[tahoe-dev] Using a cipher cascade (was: survey on side-channel attacks)

Zooko O'Whielacronx zookog at gmail.com
Tue Jan 5 07:37:34 UTC 2010

On Tue, Jan 5, 2010 at 12:19 AM, Zooko Wilcox-O'Hearn <zooko at zooko.com> wrote:
> That said, I don't *think* the current use cases for Tahoe-LAFS make
> the users vulnerable to the known timing attacks on AES (especially
> given that the AES implementation that we use [5] has a defense
> against remote timing attacks).  This is because people who need to
> keep control of their own files use a gateway running on their own
> computer so they are not vulnerable to someone else accessing their
> files.

I guess this assumption of mine will have to change if people start
using Tahoe-LAFS in the "cloud computing" reliance model where they
don't mind being vulnerable to the owner of the gateway machine, but
they do mind being vulnerable to that owner's other customers. This is
one of the possibilities mentioned in Aaron Cordova's HadoopWorld talk
[1], and it is the sort of reliance model that a lot of other people
seem to be keen on, which is why research like [2] is important since
it threatens that model.

Anyway, the timing issues in AES have to be revisited if you want to
support that model.  Also, I suppose, if there is the possibility that
the attacker could arrange to run his code on your machine that runs
your web gateway (hm...).  Not coincidentally, some of the researchers
working on this "customers attacking one another in the cloud" angle
are also working on AES timing attacks.

In any case, I'm pretty sure that we ought to use a cipher combiner
for the next revision in the same way that we ought to use a hash
function combiner [3].
[1] http://www.cloudera.com/sites/all/themes/cloudera/static/hw09/3%20%20-%202-30%20Aaron%20Cordova,%20BAH,%20HadoopWorldComplete.pdf
[2] Ristenpart et al.: "Hey, You, Get Off of My Cloud"
[3] "hedging our bets -- in case SHA-256 turns out to be insecure"