[cap-talk] network level designation and authorization

Mark S. Miller markm at cs.jhu.edu
Thu Jun 8 19:14:19 EDT 2006 

coderman wrote:
> also, in the CatTP parameter descriptions[1] i see mention that a
> nonce "May be guessable, but must not accidentally collide.".
> 
> i have always assumed that the unguessability of nonces was central to
> the security of the capabilities / resources they are used to
> represent (and also why i am so fond of truly random number generators
> in hardware).  is this an oversight or is there some aspect of the
> CatTP protocol which makes high order analysis / statistical attacks
> against the nonces used not a problem?
> 
> thanks again to all for the feedback.
> 
> 1. http://www.erights.org/elib/distrib/captp/types.html


That page describes both the type "Nonce", which is indeed guessable, and the
type "SwissNumber", which must not be guessable. We represent the Nonce as a
64-bit value so no one will mistakenly assume that we need it to be
unguessable. (With a better protocol, 16 bits would probably be adequate.) The
SwissNumber is 128 bits. These are both used by CapTP as described (poorly,
sorry) at <http://www.erights.org/elib/distrib/captp/>. The use we make of the
SwissNumber, for dereferencing SturdyRefs and "captp://..." offline
capabilities, does indeed require it to be unguessable. The use we make of the
Nonce, for online 3-vat introduction, does not require it to be unguessable.

The Nonce-based 3-vat introduction protocol is illustrated in slides 21-33 of
<http://www.cypherpunks.to/erights/talks/thesis/defense.pdf>. It is an
adaptation of Alan Karp's proposed but never implemented Client Utility
introduction protocol. (Adapting this protocol to provide pipelining and
E-Order is novel with E.)

The "provide" message on slide 22 is actually the "provideFor" message of
<http://www.erights.org/elib/distrib/captp/>. The tuple sent to Bob in slide
22, representing the serialization of Alice's reference to Carol, is actually
a Promise3Desc or Far2Desc object of
<http://www.erights.org/elib/distrib/captp/>. The "accept" message of slide 23
is actually the "acceptFrom" message of
<http://www.erights.org/elib/distrib/captp/>.

The nonce can be guessable because the table indexed by this nonce, shown in
slides 28-31, is VatC's table of those capabilities that VatC had made
earlier available to VatA that VatA had instructed VatC to make available to
VatB. If VatB guesses one of these nonces, then he's only able to obtain
access to something he already had a right to access anyway.

If this remains unclear, as it probably does, please ask and I'll try to clarify.

-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM

More information about the cap-talk mailing list