From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <0f20f6df5964a0f1e5d57d07e538316d@quintile.net>
From: "Steve Simon"
Date: Tue, 12 Feb 2008 17:45:19 +0000
To: 9fans@cse.psu.edu
Subject: Re: [9fans] s3venti
In-Reply-To: <676c3c4f0802111449h7f9e0ae7h421ea563441c7b92@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Topicbox-Message-UUID: 5176b7d6-ead3-11e9-9d60-3106f5b1d025

> For the record, s3venti does encrypt blocks that it writes to S3. It
> uses a single key, making it rather vulnerable to dictionary attacks,
> but I haven't come up with a way to do better without changing the
> venti protocol. Suggestions are welcome.

Beware: I am no security expert, I know just enough to be dangerous.

Ensure you have plenty of entropy - insist on long pass phrases. sha1 this with the block number to give you the key for a particular block. This at least permutes the venti tree info blocks - its real purpose is to ensure the duplicate blocks look different when encrypted, but venti doesn't have duplicate blocks as such.

You could repeat the sha1, as it may be possible to infer some info given all the sha1s start with the same (or known) prefix - the pass phrase (or block number).

If you are likely to have multiple ventis with the same password on the server (one for work stuff and one for home), then stir a random string into the sha1 and keep this in factotum; generate this string when the venti is initialised.

Your venti blocks are compressed, which gives you some obscurity; guessing plaintext is not so easy, but Huffman tables and the like still stand out.

If you want to be obsessive you could generate a block of random data, say 64k, which you hold locally and xor with your venti blocks before encryption. Offset your start position in the random data by a value generated from the sha1(sha1(blocknumber, passphrase)) (e.g. the checksum); this would make cracking your data much harder.

Note this block of random data needs to be really random, not a PRBS like rand() which is predictable. You could slowly suck bytes from /dev/random on a busy machine.

As ever it's a case of: how valuable is it? How long do you want to keep it secret? Who are you trying to keep it secret from?

caveat emptor

-Steve
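The per-block key derivation and XOR whitening sketched above, worked through as an added example in Python (not s3venti's or venti's own code): the passphrase, per-venti salt, 64k pad and block numbers are constructed sample values, and the block cipher that would then consume the derived key is left out.

```python
import hashlib

# Constructed sample inputs for the demonstration. In the scheme described,
# the salt would be generated when the venti is initialised and kept in
# factotum, and the pad filled from /dev/random rather than derived like this.
PASSPHRASE = b"a long pass phrase with plenty of entropy in it"
SALT = bytes.fromhex("8f3a1c5e9b2d4a7c0e6f1b3d")  # per-venti random string (constructed)
PAD = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
               for i in range(2048))  # 64 KiB stand-in for the local random pad


def block_key(passphrase: bytes, salt: bytes, blocknum: int, rounds: int = 2) -> bytes:
    """Key for one block: sha1 over (salt, passphrase, block number), re-hashed
    so the final digest is not a hash of data that starts with a known prefix."""
    digest = salt + passphrase + blocknum.to_bytes(8, "big")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def pad_offset(passphrase: bytes, blocknum: int, padlen: int) -> int:
    """Start position in the pad, taken from sha1(sha1(blocknum, passphrase))
    and reduced modulo the pad length."""
    inner = hashlib.sha1(blocknum.to_bytes(8, "big") + passphrase).digest()
    outer = hashlib.sha1(inner).digest()
    return int.from_bytes(outer[:4], "big") % padlen


def whiten(block: bytes, pad: bytes, offset: int) -> bytes:
    """XOR the block with the pad starting at offset, wrapping round the pad.
    Applying it a second time with the same offset restores the block."""
    return bytes(b ^ pad[(offset + i) % len(pad)] for i, b in enumerate(block))


def prepare_block(block: bytes, blocknum: int):
    """Everything done to one block before it reaches the block cipher (not shown):
    returns (per-block key, whitened block)."""
    key = block_key(PASSPHRASE, SALT, blocknum)
    off = pad_offset(PASSPHRASE, blocknum, len(PAD))
    return key, whiten(block, PAD, off)


if __name__ == "__main__":
    same = bytes(32)  # identical plaintext stored at two different block numbers
    k1, w1 = prepare_block(same, 7)
    k2, w2 = prepare_block(same, 8)
    print("per-block keys differ:", k1 != k2)
```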