科技回声

9 条评论

pvg2 个月前

Less pdfblobby blog post <a href="https://www.daemonology.net/blog/2025-03-21-Chunking-attacks-on-Tarsnap.html" rel="nofollow">https://www.daemonology.net/blog/2025-03-21-Chunking-attacks...</a>

评论 #43438957 未加载

评论 #43441144 未加载

dchest2 个月前

This is great, thank you! This was on my wishlist for a few years:<a href="https://www.reddit.com/r/crypto/comments/7imejm/monthly_cryptography_wishlist_thread_december_2017/dr00e10/" rel="nofollow">https://www.reddit.com/r/crypto/comments/7imejm/monthly_cryp...</a>I've tried to take a stab at this problem, but was not sure if it worked at all:<a href="https://gist.github.com/dchest/50d52015939a5772497815dcd33a7983" rel="nofollow">https://gist.github.com/dchest/50d52015939a5772497815dcd33a7...</a>It's a modified BuzHash with the following changes:- Substitution table is pseudorandomly permuted (NB: like Borg).- Initial 32-bit state is derived from key.- Window size slightly varies depending on key (by ~1/4).- Digest is scrambled with a 32-bit block cipher.I also proposed adding (unspecified) padding before encrypting chunks to further complicate discovering their plaintext lengths. Glad to see I was on the right track :)

mananaysiempre2 个月前

> I'm also exploring possibilities for making the chunking provably secure.Seems like that’s possible[1] to do in a fairly straightforward manner, the question is if you can do this without computing a PRF for each byte.[1] Obviously you’re always going to leak the total data size and the approximate size of new data per each transfer.

评论 #43440100 未加载

masfuerte2 个月前

Could this be mitigated by randomising the block upload order?A fresh backup will be uploading thousands of blocks. You don't want to create all the blocks before uploading, but a buffer of a hundred might be enough?

评论 #43440080 未加载

0cf8612b2e1e2 个月前

Having not read the paper, does this impact Restic or Borg which encrypt chunks?

评论 #43439791 未加载

评论 #43440124 未加载

amarshall2 个月前

My reading is that the primary vector is based on the size of the chunks (due to deterministic chunking and length-preserving encryption). Would padding chunks with random-length data (prior to encryption) help mitigate this at the cost of additional storage (and complexity)?

评论 #43442762 未加载

评论 #43448259 未加载

jszymborski2 个月前

Would SipHash be too slow? I think it would help mitigate the problem since you can key it to prevent known-plaintext attacks, right?EDIT: or maybe this keyed rolling hash <a href="https://crypto.stackexchange.com/questions/16082/cryptographically-secure-keyed-rolling-hash-function" rel="nofollow">https://crypto.stackexchange.com/questions/16082/cryptograph...</a>

ThomasWaldmann2 个月前

borg discussion + wiki page:<a href="https://github.com/borgbackup/borg/discussions/8694" rel="nofollow">https://github.com/borgbackup/borg/discussions/8694</a>

pbsd2 个月前

In page 10, should the ring R be GF(2)[X]/(X^32-1) and the map p be from {0,1}^{32} to R?

评论 #43446622 未加载

9 条评论

pvg2 个月前

Less pdfblobby blog post <a href="https://www.daemonology.net/blog/2025-03-21-Chunking-attacks-on-Tarsnap.html" rel="nofollow">https://www.daemonology.net/blog/2025-03-21-Chunking-attacks...</a>

评论 #43438957 未加载

评论 #43441144 未加载

dchest2 个月前

mananaysiempre2 个月前

评论 #43440100 未加载

masfuerte2 个月前

评论 #43440080 未加载

0cf8612b2e1e2 个月前

Having not read the paper, does this impact Restic or Borg which encrypt chunks?

评论 #43439791 未加载

评论 #43440124 未加载

amarshall2 个月前

评论 #43442762 未加载

评论 #43448259 未加载

jszymborski2 个月前

ThomasWaldmann2 个月前

borg discussion + wiki page:<a href="https://github.com/borgbackup/borg/discussions/8694" rel="nofollow">https://github.com/borgbackup/borg/discussions/8694</a>

pbsd2 个月前

In page 10, should the ring R be GF(2)[X]/(X^32-1) and the map p be from {0,1}^{32} to R?

评论 #43446622 未加载

Chunking Attacks on File Backup Services Using Content-Deﬁned Chunking [pdf]

9 条评论

Chunking Attacks on File Backup Services Using Content-Deﬁned Chunking [pdf]

9 条评论