, at least he'll only get
part of the plaintext that way. On the other hand I might consider
it scant comfort if I were told that "the good news is that the
attacker was able to read only the first 1/3 of each of your
But the Cleversafe method of appending the masked key to the last
slice makes it less safe, because having the masked key might help a
cryptanalyst quite a lot.
In any case, the claims that are made on the Cleversafe web site are
wrong and misleading: "a malicious party cannot recreate data from a
slice, or two, or three, no matter what the advances in processing
power" . It is easy for customers to believe this claim, because
an honest party who is following the normal protocol is limited in
this way and because information-theoretically-secure secret-sharing
schemes have this property. I kind of suspect that the Cleversafe
folks got confused at some point by the similarities between their
AONT+erasure-coding scheme and a secret-sharing scheme.
In any case, the statement quoted above is not true, and not only
that isolated statement, but also the entire thrust of the
"encryption isn't safe but Cleversafe's algorithm is safer" argument
. Just to pick out another of the numerous examples of misleading
and unjustified claims along these lines, here is another: "Given
that the level of security provided by the AONT can be set
arbitrarily high (there is no limit to the length of key it uses for
the transformation), information theoretic security is not necessary
as one can simply use a key so long that it could not be cracked
before the stars burn out." .
On the other hand Cleversafe's arguments about key management being
hard and about there being a trade-off between confidentiality and
availability are spot on: . Although I don't think that their
strategy for addressing the key management issues is the best
strategy, at least their description of the problem are correct.
Also, if you ignore the ill-justified claims about security on that
page, their explanation of the benefits of their approach is
correct. (Sorry if this comes off as smug -- I'm trying to be fair.)
(I'm not even going to address their third point  -- at least not
until we take this conversation to the law mailing list! :-))
Okay, I think I've made my opinion about these issues fairly clear
now, so I'll try to refrain from following-up to this subthread --
the "strong claims about encryption safety" subthread -- unless there
are some interesting new technical details that I haven't thought
of. By the way, when googling in the attempt to learn more
information about the Cleversafe algorithm, I happened to see that
Cleversafe is mentioned in this paper by Bellare and Rogaway: "Robust
Computational Secrete Sharing and a Unified Account of Classical
Secret-Sharing Goals" . I haven't read that paper yet, but given
the authors I would assume it is an excellent starting point for a
modern study of the cryptographic issues. :-)
I still do intend to follow-up on the subthread which I call "So how
do *you* do key management, then?", which I consider to be the most
important issue for practical security of systems like these.
Zooko, writing e-mail on his lunch break
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com