Re: convergent encryption reconsidered

2008-03-31 Thread Ludovic Courtès
Hi,

Sorry for arriving late into this thread...

zooko [EMAIL PROTECTED] writes:

The Learn-Partial-Information Attack

 They extended the confirmation-of-a-file attack into the
 learn-partial-information attack. In this new attack, the
 attacker learns some information from the file. This is done by
 trying possible values for unknown parts of a file and then
 checking whether the result matches the observed ciphertext.
 For example, if you store a document such as a form letter from
 your bank, which contains a few pages of boilerplate legal text
 plus a few important parts, such as your bank account number
 and password, then an attacker who knows the boilerplate might
 be able to learn your account number and password.

I don't see how this would work.  It's different from a dictionary
attack because it looks for partial matches, as opposed to exact
matches.

Suppose you have one (sensitive) file that contains
"boilerplate" + "secret" and another that contains
"boilerplate" + "placeholder".  They have different hashes, hence
different ciphertexts through convergent encryption.  How would one get
access to the plaintext of the former when knowing only the latter?

Now, let's assume that said files were split into two blocks before
being convergent-encrypted, namely "boilerplate" and "secret" for
the former, and "boilerplate" and "placeholder" for the latter.  The
confirmation-of-a-file (or rather confirmation-of-a-block) attack
does work, but it does not reveal anything about the secret.


I'm not sure about Tahoe, but the scheme I had in mind in my thesis was
to allow anyone to choose whatever encoding is used [0].  This means
that one could choose the algorithm used to split input files into
blocks, whether to compress the input file or individual blocks, what
compression algorithm to use, what hash and cipher algorithm to use,
etc.  With that level of freedom, these two attacks are a lesser threat
(one might argue that, in practice, many people would use the default
settings, which would make them potential victims and attackers of each
other...).

Thanks,
Ludovic.

[0] http://www.fdn.fr/~lcourtes/phd/phd-thesis.pdf, e.g., Section 4.3.
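The two cases discussed above (whole-file convergent encryption versus encryption after splitting into blocks) can be checked mechanically. The following is an added example, not code from the thread, Tahoe or the thesis; it uses a constructed SHA-256 counter-mode keystream in place of a real cipher, constructed sample files, and a hypothetical per-user "convergence secret" mixed into the key derivation to show one way the cross-user block match goes away.

```python
import hashlib
import hmac


def _keystream(key: bytes, n: int) -> bytes:
    # Constructed toy keystream (SHA-256 in counter mode); it stands in for a
    # real cipher such as AES-CTR so the example runs on the standard library.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def convergent_encrypt(block: bytes, convergence_secret: bytes = b"") -> bytes:
    # Convergent encryption: the key is derived from the plaintext itself, so
    # identical blocks give identical ciphertexts. With an empty secret this is
    # plain convergent encryption; a per-user secret (hypothetical hardening,
    # assumed here) keeps deduplication within one user but not across users.
    key = hmac.new(convergence_secret, block, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(block, _keystream(key, len(block))))


def split_blocks(data: bytes, size: int) -> list[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample files: shared boilerplate followed by a per-file part.
BOILERPLATE = b"Dear customer, the following terms apply to your account:"
FILE_A = BOILERPLATE + b"secret"
FILE_B = BOILERPLATE + b"placeholder"


def whole_file_match(a: bytes, b: bytes) -> bool:
    # Unsplit files: only an exact plaintext reproduces the ciphertext.
    return convergent_encrypt(a) == convergent_encrypt(b)


def shared_block_positions(a: bytes, b: bytes, size: int,
                           secret_a: bytes = b"", secret_b: bytes = b"") -> list[int]:
    # Split files: indices of blocks whose ciphertexts coincide. Without a
    # per-user secret the boilerplate block matches (confirmation-of-a-block),
    # while the differing second block never does.
    ca = [convergent_encrypt(x, secret_a) for x in split_blocks(a, size)]
    cb = [convergent_encrypt(x, secret_b) for x in split_blocks(b, size)]
    return [i for i, (x, y) in enumerate(zip(ca, cb)) if x == y]
```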

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: convergent encryption reconsidered

2008-03-21 Thread Leichter, Jerry
|...Convergent encryption renders user files vulnerable to a
|confirmation-of-a-file attack. We already knew that. It also
|renders user files vulnerable to a learn-partial-information
|attack in subtle ways. We didn't think of this until now. My
|search of the literature suggests that nobody else did either.
The way "obvious in retrospect" applies here:  The vulnerability is
closely related to the power of probable plaintext attacks against
systems that are thought to be vulnerable only to known plaintext
attacks.  The general principle that needs to be applied is:  In any
cryptographic setting, if knowing the plaintext is sufficient to get
some information out of the system, then it will also be possible to get
information out of the system by guessing plaintext - and one must
assume that there will be cases where such guessing is easy enough.

-- Jerry
