
Mathematics or metal?

Relying on hardware tamper resistance may be undesirable. Firstly, it is relative, and erodes over time; secondly, export controls would slow down the spread of the system; and, thirdly, special purpose low-volume hardware can be expensive. Now it is often the case that security properties can be provided using mathematics rather than metal. Can we use mathematics to build the eternity service?

Protecting the location of file copies means that location information must be inaccessible to every individual user, and indeed to every coercible subset of users. Our goal here is to use techniques such as threshold decryption and Byzantine fault tolerance, as implemented in Rampart [Rei94].

Byzantine fault tolerance means, for example, that with seven copies of the data we can resist a conspiracy of any two bad sysadmins, or the accidental destruction of four systems, and still make a complete recovery. Using Byzantine mechanisms alone, incomplete recovery would be possible after the destruction of up to six systems, but then there would be no guarantee of integrity (as such a 'recovery' could be made by a bad sysadmin from bogus data).
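The counting argument behind these figures can be checked with a short sketch. This is an added example, not code from the paper or from Rampart; the names `recover` and `scenario` and the sample file contents are constructed for illustration, and it models only the vote over surviving copies, not an agreement protocol.

```python
import hashlib
from collections import Counter

N_COPIES = 7   # replicas, as in the text's example
F_BAD = 2      # colluding sysadmins to tolerate (7 = 3*2 + 1)

GOOD = b"constructed sample file"    # constructed sample data
BOGUS = b"constructed forged file"   # what colluding sites would serve

def recover(surviving, f=F_BAD):
    """Return (data, status) from the copies that could still be fetched.

    'complete'   : at least f+1 copies agree, so at least one of them
                   came from an honest site and the value is trustworthy.
    'unverified' : copies exist but none has f+1 votes; this is the
                   incomplete recovery with no integrity guarantee.
    'lost'       : nothing survived.
    """
    if not surviving:
        return None, "lost"
    votes = Counter(hashlib.sha256(c).digest() for c in surviving)
    digest, count = votes.most_common(1)[0]
    data = next(c for c in surviving if hashlib.sha256(c).digest() == digest)
    return data, ("complete" if count >= f + 1 else "unverified")

def scenario(destroyed, bad, n=N_COPIES):
    """Surviving copies when `destroyed` sites are gone and `bad` sites forge."""
    honest = n - destroyed - bad
    return [BOGUS] * bad + [GOOD] * honest

if __name__ == "__main__":
    for destroyed, bad in [(0, 2), (4, 0), (4, 2), (6, 0), (6, 1)]:
        data, status = recover(scenario(destroyed, bad))
        print(f"destroyed={destroyed} bad={bad}: {status}, good={data == GOOD}")
```

With four sites destroyed and two of the remaining three colluding, no value reaches three votes, which shows that the two tolerances in the text are alternatives rather than a combined guarantee.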

There are some interesting interactions with cryptography. If all files are signed using a system key, then a full recovery can still be made so long as there is just one surviving true copy of the file in the system, and the public key is not subverted. Of course, it is rare to get something for nothing, and we must then make it hard to compromise the signing key (and feasible to recover from such a compromise).

We will need to provide for in-service upgrades of the cryptographic mechanisms: progress in both cryptanalysis and computer engineering may force the adoption of new signature schemes, or of longer keylengths for existing ones. We will also need to recover from the compromise of any key in the system.

Users may also want to use cryptography to add privacy properties to their files. In order to prevent a number of attacks (such as selective service denial at retrieve time) and complications (such as resilient management of authentication), the eternity service will not identify users. Thus it cannot provide confidentiality; it will be up to users to encrypt data if they wish and are able. Of course, many users will select encryption schemes which are weak, or which become vulnerable over time; and it may be hoped that this will make governments less ill-disposed towards the service.



Ross Anderson
Tue Jun 17 15:08:09 BST 1997