[tahoe-dev] cleversafe says: 3 Reasons Why Encryption isOverrated

Jason Resch jresch at cleversafe.com
Mon Aug 10 16:20:05 UTC 2009

james hughes wrote:
> On Aug 6, 2009, at 1:52 AM, Ben Laurie wrote:
> > Zooko Wilcox-O'Hearn wrote:
> >> I don't think there is any basis to the claims that Cleversafe makes
> >> that their erasure-coding ("Information Dispersal")-based system is
> >> fundamentally safer, e.g. these claims from [3]: "a malicious party
> >> cannot recreate data from a slice, or two, or three, no matter what 
> >> the
> >> advances in processing power." ... "Maybe encryption alone is 'good
> >> enough' in some cases now  - but Dispersal is 'good always' and
> >> represents the future."
> >
> > Surely this is fundamental to threshold secret sharing - until you 
> > reach
> > the threshold, you have not reduced the cost of an attack?
> Until you reach the threshold, you do not have the information to 
> attack. It becomes information theoretic secure.

With a secret sharing scheme such as Shamir's you have information theoretic security.  With the All-or-Nothing Transform and dispersal the distinction is there is only computational security.  The practical difference is that though 2^-256 is very close to 0, it is not 0, so the possibility remains that with sufficient computational power useful data could be obtained with less than a threshold number of slices.  The difficulty of this is as hard as breaking the symmetric cipher used in the transformation.

> They are correct, if you lose a "slice, or two, or three" that's fine, 
> but once you have the threshold number, then you have it all. This 
> means that you must still defend the site from attackers, protect your 
> media from loss, ensure your admins are trusted. As such, you have 
> accomplished nothing to make the management of the data easier.

Is there any data storage system which does not require some protection against attackers, resiliency to media failure, and trusted administrators?  Even in a systems where one encrypts the data and focuses all energy on keeping the key safe, the encrypted copies must still be protected for availability and reliability reasons.

The security provided by this approach is only the icing on the cake to the other benefits of dispersal.  Dispersal provides extremely high fault tolerance and reliability without the large storage requirements of making copies.  See this paper "Erasure Coding vs. Replication: A Quantitative Comparison" by the creators of OceanStore for a primer on some of the advantages: http://www.cs.rice.edu/Conferences/IPTPS02/170.pdf

> Assume your threshold is 5. You lost 5 disks... Whose information was 
> lost? Anyone? Do you know?

If a particular "vault" (Our term for a logical grouping of data on which access controls may be applied) had data stored on on a threshold number of compromised drives, then data in that vault would be considered compromised.  Our systems tracks which vaults have data on which machines through a global set of configuration information we call the Registry.

> What if the 5 drives were lost over 5 
> years, what then?

When drives or machines are known to be lost or compromised one may perform a read and overwrite of the peer-slices.  This makes obsolete any slices attackers may have accumulated up until that point.  This is due to the fact that the AONT is a random transformation, and newly generated slices cannot be used with old ones to re-create data.  Therefore this protocol protects against slow accumulation of a threshold number of slices over time.

> CleverSafe can not provide any security guarantees 
> unless these questions can be answered. Without answers, CleverSafe is 
> neither Clever nor Safe.
> Jim

Please let me know if you have any additional questions regarding our technology.

Best Regards,

Jason Resch

More information about the tahoe-dev mailing list