[tahoe-dev] Question about convergence keys
zooko at zooko.com
Wed Aug 13 01:48:07 UTC 2008
I'm glad to hear that you are experimenting with Tahoe. Please do
keep us informed of your impressions of it. Your concern seems valid
if I understand it correctly. Let me see if I understand: you're
concerned that if the symmetric encryption key is just the secure hash
of the file (in the case that the added convergence secret is not used
or is the empty string), then there might be people who know the
secure hash of the file but who oughtn't be allowed to get the
plaintext of the file. For example, users may have published the
SHA-256 hashes of their files even though the files are private.
I think this is a valid concern, and this is why we use a "tagged
hash" instead of a normal hash of the file. A "tagged hash" is just
that we use some unambiguous prefix when hashing the file to separate
hash values which are used for this purpose from hash values which are
used for other purposes. Your concern can be seen as an example of
the "chosen protocol attack", and tagging your hashes is one
defense against that attack.
This practice of ours is lightly documented in architecture.txt,
and you can see the actual implementation and which tags we use for
which purposes and so on in hashutil.py.
P.S. In a distantly related story I'm interested to see that this
program claims that SHA-256 is less secure than Tiger-192.
I've added a link and some notes about that to the Tahoe Bibliography.
I like Tiger-192 because it is so efficient -- one third as much CPU
load as SHA-256 on these benchmarks -- and because it emits
24-byte outputs instead of 32-byte outputs, which would fit better
into nice small caps.
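The tagged-hash idea from the message body, worked through as an added example (this is not code from Tahoe or from the poster; the tag string `example-convergence-key`, the netstring-style length-prefix encoding and the 16-byte key truncation are this example's own choices, and Tahoe's real tags and encoding live in its hashutil.py). It shows the two properties the post relies on: someone who holds the plain SHA-256 of a file cannot recover the convergence key from it, and the unambiguous prefix means a tagged digest can never be confused with a plain file digest or with a digest computed under a different tag. The final check also shows why "unambiguous" matters: naive concatenation lets two different (tag, data) pairs hash to the same value, while length-prefixed fields do not.

```python
import hashlib

# Hypothetical tag for this example; Tahoe's actual tags are in hashutil.py.
CONVERGENCE_KEY_TAG = b"example-convergence-key"


def tagged_hash(tag: bytes, *parts: bytes) -> bytes:
    """SHA-256 over an unambiguous encoding of a tag and the input fields.

    Every field, the tag included, is written as a netstring
    (b"<length>:<data>,"), so the byte stream fed to SHA-256 can be parsed
    back into exactly one (tag, fields) tuple.  A plain SHA-256 of the file
    therefore never equals any tagged hash, and two different tags never
    produce the same digest for the same data.  Encoding chosen for this
    example only.
    """
    h = hashlib.sha256()
    for field in (tag, *parts):
        h.update(b"%d:" % len(field))
        h.update(field)
        h.update(b",")
    return h.digest()


def convergence_key(plaintext: bytes, convergence_secret: bytes = b"") -> bytes:
    """Derive a 16-byte content key from the file and an optional secret.

    Same file + same secret -> same key (convergence, enables dedup).
    Same file + different secret -> unrelated key.
    The key is a tagged hash, so publishing sha256(plaintext) reveals
    nothing about it.  Truncation to 16 bytes is this example's choice.
    """
    return tagged_hash(CONVERGENCE_KEY_TAG, convergence_secret, plaintext)[:16]


def naive_hash(tag: bytes, data: bytes) -> bytes:
    """Deliberately weak comparison: tag and data simply concatenated."""
    return hashlib.sha256(tag + data).digest()


def check_properties(plaintext: bytes) -> dict:
    """Return the security properties as booleans for the given file."""
    published = hashlib.sha256(plaintext).digest()   # what a user might post
    key_no_secret = convergence_key(plaintext)
    return {
        # Knowing the published file hash does not give the key.
        "published_hash_is_not_key": published[:16] != key_no_secret
        and not published.startswith(key_no_secret),
        # Convergence: identical input yields identical key.
        "converges": convergence_key(plaintext) == key_no_secret,
        # Adding a secret changes the key.
        "secret_changes_key": convergence_key(plaintext, b"s1") != key_no_secret,
        # A different tag on the same data yields a different digest.
        "tag_separates_purposes":
            tagged_hash(b"other-purpose", plaintext) != tagged_hash(CONVERGENCE_KEY_TAG, plaintext),
        # Naive concatenation is ambiguous: (b"a", b"b") and (b"ab", b"") collide.
        "naive_concat_collides": naive_hash(b"a", b"b") == naive_hash(b"ab", b""),
        # Length-prefixed encoding removes that ambiguity.
        "tagged_hash_unambiguous": tagged_hash(b"a", b"b") != tagged_hash(b"ab", b""),
    }


if __name__ == "__main__":
    sample = b"constructed sample plaintext for the example\n"
    for name, ok in check_properties(sample).items():
        print(f"{name:28s} {'ok' if ok else 'FAIL'}")
```

Running the block prints one line per property; a real deployment would additionally feed the derived key into the file cipher, which is outside the scope of this example.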