[tahoe-dev] a crypto puzzle about digital signatures and future compatibility
david-sarah at jacaranda.org
Fri Aug 28 04:57:44 UTC 2009
James A. Donald wrote:
> Zooko Wilcox-O'Hearn wrote:
>> On Wednesday,2009-08-26, at 19:49 , Brian Warner wrote:
>>> Attack B is where Alice uploads a file, Bob gets the filecap and
>>> downloads it, Carol gets the same filecap and downloads it, and
>>> Carol desires to see the same file that Bob saw. ... The attackers
>>> (who may be Alice and/or other parties) get to craft the filecap
>>> and the shares however they like. The attackers win if Bob and
>>> Carol accept different documents.
>> Right, and if we add algorithm agility then this attack is possible
>> even if both SHA-2 and SHA-3 are perfectly secure!
>> Consider this variation of the scenario: Alice generates a filecap
>> and gives it to Bob. Bob uses it to fetch a file, reads the file and
>> sends the filecap to Carol along with a note saying that he approves
>> this file. Carol uses the filecap to fetch the file. The Bob-and-
>> Carol team loses if she gets a different file than the one he got.
> If Bob and Carol want to be sure they are seeing the same file, have to
> use a capability to an immutable file.
> Obviously a capability to an immutable file has to commit the file to a
> particular hash algorithm.
It's obvious that the capability has to commit to a particular hash
algorithm (note that a concatenation of more than one hash might as well
be considered another algorithm). It's not obvious that the file has to
be associated with a hash algorithm at all -- the algorithm is determined
by whoever creates the capability, not the file.
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
More information about the tahoe-dev