Re: Does anyone want key-resistant tamper-evident archives?

[Stephen <mailman@tuxcon.com>]

I would be interested in this mainly for the "prove that files have
not been modified" aspect - I'm only not interested in the other
components because my delete + read keys live offline. Otherwise, I
could also see a use-case for that :)

On Wed, 07 Sep 2016, Colin Percival wrote:

> Hi all,
> 
> Tarsnap is designed to detect if your data is modified: Archives are
> cryptographically signed, and the signatures are verified before any
> data is extracted.  However, this depends on the integrity of the key:
> If someone has your delete and write keys, they could delete an archive
> and create a new one with the same name, and (since they have the keys)
> it would cryptographically validate.
> 
> It occurs to me that we could have a stronger unforgeability property
> via out-of-band (non-cryptographic) verification of the archive metadata
> hash; even with the keys, it would be impossible to create a different
> archive which has the same hash (unless you find a SHA256 collision).  In
> addition to the "stolen keys" scenario, this could be useful if you need
> to prove (e.g., for auditing or legal purposes) that *you* haven't changed
> an archive since the time when you created it.
> 
> Is anyone interested in having this functionality?  It seems like too
> obscure a use case to write code for if nobody wants it yet, but if there's
> a demand then it's definitely doable.
> 
> -- 
> Colin Percival
> Security Officer Emeritus, FreeBSD | The power to serve
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid