[messaging] Giving new devices access to old messages

Michael Rogers michael at briarproject.org
Tue May 12 11:23:10 PDT 2015

On 11/05/15 17:00, Trevor Perrin wrote:
> I agree this is straightforward.  It's just two basic ideas:
>  - clients passing around a (symmetric key, hash) that decrypts and
> authenticates some server-stored file
>  - recursively storing (symmetric key, hash) "read-caps" inside
> server-stored files to construct directory trees, so that giving
> someone a single read-cap recursively grants access to a larger number
> of files
> Tahoe explains this well and has a nice term for it.  If there are
> earlier/better examples I'd like to see them.

The earliest system I know of that did something like this was Freenet.

A content hash key (CHK) in Freenet is like a read-cap. It consists of
the hash of a block of ciphertext and a symmetric key for decrypting it.
Nodes storing and forwarding the data only know the hash, not the key.
(Originally the key was derived from the plaintext, so independently
published copies of the same file would produce the same ciphertext, but
I believe that was changed to protect the anonymity of publishers.)

Large files can be represented as hash trees, where the leaf blocks
contain data and the non-leaf blocks contain CHKs for their children.

Mutable directories are implemented using signed subspace keys (SSKs)
based on public/private key pairs. I don't know whether immutable
directories based on CHKs also exist, but in theory they're possible.

Tangler and SFS, from around the same time, had hash-based directory
hierarchies, but I can't remember whether they separated the decryption
key from the hash like Freenet did.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150512/15a95a87/attachment.sig>

More information about the Messaging mailing list