[cap-talk] Why protected capabilities matter
Karp, Alan H
alan.karp at hp.com
Tue Jul 17 18:42:58 EDT 2007
Jed wrote:
>
> If you don't believe so, perhaps you can give me an example of a
> situation where the isomorphism (c-list index <=> encrypted capability
> data) fails. That is, where the descriptor based system can know more,
> can protect more, or whatever.
>
You have substituted unguessability for unforgeability. Although
computationally infeasible, it is technically possible for a program to
compute a set of bits that represent an encrypted capability. There is
no such guessing attack with c-lists. While this appears to be a purely
theoretical difference, the encrypted capability scheme could be
vulnerable to a weakness in the encryption algorithm.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
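
The distinction drawn in the message above, as an added example that is not part of the original post or of any system discussed on the list. It assumes a toy kernel in which an HMAC-tagged token stands in for the encrypted capability, and the one-byte tag is a constructed stand-in for a weakened algorithm; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

class CListKernel:
    """Descriptor style: a process names a capability by index into a kernel-held table."""
    def __init__(self):
        self._clists = {}                      # pid -> list of objects

    def grant(self, pid, obj):
        self._clists.setdefault(pid, []).append(obj)
        return len(self._clists[pid]) - 1      # the index is all the process holds

    def invoke(self, pid, index):
        clist = self._clists.get(pid, [])
        return clist[index] if 0 <= index < len(clist) else None

class SparseKernel:
    """Capability-as-data: the process holds (object, tag) bits; the kernel checks the tag."""
    def __init__(self, tag_bytes):
        self._key = secrets.token_bytes(32)
        self.tag_bytes = tag_bytes             # constructed knob: tag strength

    def _tag(self, obj):
        mac = hmac.new(self._key, obj.encode(), hashlib.sha256).digest()
        return mac[:self.tag_bytes]

    def grant(self, obj):
        return (obj, self._tag(obj))

    def invoke(self, token):
        obj, tag = token
        return obj if hmac.compare_digest(tag, self._tag(obj)) else None

def clist_reachable(kernel, pid, max_index=4096):
    """Every object a process reaches by trying all indices: only what was granted."""
    return {kernel.invoke(pid, i) for i in range(max_index)} - {None}

def sparse_guessable(kernel, obj):
    """True if some bit pattern validates for an object that was never granted."""
    for guess in range(256 ** kernel.tag_bytes):
        tag = guess.to_bytes(kernel.tag_bytes, "big")
        if kernel.invoke((obj, tag)) is not None:
            return True
    return False

if __name__ == "__main__":
    k = CListKernel()
    k.grant(7, "logfile")
    print(clist_reachable(k, 7))
    print(sparse_guessable(SparseKernel(tag_bytes=1), "payroll"))
```

The c-list process can enumerate every index and still reach only what the kernel placed in its table, while the token scheme's protection is exactly as strong as the tag; with a full-length tag the enumeration in sparse_guessable is infeasible and should not be run.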