From: roger peppe <rogpeppe@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Sources Gone?
Date: Tue, 3 Feb 2009 16:51:12 +0000 [thread overview]
Message-ID: <df49a7370902030851l437dba7jd123cc6762ac797a@mail.gmail.com> (raw)
In-Reply-To: <f87bb981ef60f4b40f537f3ab25ac23a@quanstro.net>
2009/2/3 erik quanstrom <quanstro@quanstro.net>:
>> to my mind, the biggest security vulnerability in venti
>> is the ability to unconditionally enumerate an entire file tree given
>> its root score. if the VtPointer data structures, or the
>> scores within them, were encrypted somehow, maybe
>> that vulnerability could be mitigated. scores would still
>> be useful, but only in conjunction with a (salted) key.
>
> i'm not sure i understand. either you have the key (score)
> and you can decrypt the whole cyphertext (read the file tree
> below), or you don't. assuming of course that scores are too
> hard to guess. so the solution is: don't give out the root score.
i'm suggesting that the venti blocks containing pointers
(which are well separated, by design) could be stored encrypted.
so given a score, you can get a block out of venti
(as now), but you need the secret key in order to be able
to decrypt the scores contained within it. thus knowing a root score
without knowing the secret key does not enable browsing the entire tree.
obviously, you could do this for data blocks too, but then you
don't get any sharing at all.
> is there any other way to end up with the same pointer block
> than starting with the same data?
of course - two identical subtrees share the same pointer blocks,
but don't necessarily share the same root.
> i don't see how information could leak,
information can't leak in principle, but root scores are dangerous, which
is why open-access venti servers are problematic - if such a score
*does* happen to leak, then unconditional access to all your data has
also leaked.
i guess my proposal really just boils down to a way to be able
to write down scores in a not-entirely-secret place without
compromising everything.
> if you want users, groups and access control, isn't the fs the
> place to go? i'm trying to see how doing fsey things at the
> venti level would be useful, but i don't see it yet.
the attraction, for me at any rate, is that certain operations are
really cheap and easy in venti, but expensive in the fs.
cloning/copying a multi-gigabyte tree being the canonical example.
next prev parent reply other threads:[~2009-02-03 16:51 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-23 11:56 Gregory Pavelcak
2009-01-23 14:15 ` erik quanstrom
2009-01-23 14:54 ` lucio
2009-01-23 15:09 ` erik quanstrom
2009-01-27 22:59 ` Uriel
2009-01-27 23:32 ` Russ Cox
2009-01-28 0:58 ` Kenji Arisawa
2009-01-28 5:06 ` Uriel
2009-01-28 11:46 ` Iruata Souza
2009-01-28 12:41 ` Charles Forsyth
2009-01-28 13:53 ` erik quanstrom
2009-01-29 12:12 ` Uriel
2009-01-29 13:37 ` erik quanstrom
2009-01-29 16:45 ` Roman V. Shaposhnik
2009-01-29 16:15 ` ron minnich
2009-01-29 16:34 ` Roman V. Shaposhnik
2009-01-29 16:30 ` Roman V. Shaposhnik
2009-01-29 17:18 ` Russ Cox
2009-01-29 17:30 ` erik quanstrom
2009-01-29 17:43 ` Russ Cox
2009-01-29 17:39 ` gas
2009-01-29 21:09 ` Roman V. Shaposhnik
2009-01-29 21:42 ` erik quanstrom
2009-01-29 23:05 ` Roman V. Shaposhnik
2009-01-29 23:49 ` erik quanstrom
2009-01-30 0:28 ` Russ Cox
2009-01-30 4:46 ` [9fans] Venti and version control (Was: Sources Gone?) lucio
2009-01-30 5:18 ` [9fans] Sources Gone? lucio
2009-01-31 13:45 ` Bruce Ellis
2009-01-31 18:12 ` Akshat Kumar
2009-01-31 18:44 ` Bruce Ellis
2009-02-02 22:33 ` Roman V. Shaposhnik
2009-02-02 22:43 ` erik quanstrom
2009-02-02 23:26 ` Roman V. Shaposhnik
2009-02-02 23:39 ` erik quanstrom
2009-02-03 10:04 ` Richard Miller
2009-02-03 4:23 ` lucio
2009-02-03 5:23 ` erik quanstrom
2009-02-03 5:47 ` lucio
2009-02-03 12:54 ` erik quanstrom
2009-02-03 13:38 ` roger peppe
2009-02-03 14:01 ` erik quanstrom
2009-02-03 16:13 ` Anthony Sorace
2009-02-03 16:22 ` erik quanstrom
2009-02-03 16:51 ` roger peppe [this message]
2009-02-03 16:55 ` erik quanstrom
2009-02-03 17:30 ` Brian L. Stuart
2009-02-05 1:24 ` Roman V. Shaposhnik
2009-02-03 17:42 ` lucio
2009-02-03 17:40 ` lucio
2009-02-03 17:51 ` erik quanstrom
2009-02-04 8:40 ` sqweek
2009-02-04 16:40 ` [9fans] Some arithmetic [was: Re: Sources Gone?] Nathaniel W Filardo
2009-02-04 17:10 ` Nathaniel W Filardo
2009-02-04 17:49 ` hiro
2009-02-05 11:19 ` Dave Eckhardt
2009-02-05 17:38 ` Russ Cox
2009-02-05 17:41 ` erik quanstrom
2009-02-05 18:08 ` Roman V. Shaposhnik
2009-02-05 18:22 ` Micah Stetson
2009-02-05 18:29 ` Roman V. Shaposhnik
2009-02-05 18:31 ` erik quanstrom
2009-02-05 18:32 ` hiro
2009-01-30 4:25 ` [9fans] Sources Gone? lucio
2009-01-29 22:33 ` Russ Cox
2009-01-29 22:58 ` Roman V. Shaposhnik
2009-01-29 23:06 ` Russ Cox
2009-01-29 12:13 ` kokamoto
2009-01-27 23:11 ` Patrick Kristiansen
2009-01-28 0:11 ` Tharaneedharan Vilwanathan
2009-01-28 5:55 ` lucio
2009-01-29 18:00 erik quanstrom
2009-01-29 18:00 erik quanstrom
[not found] <2b0250f2fe16a645a4641825c2f33741@quanstro.net>
2009-02-03 17:27 ` lucio
2009-02-05 1:20 ` Roman V. Shaposhnik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df49a7370902030851l437dba7jd123cc6762ac797a@mail.gmail.com \
--to=rogpeppe@gmail.com \
--cc=9fans@9fans.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).