Slashdot Mirror

← Back to Stories (view on slashdot.org)

Making Data Unvanish

Posted by kdawson on from the sybil-attack dept.

sertsa writes "Earlier this year a group of researchers at the University of Washington came up with a scheme to use peer-to-peer networks to store and, ultimately, to forget the keys for encrypted messages, causing them to 'Vanish.' Now a group from researchers from UT Austin, Princeton, and the University of Michigan has come up with a way to break this approach, by making a single computer appear to be many nodes on the p2p network. 'In our experiments with Unvanish, we have shown that it is possible to make Vanish messages reappear long after they should have disappeared nearly 100 percent of the time...'"

34 comments

  1. Vanishing is impossible to get by sopssa · · Score: 5, Insightful

    In my opinion Vanish didn't really serve any purpose.

    - As we all know (and what MPAA/RIIA hate), once you've got hold of the data you cannot "vanish" it. It's really easy to save a copy of it.
    - If you wanted encryption with public/private keys, theres PGP and other solutions to do it.

    So the only thing Vanish added was the impossible-to-archieve vanishing of data.

    Along with that it distributes your secret content all over the p2p network, where one machine can act as thousands of clients like to article says. I'd rather skip that and send the message directly and tell the other party to delete it, because vanishing doens't work if both parties dont do it.

    1. Re:Vanishing is impossible to get by Intron · · Score: 2, Funny

      archieve (v) To successfully complete an archive.
                    (n) Veronica's boyfriend who works at Legato.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:Vanishing is impossible to get by Anonymous Coward · · Score: 0

      I'm guessing you didn't RTFA, or did not quite understand.

      The vanish technique DOES encrypt data, but distributes the KEY over a p2p network. This does not mean redundant copies of the key, but the fragments of the key being spread around.

      So no one else has your secret data except you and the recipient (and any snoopers, but they would be there anyway).

    3. Re:Vanishing is impossible to get by Nein+Volts · · Score: 0

      No purpose?? What would happen if you went about this backwards and appeared to be thousands of peers with partial information to someone sniffing about? Just a thought..

  2. MKing? by eldavojohn · · Score: 1, Funny

    Now a group from researchers from UT Austin, Princeton, and U Michigan has come up with a way to break this approach, by mking a single computer appear to be many nodes

    I've performed similar procedures. The last time I mortal kombatted my computer, it became several pieces on my floor.

    --
    My work here is dung.
    1. Re:MKing? by Anonymous Coward · · Score: 0

      That was a really poor attempt to be funneh.

  3. Sparring by spydabyte · · Score: 4, Interesting
    They certainly are sparring, see the University of Washington response:

    Update, 9/20/2009: Other researchers have recently discovered a vulnerability in our original Vanish research prototype. Their work shows that the Vuze DHT on which we built the original prototype did not provide sufficient security properties, and that there are therefore attacks that can capture Vanish keys. We released a revised prototype on September 20, 2009. This revised prototype, which distributes keys across both the Vuze DHT and OpenDHT, invalidates this attack. In addition, we are working to further strengthen Vanish from two angles: (1) by hardening the underlying DHT for Vanish-like purposes and (2) by modifying applications to make more intelligent use of DHTs. Please see our new technical report for additional information about the currently known attacks and our defenses. Due to the complexity of the systems we are relying upon, we would like to strengthen our advice that users should be cautious if they want to use Vanish. At this point, Vanish should only be used for experimental purposes. We do encourage researchers, however, to analyze it and improve upon it.

    1. Re:Sparring by sopssa · · Score: 2, Interesting

      We released a revised prototype on September 20, 2009. This revised prototype, which distributes keys across both the Vuze DHT and OpenDHT, invalidates this attack.

      But does this *really* invalidate this type of attack? It seems it just adds another p2p protocol on it, and it would still be as vulnerable as before. Only difference seems to be that the current tool just doesn't work at the moment. Approach would still be the same.

    2. Re:Sparring by vlm · · Score: 3, Interesting

      But does this *really* invalidate this type of attack? It seems it just adds another p2p protocol on it, and it would still be as vulnerable as before. Only difference seems to be that the current tool just doesn't work at the moment. Approach would still be the same.

      I think the UW folks are reading slashdot and editing their page as we speak. The page now includes the quote:

      This revised prototype, which distributes keys across both the Vuze DHT and OpenDHT, invalidates this attack. This is because OpenDHT has a closed-access model as opposed to an open-access model like Vuze, which is what drives the current attack. In addition, we are working to further strengthen Vanish from two angles:

      So, Vanish people, I know you're listening, please respond to my being unclear how a closed-access model prevents the attack as opposed to just makes it a wee bit harder for small weak opponents, not so much impact to bigger ones.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:Sparring by Anonymous Coward · · Score: 0

      Good to hear. A major problem with stuff like that is that you get too involved in how well-designed your solution is and have trouble looking for flaws objectively.

    4. Re:Sparring by Anonymous Coward · · Score: 0

      Sybil attacks are well known. They do not indicate a fundamental weakness in the Vanish scheme, but rather the underlying p2p networks. This "attack" does not invalidate the concepts proposed in the original work.

    5. Re:Sparring by KDR_11k · · Score: 1

      This is because OpenDHT has a closed-access model as opposed to an open-access model like Vuze

      Sounds kinda ironic.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  4. Possible! by Anonymous Coward · · Score: 1, Insightful

    Vanish is possible with something like a web service which simply sends back the decrypted data.
    However, the decryption key would have to stored only in memory and strictly deleted when done.

    Vanish is completely worthless though because when I have the decrypted data I can do what I want with it.

    1. Re:Possible! by postbigbang · · Score: 1

      Then you extract the DDR2 sticks from the server, their little hearts beating still, and read the damn key. Then you let them die on the table, the key now intact, somewhere else.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Possible! by Anonymous Coward · · Score: 0

      This would imply it wasn't deleted.

    3. Re:Possible! by postbigbang · · Score: 1

      And if it were, it would still be on the physical memory.

      --
      ---- Teach Peace. It's Cheaper Than War.
    4. Re:Possible! by Anonymous Coward · · Score: 0

      (+5 "Everybody should know this but probably doesn't and never will")

  5. Like DRM by bzzfzz · · Score: 5, Insightful

    Any kind of security system that provides a limited lifetime or constrained redistribution rights for messages is, fundamentally, DRM. Therefore, it's subject to the same kinds of attacks that cause DRM to fail. Ultimately, unless you can build a trusted platform module with remote attestation that is tamper proof, there are gaps. This particular attack is, at a more abstract level, really about producing counterfeit trusted nodes. Without a TPM at each node and some way to authenticate independence through a trust hierarchy, there's no way for this to work.

  6. What is the goal of Vanish? by immakiku · · Score: 1

    From original article:

    It is technically possible to save information sent with Vanish. A recipient could print e-mail and save it, or cut and paste unencrypted text into a word-processing document, or photograph an unscrambled message. Vanish is meant to protect communication between two trusted parties, researchers say.

    The stated goal doesn't mesh well with what Vanish actually does. If the communication is happening between two trusted parties, each party can trust the other to delete the information within a given time-frame.

    It sounds more like distributing trust among multiple nodes, so that any of the nodes can destroy the information at will. I believe this has idea has been done before, and this sounds like a variation on a theme. Or perhaps this is not exploiting any new property of math, but rather drafting a protocol upon it for a given purpose (destroying information after time)

    1. Re:What is the goal of Vanish? by Narpak · · Score: 1

      Vanish is meant to protect communication between two trusted parties, researchers say.

      I guess it all comes down to what more important. If you want convenience then you're always limiting your level of security. So far there are very few ways to send encrypted messages over the internet that can not be intercepted and decrypted by someone who are truly dedicated (and funded) to do that.

      If two parties want to communicate and value security above convenience then I would recommend One-Time Pads.

      --
      The Long Now Foundation
    2. Re:What is the goal of Vanish? by Monkeedude1212 · · Score: 0

      It DOES do what its goal is. The idea is that you are sending something over the cloud, or a P2P networking system. Any number of hackers, Crackers, sniffers or whatever could tap in and get your data. So we designed Encryption, take that Hackers! Problem is, hackers are finding ways to break through encryption mainly by, finding the key which is usually transfered somewhere attached to the encrypted message, or even sent through a seperate protocol.

      What Vanish does it take the Encrypted message, and send it. The key is then dispersed amongst A whole lot of computers in the Cloud, so no one computer has the whole key. When the trusted reciever wants to decrypt, they've got to go through Vanish and get the whole key. Vanish sets it up so that parts of the key will delete itself over time, thus destroying the message after a certain point. So even if someone managed to find half of the key in a day by hacking the P2P system and searching through all the computers for the key its looking for, it might not be quick enough and the rest of the key will be lost.

      What the researchers are saying is that using their new system they set up, the Keys aren't being destroyed. Whenever one computer gets a part of the Key, it stores it. Then because its masquerading as a large number of PC's, it will eventually get many parts of that key, and voila, it has the whole key, stored on that computer.

      Vanish is saying that they're adding complexity by making Vanish use different file sharing networks - but UnVanish is claiming that while it makes the attack a little more expensive - it doesn't change the fundamental flaw that the key can still be found this way.

    3. Re:What is the goal of Vanish? by vlm · · Score: 1

      Pretty good, except for thinking "the key" must be the little bit of key data stored by the vanish system.

      What you could do, is concatenate your "real" secret key, maybe just some low entropy english text like "I love cowboy neal" with the Vanish key. Then feed that thru a nice oneway hash. Then use the hashed value as the encryption key.

      Probably your crypto algorithm can tolerate a key that is predictable dictionary english text. Maybe not. If not, now you have an interesting way to distribute a unique salt with each encrypted file. Interesting in that the salt value MIGHT disappear permanently. Maybe.

      It won't be less secure than just putting the salt value in the subject line of the email. But, having it disappear MIGHT improve security.

      I have no idea if Vanish does this, but it seems like an obvious next step to consider. I only put about 5 minutes thought into it, so maybe it won't work. But the idea of an attempt at a disappearing salt is fun idea to think about.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:What is the goal of Vanish? by supersat · · Score: 1

      The stated goal doesn't mesh well with what Vanish actually does. If the communication is happening between two trusted parties, each party can trust the other to delete the information within a given time-frame.

      The problem isn't with the trusted parties, but with the intermediaries. For example, if you send someone an encrypted email through GMail, even if the recipient deletes the data, Google might keep a backup. The recipient could then be compelled to produce the key.

      Disclaimer: I'm in the same research group that produced Vanish, but I am not part of the project.

  7. Who'dve thought it? by julesh · · Score: 2, Funny

    A DRM scheme that doesn't work? That's totally amazing.

  8. Orange book... by NCamero · · Score: 3, Informative

    Orange book:

    A-
    You are are a single communication construct. No one outside the circle of trust has any idea what is communicated.

    B-
    You are in a network (circle) of trust. moving data to each other is logged, and allowed/censored.

    C-
    A typical LAN with verifiable security.

    D-
    The internet, a net work of networks. Data can 'vanish', as a function of time/money spent on keeping the data stored.

    Read the data security handbook summarized:
    http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

  9. Freenet by westlake · · Score: 1, Interesting

    Now a group...has come up with a way to break this approach, by making a single computer

    I have often wondered if Freenet would be vulnerable to such an attack.

    Freenet needs the super-user with generous amounts of storage and bandwidth.

    Which its well-funded adversaries can provide in spades. Thousands of nodes. Tens of thousands of nodes. Hundreds...

    It seems that sooner or later they would be capturing enough of the traffic to begin putting the pieces together - or sending them into the void.

    1. Re:Freenet by sowth · · Score: 1

      Which is likely why they started suggesting people use it as a darknet--connect only to people / nodes you know.

    2. Re:Freenet by DMUTPeregrine · · Score: 1

      Hmm, discussion of that can't possibly be in the Freenet FAQ.

      --
      Not a sentence!
    3. Re:Freenet by westlake · · Score: 1

      Which is likely why they started suggesting people use it as a darknet--connect only to people / nodes you know.

      But how well do you know them - and how far can you trust them? It strikes me that with each node the "web of trust" becomes more fragile.

      If I know from other sources that A, B and C are as thick as thieves and that C, E and F are much the same - then perhaps the darknet is not so very dark at all.

  10. Sybil! by Anonymous Coward · · Score: 1, Insightful

    Unmodified Kademlia is vulnerable to Sybil attacks. *yawn* We kind of already knew that. There are various mitigations you can put in place. For example, if you've got the same IP address appearing twice in the routing tables, you have a major problem.

    That doesn't mean that I think the general idea of Vanish is a sound one - it's rather silly, and a trusted client problem like all DRM techniques to which it is a close analog, so it's doomed from the start to some extent. All you have to do to defeat it is log the keys, which is completely undetectable and provides no disadvantage to you. And the advantage of a logging node is clearly and immediately obvious, so if it ever became "real", it's a game everyone would cheat in.

    A nice toy, but a thoroughly pointless construct.

  11. emo by jDeepbeep · · Score: 1

    I've performed similar procedures. The last time I mortal kombatted my computer, it became several pieces on my floor.

    A computer once beat me at chess, but it was no match for me at kick boxing.
    --Emo Philips

    --
    Reply to That ||
  12. Obvious attack by gweihir · · Score: 1

    Most P2P anonymity/privacy only works if a majority of the nodes is honest. The obvious way to attack is therefore to sumulate a lot of noted on one phycical node. Any sane system therefore contains detection for this attack. Incidentially, this knowledge is at least half a decade old. Seems to me some people did not do their literature search.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. proportional trust by Anonymous Coward · · Score: 0

    it would be interesting to use some other metric, like computing a work unit (could make it very expensive to masquerade many nodes).

    or even linking it to something in RL, difficult but possible. say you could use some metric from their facebook account? anyway by having some measure of how certain you are of their authenticity, and their different neighbours, which might have varying levels of relative trust; you could store a proportional amount of the key with them.

    one interesting consideration is this could be quite asymmetric, you might trust them more than they trust you? and it may not observe transitive properties ect.

    has this been done?

  14. How did the axiom go? by Arancaytar · · Score: 1

    "There is no security model that protects against a scenario where the intended recipient is the attacker" or something?

    Plausible deniability has at least been achieved with OTR, but for DRM this concept remains as valid as ever.

    Unless computer chips come sealed in tamper-proof self-destructive foam, and opening a computer case or building circuit boards without authorization is declared a felony. I suppose that could work... for a while.