
acmeattic-devel team mailing list archive

Re: Encryption schemes for AcmeAttic

 

The server software is responsible for maintaining the revisions.

   - A request for a certain revision is processed at the server and the
   final file is sent to the client.
   - Similarly, the server periodically needs to perform maintenance on the
   stored revisions, so that it can support operations to discard unwanted
   intermediate revisions. (Like what we discussed already. A file that is more
   than a week old need not have daily revisions stored - these can be merged
   into a single revision for the week).

For the server to process these locally, it should be able to decrypt the
content safely. (These operations can definitely be achieved by transferring
enough data to the client but that is too costly for the network).
If the server is trusted, it can decrypt these files at runtime and store
them in-memory. After finishing with the file, the memory is just freed (or
even erased for the paranoid people).

Also, from the Mercurial documentation, I noticed that it performs different
mechanisms on diff and compression for storing and network transmission -
runtime decisions are made based on what is found (or predicted) to be
optimal.
Re-encryption can also be performed at the server without client/network
involvement.

I have some interesting thoughts and questions myself:

   - Is it possible to verify or sign the authenticity of the server code?
   (So that the client can trust the server)
   - I imagine generating a user's AES key as a hash (SHA256) of his
   password. This could be securely sent to the server per-transaction, and the
   server could handle all its operations and 'forget' the user's AES key.
   - Even during the maintenance operations, it could be client initiated. I
   still do not want the administrator to be able to view *any* file by just
   logging in to the server.

Does this sell the point that trusting the server to some extent is not so
bad?


On Sat, Jul 3, 2010 at 10:10 PM, Aditya Manthramurthy
<aditya.mmy@xxxxxxxxx> wrote:

> Hi all,
>
> As you all know, there are some proposals for encryption on the wiki at
> http://nkarthiks.info/acmeattic/index.php?title=Encryption
>
> Let's continue discussing here.
>
> I didn't quite follow Karthik's way of looking at it, in a trusting way of
> admins to not patch up the server s/w. I think we can start from there.
>
> --Aditya



-- 
Karthik
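
An added example, not part of the original message or of AcmeAttic's code: the key derivation proposed above (SHA256 of the password) next to a salted, iterated derivation, plus a best-effort way for the server to overwrite a per-transaction key after use. The function names, the per-user salts and the iteration count are assumptions made for illustration.

```python
import hashlib
import os
from contextlib import contextmanager

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server hardware


def key_sha256(password: str) -> bytes:
    """Key as described in the message: SHA256(password), 32 bytes for AES-256."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_pbkdf2(password: str, salt: bytes,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated derivation: same 32-byte output, but bound to a salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


@contextmanager
def transaction_key(key: bytes):
    """Hold the key in a mutable buffer for one transaction, then overwrite it.

    Best effort only: the immutable `key` argument and any copies made by a
    cipher library are outside this buffer's control.
    """
    buf = bytearray(key)
    try:
        yield buf
    finally:
        buf[:] = bytes(len(buf))  # zero the buffer in place


def compare_schemes(password: str) -> dict:
    """Derive keys for two hypothetical users who chose the same password."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)  # constructed salts
    key_a = key_pbkdf2(password, salt_a)
    return {
        "sha256_keys_equal": key_sha256(password) == key_sha256(password),
        "pbkdf2_keys_equal": key_a == key_pbkdf2(password, salt_b),
        "pbkdf2_repeatable": key_a == key_pbkdf2(password, salt_a),
    }


if __name__ == "__main__":
    print(compare_schemes("correct horse"))  # constructed sample password
    with transaction_key(key_sha256("correct horse")) as k:
        print("during transaction:", bytes(k).hex()[:16])
    print("after transaction: ", bytes(k).hex()[:16])
```

With a bare hash, two users who share a password share an AES key; with a per-user salt the keys differ, and the salt has to be stored where the client can retrieve it.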
