Re: [p2p-hackers] convergent encryption reconsidered -- salting and key-strengthening

2008-04-02 Thread zooko
On Mar 31, 2008, at 4:47 AM, Ivan Krstić wrote: Tahoe doesn't run this service either. I can't use it to make guesses at any of the values you mentioned. I can use it to make guesses at whole documents incorporating such values, which is in most cases a highly non-trivial distinction. The way

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-31 Thread Victor Duchovni
On Sun, Mar 30, 2008 at 05:13:07PM -0400, Ivan Krstić wrote: That's a brute force search. If your convergence key, instead of being a simple file hash, is obtained through a deterministic but computationally expensive function such as PBKDF2 (or the OpenBSD bcrypt, etc), then step 3

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-31 Thread James A. Donald
Ivan Krstić wrote: 1. take partially known plaintext 2. make a guess, randomly or more intelligently where possible, about the unknown parts 3. take the current integrated partial+guessed plaintext, hash to obtain convergence key 4. verify whether that key exists in the storage index 5. if

Re: [p2p-hackers] convergent encryption reconsidered -- salting and key-strengthening

2008-03-31 Thread Ivan Krstić
On Mar 30, 2008, at 9:37 PM, zooko wrote: You can store your True Name, credit card number, bank account number, mother's maiden name, and so forth, on the same server as your password, but you don't have to worry about using salts or key strengthening on those latter secrets, because the server

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-31 Thread Ivan Krstić
On Mar 31, 2008, at 6:44 AM, James A. Donald wrote: Better still, have a limited supply of tickets that enable one to construct the convergence key. Enough tickets for all normal usage, but not enough to perform an exhaustive search. [...] If you give the ticket issuing computers an

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-30 Thread Ivan Krstić
On Mar 20, 2008, at 3:42 PM, zooko wrote: They extended the confirmation-of-a-file attack into the learn-partial-information attack. In this new attack, the attacker learns some information from the file. This is done by trying possible values for unknown parts of a file and then

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-30 Thread Leichter, Jerry
| They extended the confirmation-of-a-file attack into the | learn-partial-information attack. In this new attack, the | attacker learns some information from the file. This is done by | trying possible values for unknown parts of a file and then | checking whether the result

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-30 Thread Ivan Krstić
On Mar 30, 2008, at 3:12 PM, Leichter, Jerry wrote: How would that help? Unless I'm misunderstanding Zooko's writeup, he's worried about an attacker going from a partially-known plaintext (e.g. a form bank letter) to a completely-known plaintext by repeating the following process: 1.

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-26 Thread zooko
Jim: Thanks for your detailed response on the convergent encryption issue. In this post, I'll just focus on one very interesting question that you raise: When do either of these attacks on convergent encryption apply?. In my original note I was thinking about the allmydata.org Tahoe