
Re: Does anyone want key-resistant tamper-evident archives?



I would certainly welcome this feature.

In a different domain - I have a similar scenario. There, I solved it by tying the hash of the public key to the content that is signed+encrypted. This way, whenever a blob is decrypted (or verified), the pubkey-hash in the blob is compared to the hash of the public key used for decryption.
--
Sudhi



Colin Percival wrote:
Hi all,

Tarsnap is designed to detect if your data is modified: Archives are
cryptographically signed, and the signatures are verified before any
data is extracted.  However, this depends on the integrity of the key:
If someone has your delete and write keys, they could delete an archive
and create a new one with the same name, and (since they have the keys)
it would cryptographically validate.

It occurs to me that we could have a stronger unforgeability property
via out-of-band (non-cryptographic) verification of the archive metadata
hash; even with the keys, it would be impossible to create a different
archive which has the same hash (unless you find a SHA256 collision).  In
addition to the "stolen keys" scenario, this could be useful if you need
to prove (e.g., for auditing or legal purposes) that *you* haven't changed
an archive since the time when you created it.

Is anyone interested in having this functionality?  It seems like too
obscure a use case to write code for if nobody wants it yet, but if there's
a demand then it's definitely doable.
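
The out-of-band metadata-hash check proposed in the quoted message, as an added example that is not part of the thread and is not Tarsnap code. It assumes HMAC-SHA256 as a stand-in for the archive signature, a made-up metadata layout, and hypothetical names (`sign`, `verify`, `pins`); all sample values are constructed.

```python
import hashlib
import hmac


def sign(key: bytes, metadata: bytes) -> bytes:
    # Stand-in for the archive signature (assumption: HMAC-SHA256, not Tarsnap's scheme).
    return hmac.new(key, metadata, hashlib.sha256).digest()


def metadata_hash(metadata: bytes) -> str:
    # The value recorded out-of-band when the archive is created.
    return hashlib.sha256(metadata).hexdigest()


def verify(key: bytes, name: str, metadata: bytes, tag: bytes, pins: dict) -> str:
    """Return 'bad-signature', 'unpinned', 'replaced' or 'ok'."""
    # Step 1: the ordinary keyed check. Anyone holding the key passes this.
    if not hmac.compare_digest(sign(key, metadata), tag):
        return "bad-signature"
    # Step 2: the keyless check against the hash kept outside the archive store.
    pinned = pins.get(name)
    if pinned is None:
        return "unpinned"
    if not hmac.compare_digest(pinned, metadata_hash(metadata)):
        return "replaced"  # validly signed, but not the archive that was recorded
    return "ok"


def demo():
    key = b"constructed-write-key"  # constructed sample key
    original = b"name=backup-2024;files=3;root=aa11"  # constructed metadata
    # Recorded at creation time and stored away from the keys (paper, audit log, ...).
    pins = {"backup-2024": metadata_hash(original)}
    # Same archive name, different contents, signed with the same (stolen) key.
    replacement = b"name=backup-2024;files=3;root=ff99"
    return (
        verify(key, "backup-2024", original, sign(key, original), pins),
        verify(key, "backup-2024", replacement, sign(key, replacement), pins),
        verify(key, "backup-2024", replacement, sign(b"other-key", replacement), pins),
    )


if __name__ == "__main__":
    print(demo())
```

The second result is the case the message describes: the signature validates because the key is correct, and only the recorded hash shows that the archive was swapped.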