[mnet-devel] Re: [web-calculus] YURLs

Zooko zooko at zooko.com
Mon Jul 21 00:46:08 BST 2003


Note that this whole issue of using a different encryption key is *not* likely 
to be a big deal in practice.  If an attacker can give you the wrong encryption 
key, then he can very likely give you the whole wrong mnet URI!

It is expected that mnet URIs will be used and shared atomically, where a 
single URI, which looks like this

mnet:38ppp56jbb8b64zrh8reoadzgn1zpdxc76enkmqduwtf4tug

contains both the inodeId and the encryption key.

So *usually*, when you receive an mnetURI, you are at the mercy of the person 
who chose the mnetURI to determine what file you ultimately fetch.

That is: if the attacker can change the key, he can also change the inodeId, 
thus directing you to a file of his choice.

However, I can imagine a situation where you are using less complete 
integrity, for example, your friend calls you on the phone and says "Hey have 
you seen that file whose URI begins with 'three eight pee pee pee five six jay 
bee bee eight bee six four zee arr aitch eight arr e oh ay dee zee gee inn'?".

Or you write an mnetURI on a beer-soaked napkin in a bar, and the attacker 
sneaks up behind you and changes a few letters, or whatever.

In those cases, it is possible that the attacker has the ability to change 
some or all of the bits of the key (which is actually the rightmost sixteen 
characters of the mnetURI) but he doesn't have the ability to change enough of 
the bits of the inodeId (the leftmost 32 characters, excluding "mnet:").

So just to be clear, there are *two* requirements that both have to hold for 
the current design to be insecure: first, the user has to receive the right 
inodeId but the wrong AES key, while believing that he has both right, and 
second, the attacker has to be able to generate a "funny AES key".

(Note that brute-forcing a funny AES key by trying random keys until one 
works requires about 2^64 attempts.)

Still, I would be happier if I could say "Any incorrect file reconstruction 
implies a SHA1 collision.", so I intend to change the design by adding the 
HMAC as discussed.

Regards,

Zooko
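Added example (my own illustration, not Mnet code and not part of Zooko's 
message): a small Python model of the URI layout described above and of the 
two designs the message contrasts.  The character split uses exactly the 
positions the message gives (leftmost 32 characters after "mnet:" are the 
inodeId, rightmost 16 are the key) and is run against the URI quoted above. 
Everything else is an assumption made for illustration: the cipher is a 
SHA-1 keystream standing in for AES, the current-design inodeId is taken to 
be a SHA-1 of the ciphertext, whatever check Mnet currently applies to a 
decrypted file (the one a "funny" key would have to pass) is left out, and 
"the HMAC as discussed" is realized as inodeId = SHA1(HMAC-SHA1(key, 
ciphertext)), which is one way to obtain the property that an incorrect 
reconstruction implies a SHA-1 collision.

```python
# Added example, not Mnet's own code.  Models the mnet URI layout from the
# message and the "key not bound to inodeId" problem it describes.
import hashlib
import hmac

MNET_PREFIX = "mnet:"
INODE_CHARS = 32   # leftmost 32 characters after "mnet:" (from the message)
KEY_CHARS = 16     # rightmost 16 characters (from the message)


def split_mnet_uri(uri):
    """Split an mnet URI into its (inodeId, key) text parts.

    Only the character layout stated in the message is used; the page does
    not specify the character encoding, so nothing is decoded here.
    """
    if not uri.startswith(MNET_PREFIX):
        raise ValueError("not an mnet URI")
    body = uri[len(MNET_PREFIX):]
    if len(body) != INODE_CHARS + KEY_CHARS:
        raise ValueError("unexpected mnet URI length %d" % len(body))
    return body[:INODE_CHARS], body[INODE_CHARS:]


def _keystream_cipher(key, data):
    """Assumed stand-in for AES: XOR with a SHA-1 keystream (toy only)."""
    out = bytearray()
    for offset in range(0, len(data), 20):
        block = hashlib.sha1(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 20], block))
    return bytes(out)


# --- current design as the message describes it: inodeId does not depend
# --- on the key, so a changed key cannot be detected from the URI alone.
def publish_current(key, plaintext, store):
    ciphertext = _keystream_cipher(key, plaintext)
    inode_id = hashlib.sha1(ciphertext).digest()   # assumption: hash of ciphertext
    store[inode_id] = ciphertext
    return inode_id


def fetch_current(inode_id, key, store):
    ciphertext = store[inode_id]
    if hashlib.sha1(ciphertext).digest() != inode_id:
        raise ValueError("ciphertext does not match inodeId")
    # Nothing ties key to inode_id: a wrong key silently yields wrong bytes.
    return _keystream_cipher(key, ciphertext)


# --- proposed design (assumed realization): inodeId commits to the key
# --- through an HMAC, so a wrong key with the right inodeId is rejected
# --- unless the attacker finds a SHA-1 collision.
def publish_hmac(key, plaintext, store):
    ciphertext = _keystream_cipher(key, plaintext)
    tag = hmac.new(key, ciphertext, hashlib.sha1).digest()
    inode_id = hashlib.sha1(tag).digest()
    store[inode_id] = ciphertext
    return inode_id


def fetch_hmac(inode_id, key, store):
    ciphertext = store[inode_id]
    tag = hmac.new(key, ciphertext, hashlib.sha1).digest()
    if not hmac.compare_digest(hashlib.sha1(tag).digest(), inode_id):
        raise ValueError("key does not match inodeId (tampered key or data)")
    return _keystream_cipher(key, ciphertext)


def tamper(key, nbytes=3):
    """Flip one bit in a few key bytes: the beer-soaked-napkin attacker."""
    k = bytearray(key)
    for i in range(nbytes):
        k[i] ^= 1
    return bytes(k)


def demo():
    """Run both designs against a correct key and a tampered key."""
    plaintext = b"constructed sample file contents"   # constructed input
    key = bytes(range(16))                            # constructed key
    store = {}
    inode = publish_current(key, plaintext, store)
    inode_h = publish_hmac(key, plaintext, store)
    try:
        fetch_hmac(inode_h, tamper(key), store)
        hmac_detects = False
    except ValueError:
        hmac_detects = True
    return {
        "current_right_key_ok": fetch_current(inode, key, store) == plaintext,
        # Wrong key is accepted and returns garbage with no error:
        "current_wrong_key_undetected":
            fetch_current(inode, tamper(key), store) != plaintext,
        "hmac_right_key_ok": fetch_hmac(inode_h, key, store) == plaintext,
        "hmac_wrong_key_detected": hmac_detects,
    }


if __name__ == "__main__":
    print(split_mnet_uri("mnet:38ppp56jbb8b64zrh8reoadzgn1zpdxc76enkmqduwtf4tug"))
    print(demo())
```

The napkin scenario from the message is the `tamper` call: the inodeId 
reaches the recipient intact, only the key bytes are altered.  In the 
first design the fetched ciphertext still verifies against the inodeId and 
decryption proceeds with no error; in the second the inodeId itself no 
longer matches the HMAC computed under the altered key, so the fetch fails 
before any plaintext is produced.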


