Self Encryption on the SAFE Network


@janeannford My motive is to help the best crypto get in this project. I did get a little annoyed when I wrote the “straw man” post because @dirvine did not address my concerns and instead addressed what were to me straw men. It may have been the result of a misunderstanding, though. I did try to lay my emotions aside, but some may have leaked.

LOL :smile:

Anyways, I don’t understand the XOR part enough to give you a specific example of an attack on it. What I’m saying is that we’ve both agreed that, without the XOR, the scheme is insecure. So, the XOR is providing security. So, there are two points of failure: an attack on AES or an attack on the XOR part.

I wouldn’t mind the XOR so much if it really was just fluff – that is, if it was attacked, then an attacker would still have to attack AES. That is not the case – if an attack breaks XOR, there is an attack that bypasses AES.

At a higher level, why have an XOR step? If one is worried about AES being broken, why not encrypt using a different cipher as well? To choose the XOR over that, one would have to claim that the XOR process (for which I don’t see public peer-review) is more secure than that other cipher (many of these with peer-review exist).


Don’t worry, thanks for trying to not attack, but there is a load of explanations about this and then the code, it’s 100% what we do and very easy to read now.

No we are not (sorry), without XOR etc. it’s convergent encryption with AES. You really need to take that up with convergent encryption papers and those who have created it etc. Take this paper as a start in explaining it. If you check who is using this like Tahoe-LAFS etc. which is also open source, you can also ask there why it’s secure. I think there is a ton of info out there to start with.

The XOR step is a non algorithmic cipher obfuscation step, you need to say why this is insecure, it turns the problem from breaking an algorithm to a guess alone.

You cannot break XOR, it’s a very simple logic operation. You can break XORED info if you know two parts of it or one and guess the other (see perfect secrecy or OTP), it’s described in many places. The link I provided on XOR networking explains it.

So let’s start with a definite position. Do you believe convergent encryption is fundamentally broken? (check the references) Look at the attacks on it then look back at what we do. :smiley:


More reading!


No – I don’t think it’s fundamentally broken (aside from confirmation attacks). I’m actually advocating that you follow convergent encryption more closely. In fact, it’s because you stray from convergent encryption that there is a simple attack on the scheme (without the XOR part) that we agreed on a while back:

To which you responded:

If the scheme used H(c_i) to encrypt c_i (instead of using hashes of surrounding blocks), then it would be convergent encryption as described in your link (and it would not suffer from the proposed attack).


While maybe don’t ignore this; though it is trying to capture your attention to just only this.


I agree and I am trying hard to agree to a bent (very bent) version of the algorithm to help you explore. I do not believe where in the file the hash is taken for convergent encryption makes any difference at all as you suggest. You were making the point if you had a bit of the file (somehow) and could know what other part would be computed next, even if you can you do not know the output hash so need to find that. It’s a huge put down your gun and now try and shoot me type thing.

I can see I should not allow the conversations we have in the office be had on a forum, it is easy for us in house to say stuff like imagine we can break AES, imagine we know your MAID ID, imagine we are over your shoulder etc. it is necessary to help find attacks. But as you use this mechanism in a forum like this, then you can see folks (not many) saying see see it’s all broken. If I am saying take away any parts of the system I am saying it won’t work (the system), but proceed with the analysis. Not anything else.

Perhaps it’s best if you can get to somewhere that you understand completely what we have done and then you will be in the position of the peer reviewers that have taken part. You cannot ask somebody to remove stuff from a system then act in that manner. If we remove XOR then the attacks in convergent encryption apply, I gave you the link to show that. It does not mean convergent encryption is broken, every encryption cipher has attacks, it’s essential to analyse them.

You are saying remove XOR - see I can attack it and then say XOR is fluff, so what is it? I think you are being extremely biased and very unscientific here, while demanding formal proofs which all together seem to make no sense.


Actually, the attack only works on this specific scheme of convergent encryption (i.e., self encryption), not the one you gave in the StorageSS paper or the wiki link (i.e., use hash of c_i to encrypt c_i). Why not use their method to reduce your attack surface and not have to rely on the XOR to prevent known attacks?

(And note: this attack is many times easier than breaking AES or getting physical access to a machine.)


Ok then I will send you a chunk and you can tell me what the content is. That’s half the job done for you, you will have the actual post encryption hash then. Then you can prove all the cryptographers wrong :smiley: You will be famous!


I already described how to attack the scheme without the XOR and how to make it stronger by just following what your 3rd party links are saying. What do you have to say to that?


I am looking forward to your formal proof and of course you actually providing an attack. Show how hashing part of a file is less secure than the whole (or is it?). Perhaps break a chunk, or show your workings on where SHA breaks down and is not secure across an address range. Perhaps a wee bit of code to prove it, shouldn’t be hard to write. The conversation needs to end here until you do some research.


What? We’ve agreed 2 times now that the scheme without the XOR is not secure because of the attack I showed.


@joas How is that agreeing? The first time was a misinterpretation of @dirvine’s responses, clearly. Where is the second time he agreed. He uses the words “I agree” but not in that sense, so I think again you are misinterpreting. He has though challenged you to present an attack more than once.

David is incredibly busy, and I hope will now feel able to get back to other tasks. It’s very difficult to have discussions of merit on this kind of stuff unless both parties have done their research, and that means you! If you really believe what you say, you need to demonstrate it and not keep asking others to disprove it.


Now I’m confused.

A long while back I made this post (which describes an attack):

And he replied:

(emphasis mine).

What exactly did I misinterpret about our agreeing?


This is classic attention deviation: (the final arguments in the post contain conclusion)

@joas having no consideration for technical aspects of the concern, and also by this individual’s not allocating personal resource to prove his arguments, then this is calling to action others to do what could be futile and a waste of time; thus,

So just wait and see whoever you are @Joas or mobilize yourself and show everyone;

@dirvine is already on his way to showing and proving… so this conversation and

@joas call to action is not valuable in any way shape or form;

Conclusively, it is useless to foster continued discussion about this, and fueling additional replies to this technique of diverting attention.

Any further replies by @joas will be only calling to action further futility since they do not contain a proof of claims

Additionally, further communication with @joas will simply illuminate criteria, and criteria is required for a psychology attacker to continue onslaught.

My just typing these things is adding criteria, so I suggest further communication be ceased.

No reason to like this post either,


I’m guessing that you missed that or think it is not formal enough?

Anyways, here is a formal description of an attack on the scheme without the XOR:

  1. To summarize the encryption process, a chunk c_i is encrypted as follows: e_i = E_{H(c_{i-1} ++ c_{i+1})}(c_i), for all i. E and H are publicly known block ciphers and hash functions respectively (AES and SHA, I believe).
  2. The attack proceeds as follows:
     • For some j, the attacker wants to decrypt e_j but only has e_j, c_{j-1} and c_{j+1} (we’re assuming a known plaintext attack, but in certain circumstances, it might not even be needed). That is, the attacker knows the neighboring plaintexts, but not that of the one he wants.
     • Attacker computes E^{-1}_{H(c_{j-1} ++ c_{j+1})}(e_j) = c_j, and retrieves the plaintext for e_j.
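
The key-derivation difference argued over in this thread, as an added example that is not part of the original post and is not the project's self-encryption code: it keys one chunk from its neighbours, as in the formal description above, and from the chunk's own hash, as in the convergent-encryption variant mentioned earlier, with the XOR step left out as the post stipulates. Assumptions: `E` is a SHA-256 counter-mode stand-in for AES, chunk indices wrap around at the ends, and the sample chunks are constructed.

```python
import hashlib

def H(data: bytes) -> bytes:
    """Hash function H from the post (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()

def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for the block cipher E (NOT AES): SHA-256 in counter mode.
    It is its own inverse, so E(key, E(key, m)) == m."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = H(key + off.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_neighbour_keyed(chunks):
    """e_i = E_{H(c_{i-1} ++ c_{i+1})}(c_i); wrap-around at the ends is assumed."""
    n = len(chunks)
    return [E(H(chunks[(i - 1) % n] + chunks[(i + 1) % n]), c)
            for i, c in enumerate(chunks)]

def encrypt_convergent(chunks):
    """e_i = E_{H(c_i)}(c_i): the key depends only on the chunk itself."""
    return [E(H(c), c) for c in chunks]

def decrypt_with_neighbours(e_j, c_prev, c_next):
    """Step 2 of the post: apply E^{-1} under the key H(c_{j-1} ++ c_{j+1})."""
    return E(H(c_prev + c_next), e_j)

# Constructed sample: the middle chunk is the only one not known in advance.
CHUNKS = [b"public header v1", b"account=4471 pin=9023", b"public footer v1"]
J = 1

def demo():
    """Try the neighbour-derived key against both key-derivation variants."""
    weak = encrypt_neighbour_keyed(CHUNKS)
    conv = encrypt_convergent(CHUNKS)
    from_weak = decrypt_with_neighbours(weak[J], CHUNKS[J - 1], CHUNKS[J + 1])
    from_conv = decrypt_with_neighbours(conv[J], CHUNKS[J - 1], CHUNKS[J + 1])
    return from_weak, from_conv

if __name__ == "__main__":
    from_weak, from_conv = demo()
    print("neighbour-keyed chunk recovered:", from_weak == CHUNKS[J])
    print("convergent chunk recovered:     ", from_conv == CHUNKS[J])
```

With the key taken from H(c_i), knowing the neighbouring plaintexts gives no key material for c_i; what remains is the confirmation attack already acknowledged in the thread.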


@joas time to put up or shut up as they say. We’ve spent enough time responding to your points and you are just rehashing the same position without, as @dallyshalla points out, putting your own effort in, when clearly that is the most effective action you could take for your own stated purpose of making the system as secure as possible. @dirvine has already established the voraciousness of the method and the code through reviews by experts. Before you can expect to challenge that you need to have something more to offer than constant questions for others.


This is getting ridiculous. This attack was my own effort. I also proposed a simple change to defend against this attack. I can’t see what else to do or show.

Then (after already agreeing that my attack sketch worked), everyone wants a formal attack description. I just gave one. Now you’re complaining that I gave a formal attack description and I’m “rehashing” previous points – instead of actually addressing the attack or the proposal to defend against it.


You described what you say is an attack, but David disagrees and says the algorithm is secure against that, and that he believes this is sound because it has been corroborated. There is nothing for “us” to defend against, so it’s down to you to show you do in fact have a valid attack.


This is going in circles. At this point, there are two options:

  1. The attack formalization has an error. Please let me know where that is.
  2. The attack formalization is correct. If so, let’s proceed to talk about the algorithm as a whole.


Once again @dirvine and his enormous ego lay down the law for us.

Down with this sort of thing!!!

Anyone with any inkling of musical knowledge knows “Six Days on the Road” is the only trucking song anyone ever needs.
I’m out of here if this man @dirvine and his ego are not brought under control. :slight_smile: