cleversafe says: 3 Reasons Why Encryption is Overrated

Zooko Wilcox-O'Hearn zooko at zooko.com
Sun Aug 9 13:48:20 PDT 2009 

[dropped tahoe-dev from Cc:]

On Thursday,2009-08-06, at 17:08 , james hughes wrote:

>Until you reach the threshold, you do not have the information to  
>attack. It becomes information theoretic secure.

This is true for information-theoretically secure secret sharing, but  
not true for Cleversafe's technique of composing an All-Or-Nothing- 
Transform with Reed-Solomon erasure coding.

>CleverSafe can not provide any security guarantees unless these  
>questions can be answered. Without answers, CleverSafe is neither  
>Clever nor Safe.

Hey, let's be nice.  Cleversafe has implemented a storage system  
which integrates encryption in the attempt to make it safer.  They  
GPL at least some of their work [*], and they publish their ideas and  
engage in discussion about them.  These are all good things.  My  
remaining disagreements with them are like this:

1.  (The important one.)  I don't think the access control policy of  
"whoever can access at least K of the N volumes of data" is the  
access control policy that I want.  For one thing, it immediately  
leads to the questions that James Hughes was asking, about who is  
authorized to access what servers.  For another thing, I would really  
like my access control policy to be fine-grained, flexible, and  
dynamic.  So for example, I'd like to be able to give you access two  
three of my files but not all my other files, and I'd like you to  
then be able to give your friend access to two of those files but not  
the third.  See Brian Warner's and Jason Resch's discussion of these  
issues: [1, 2].

2.  Cleversafe seems to think that their scheme gives better-than- 
computational security, i.e. that it guarantees security even if  
AES-256 is crackable.  This is wrong, but it is an easy mistake to  
make!  Both Ben Laurie and James Hughes have jumped to the conclusion  
(in this thread) that the Cleversafe K-out-of-N encoding has the same  
information-theoretic security that secret-sharing K-out-of-N  
encoding has.

3.  Cleversafe should really tone down the Fear Uncertainty and Doubt  
about today's encryption being mincemeat for tomorrow's  
cryptanalysts.  It might turn out to be true, but if so it will be  
due to cryptanalytic innovations more than due to Moore's Law.  And  
it might not turn out like that -- perhaps AES-256 will remain safe  
for centuries.  Also, Cleversafe's product is not more secure than  
any other product against this threat.

It is hard to explain to non-cryptographers how much they can rely on  
the security of cryptographic schemes.  It's very complicated, and  
most schemes deployed have failed due to flaws in the surrounding  
system, engineering errors or key management (i.e. access control)  
problems.  Nobody knows what cryptanalytic techniques will be  
invented in the future.  My opinion is that relying on well- 
engineered strong encryption to protect your data is at least as safe  
alternatives such as keeping the data on your home computer or on  
your corporate server.  The Cleversafe FUD doesn't help people  
understand the issues better.

Regards,

Zooko

[1] http://allmydata.org/pipermail/tahoe-dev/2009-July/002482.html
[2] http://allmydata.org/pipermail/tahoe-dev/2009-August/002514.html

[*] Somebody stated on a mailing list somewhere that Cleversafe has  
applied for patents.  Therefore, if you want to use their work under  
the terms of the GPL, you should also be aware that if their patents  
are granted then some of what you do may be subject to the patents.   
Of course, this is always true of any software (the techniques might  
be patented), but I thought it was worth mentioning since in this  
case the company authoring the software is also the company applying  
for patents.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list