[tahoe-dev] Fwd: Small-key DSA variant

Brian Warner warner at lothar.com
Thu Aug 27 02:16:46 UTC 2009


David-Sarah Hopwood wrote:

> and hence are verifiable by the same public key (their own key, that
> is, not someone else's). This is a "duplicate signature" attack in the
> terminology of <http://citeseer.ist.psu.edu/stern02flaws.html>.
> 
> Is that a valid attack on the intended security properties of Tahoe? I
> think probably not, provided that no-one expects these signatures to
> guarantee nonrepudiability.

Incidentally, one idea we've kicked around is to let mutable filecaps be
augmented with an extra hash-of-the-contents field, to turn them into
immutable filecaps. The creator could choose their own tradeoff between
cap-length and verification strength (which would include
nonrepudiability too).

A secondary motivation would be how it relates to future "LDMF" mutable
files, in which we're planning to include versioning. The readcap+hash
cap would basically point to a mutable slot (the readcap) and a specific
version of the file (the hash). The hash could be short, if you don't
mind being vulnerable to the writecap holder.

cheers,
 -Brian



More information about the tahoe-dev mailing list