Date: Tue, 3 Feb 2009 16:51:12 +0000
From: roger peppe
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Sources Gone?

2009/2/3 erik quanstrom :
>> to my mind, the biggest security vulnerability in venti
>> is the ability to unconditionally enumerate an entire file tree given
>> its root score. if the VtPointer data structures, or the
>> scores within them, were encrypted somehow, maybe
>> that vulnerability could be mitigated. scores would still
>> be useful, but only in conjunction with a (salted) key.
>
> i'm not sure i understand. either you have the key (score)
> and you can decrypt the whole cyphertext (read the file tree
> below), or you don't. assuming of course that scores are too
> hard to guess. so the solution is: don't give out the root score.

i'm suggesting that the venti blocks containing pointers (which are
well separated, by design) could be stored encrypted. so given a
score, you can get a block out of venti (as now), but you need the
secret key in order to be able to decrypt the scores contained within
it. thus knowing a root score without knowing the secret key does not
enable browsing the entire tree.

obviously, you could do this for data blocks too, but then you don't
get any sharing at all.

> is there any other way to end up with the same pointer block
> than starting with the same data?

of course - two identical subtrees share the same pointer blocks, but
don't necessarily share the same root.

> i don't see how information could leak,

information can't leak in principle, but root scores are dangerous,
which is why open-access venti servers are problematic - if such a
score *does* happen to leak, then unconditional access to all your
data has also leaked.

i guess my proposal really just boils down to a way to be able to
write down scores in a not-entirely-secret place without compromising
everything.

> if you want users, groups and access control, isn't the fs the
> place to go? i'm trying to see how doing fsey things at the
> venti level would be useful, but i don't see it yet.

the attraction, for me at any rate, is that certain operations are
really cheap and easy in venti, but expensive in the fs.
cloning/copying a multi-gigabyte tree being the canonical example.
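An added illustration of the scheme proposed in the message above (example code, not from the thread and not venti's own code): a toy content-addressed store in which data blocks are kept in the clear and dedupe by score, while pointer blocks are sealed under a key before storage, so a root score alone fetches the pointer block but not the child scores inside it. The store, the one-level "tree" and the SIV-style HMAC cipher (deterministic so identical pointer blocks still share storage) are all assumptions of this example, standing in for venti's real block types and a real deterministic AEAD.

```python
import hashlib
import hmac

# Toy content-addressed store: a block is addressed by the SHA-1 of what
# is actually stored (constructed for this example; not venti's format).
store = {}
SCORE_LEN = 20


def score(block: bytes) -> bytes:
    return hashlib.sha1(block).digest()


def put(block: bytes) -> bytes:
    s = score(block)
    store[s] = block
    return s


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, used only as a toy keystream.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plain: bytes) -> bytes:
    # SIV-style: the nonce is a MAC of the plaintext, so sealing is
    # deterministic (same subtree + same key -> same block -> shared).
    nonce = hmac.new(key, plain, hashlib.sha256).digest()[:16]
    return nonce + bytes(a ^ b for a, b in zip(plain, keystream(key, nonce, len(plain))))


def unseal(key: bytes, sealed: bytes):
    # Returns None when the key is wrong (the recomputed MAC will not match).
    nonce, body = sealed[:16], sealed[16:]
    plain = bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))
    if not hmac.compare_digest(nonce, hmac.new(key, plain, hashlib.sha256).digest()[:16]):
        return None
    return plain


def put_tree(key: bytes, files: list) -> bytes:
    # Data blocks go in as-is (so they dedupe across keys); the pointer
    # block holding their scores is sealed before it is stored.
    return put(seal(key, b"".join(put(f) for f in files)))


def enumerate_tree(root: bytes, key: bytes = None):
    # Without the key you get the pointer block, but no scores to follow.
    block = store[root]
    if key is None:
        return None
    plain = unseal(key, block)
    if plain is None:
        return None
    return [plain[i:i + SCORE_LEN] for i in range(0, len(plain), SCORE_LEN)]
```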