Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-08-05 Thread Zooko Wilcox-O'Hearn

[cross-posted to and]


It doesn't look like I'm going to get time to write a long post about  
this bundle of issues, comparing Cleversafe with Tahoe-LAFS (both use  
erasure coding and encryption, and the encryption and key-management  
part differs), and arguing against the ill-advised Fear, Uncertainty,  
and Doubt that the Cleversafe folks have posted.  So, I'm going to  
try to throw out a few short pieces which hopefully each make sense.

First, the most important issue in all of this is the one that my  
programming partner Brian Warner already thoroughly addressed in [1]  
(see also the reply by Jason Resch [2]).  That is the issue of access  
control, which is intertwined with the issues of key management.  The  
other issues are cryptographic details which are important to get  
right, but the access control and key management issues are the ones  
that directly impact every user and that make or break the security  
and usefulness of the system.

Second, the Cleversafe documents seem to indicate that the security  
of their system does not rely on encryption, but it does.  The data  
in Cleversafe is encrypted with AES-256 before being erasure-coded  
and each share stored on a different server (exactly the same as in  
Tahoe-LAFS).  If AES-256 is crackable, then a storage server can  
learn information about the file (exactly as in Tahoe-LAFS).  The  
difference is that Cleversafe also stores the decryption key on the  
storage servers, encoded in such a way that  any K of the storage  
servers must cooperate to recover it.  In contrast, Tahoe-LAFS  
manages the decryption key separately.  This added step of including  
a secret-shared copy of the decryption key on the storage servers  
does not make the data less vulnerable to weaknesses in AES-256, as  
their documents claim.  (If anything, it makes it more vulnerable,  
but probably it has no effect and it is just as vulnerable to  
weaknesses in AES-256 as Tahoe-LAFS is.)

Third, I don't understand why Cleversafe documents claim that public  
key cryptosystems whose security is based on math are more likely  
to fall to future advances in cryptanalysis.  I think most  
cryptographers have the opposite belief -- that encryption based on  
bit-twiddling such as block ciphers or stream ciphers is much more  
likely to fall to future cryptanalysis.  Certainly the history of  
modern cryptography seems to fit with this -- of the original crop of  
public key cryptosystems founded on a math problem, some are still  
regarded as secure today (RSA, DH, McEliece), but there has been a  
long succession of symmetric crypto primitives based on bit twiddling  
which have then turned out to be insecure.  (Including, ominously  
enough, AES-256, which was regarded as a gold standard until a few  
months ago.)

Fourth, it seems like the same access control/key management model  
that Cleversafe currently offers could be achieved by encrypting the  
data with a random AES key and then using secret sharing to split the  
key and store on share of the key with each server.  I *think* that  
this would have the same cryptographic properties as the current  
Cleversafe approach of using an All-Or-Nothing-Transform followed by  
erasure coding.  Both would qualify as computation secret sharing  
schemes as opposed to information-theoretic secret sharing  
schemes.  I would be curious if there are any significant differences  
between these two constructions.

I don't think there is any basis to the claims that Cleversafe makes  
that their erasure-coding (Information Dispersal)-based system is  
fundamentally safer, e.g. these claims from [3]: a malicious party  
cannot recreate data from a slice, or two, or three, no matter what  
the advances in processing power. ... Maybe encryption alone is  
'good enough' in some cases now  - but Dispersal is 'good always' and  
represents the future.

Fifth, as I've already mentioned, the emphasis on cryptography being  
defeated due to advances in processing power e.g. reference to  
Moore's Law is confused.  Advances in processing power would not be  
sufficient to crack modern cryptosystems and in many cases would not  
be necessary either.

Okay I think that's it.  I hope these notes are not so terse as to be  
confusing or inflammatory.


Zooko Wilcox-O'Hearn


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to

ANNOUNCE: New book on software protection

2009-08-05 Thread Christian Collberg
Dear all,

Our new book Surreptitious Software: Obfuscation, Watermarking,
and Tamperproofing for Software Protection was just released.
It is published in Addison-Wesley's Software Security Series
edited by Gary McGraw:

The book covers, among other things, these topics:
    * Understanding the theoretical limits of code obfuscation
    * Detecting software tampering in distributed system
    * Mastering techniques that both attackers and defenders use to
  analyze programs
    * Using code obfuscation to make software harder to analyze and
    * Fingerprinting software to identify its author and to trace
  software pirates
    * Tamperproofing software using guards that detect and respond to
  illegal modifications of code and data
    * Strengthening content protection through dynamic watermarking
  and dynamic obfuscation
    * Detecting code theft via software similarity analysis and
  birthmarking algorithms
    * Using hardware techniques to defend software and media against
  piracy and tampering

For more about the book, including the table of contents, see
Also, see Gary's introduction:

Christian Collberg and Jasvir Nagra

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to