[tahoe-dev] a crypto puzzle about digital signatures and future compatibility

David-Sarah Hopwood david-sarah at jacaranda.org
Fri Aug 28 04:57:44 UTC 2009

James A. Donald wrote:
> Zooko Wilcox-O'Hearn wrote:
>> On Wednesday, 2009-08-26, at 19:49 , Brian Warner wrote:
>>> Attack B is where Alice uploads a file, Bob gets the filecap and
>>> downloads it, Carol gets the same filecap and downloads it, and
>>> Carol desires to see the same file that Bob saw. ... The attackers
>>> (who may be Alice and/or other parties) get to craft the filecap
>>> and the shares however they like. The attackers win if Bob and
>>> Carol accept different documents.
>> Right, and if we add algorithm agility then this attack is possible
>> even if both SHA-2 and SHA-3 are perfectly secure!
>> Consider this variation of the scenario: Alice generates a filecap
>> and gives it to Bob.  Bob uses it to fetch a file, reads the file and
>> sends the filecap to Carol along with a note saying that he approves
>> this file.  Carol uses the filecap to fetch the file.  The Bob-and-Carol
>> team loses if she gets a different file than the one he got.
> If Bob and Carol want to be sure they are seeing the same file, they have
> to use a capability to an immutable file.
> Obviously a capability to an immutable file has to commit the file to a
> particular hash algorithm.

It's obvious that the capability has to commit to a particular hash
algorithm (note that a concatenation of more than one hash might as well
be considered another algorithm). It's not obvious that the file has to
be associated with a hash algorithm at all -- the algorithm is determined
by whoever creates the capability, not the file.

David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
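To make the point above concrete, here is an added Python sketch, not code from the message or from Tahoe-LAFS, of an immutable-file capability that commits to its hash algorithm. The cap syntax `<algorithm-id>:<hex digest>`, the algorithm registry, the `Share` record and the sample file contents are all constructed for this illustration; Tahoe's real URI format is different. The cap, not the downloaded share, decides which algorithm the verifier uses, and a concatenation of two hashes is registered as a distinct algorithm in its own right, as the message suggests.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical capability format for this example only (not Tahoe's URI syntax):
#   "<algorithm-id>:<hex digest>"
# Because the algorithm id lives inside the cap, whoever mints the cap fixes the
# algorithm; the file and its shares have no say in the matter.


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _sha3_256(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


def _sha256_sha3_256(data: bytes) -> bytes:
    # A concatenation of two hashes, treated as one algorithm with a 64-byte digest.
    return _sha256(data) + _sha3_256(data)


# Registry of algorithms a cap may name (constructed for the example).
ALGORITHMS = {
    "sha256": _sha256,
    "sha3-256": _sha3_256,
    "sha256+sha3-256": _sha256_sha3_256,
}


@dataclass(frozen=True)
class Share:
    """What a downloader gets back from storage: the bytes plus whatever
    metadata the uploader chose to attach (constructed for this example)."""
    data: bytes
    claimed_algorithm: str  # uploader-controlled; the verifier must not trust it


def make_cap(data: bytes, algorithm: str) -> str:
    """Mint an immutable-file cap that commits to both the algorithm and the digest."""
    digest = ALGORITHMS[algorithm](data)
    return f"{algorithm}:{digest.hex()}"


def parse_cap(cap: str) -> tuple[str, bytes]:
    """Split a cap into (algorithm id, expected digest), rejecting unknown algorithms."""
    algorithm, _, hexdigest = cap.partition(":")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown algorithm in cap: {algorithm!r}")
    return algorithm, bytes.fromhex(hexdigest)


def verify(cap: str, share: Share) -> bool:
    """Accept the share only if its bytes match the cap under the algorithm the
    cap names. share.claimed_algorithm is deliberately ignored."""
    algorithm, expected = parse_cap(cap)
    actual = ALGORITHMS[algorithm](share.data)
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Walk through the Alice / Bob / Carol scenario with constructed sample files."""
    alice_file = b"constructed sample: the document Alice uploaded"
    other_file = b"constructed sample: a different document"
    cap = make_cap(alice_file, "sha256")
    return {
        "bob_accepts": verify(cap, Share(alice_file, "sha256")),
        # Carol holds the same cap. Share metadata naming another algorithm
        # changes nothing, because the cap, not the share, picks the algorithm.
        "carol_accepts_same_file": verify(cap, Share(alice_file, "sha3-256")),
        "carol_rejects_other_file": not verify(cap, Share(other_file, "sha3-256")),
        # A cap minted with the concatenated algorithm is a different cap.
        "concat_cap_is_distinct": make_cap(alice_file, "sha256+sha3-256") != cap,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The verifier never reads `claimed_algorithm`; a cap whose algorithm id is not in the registry is rejected outright rather than falling back to whatever the share suggests.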
