[cap-talk] Why protected capabilities matter

Karp, Alan H alan.karp at hp.com
Tue Jul 17 18:42:58 EDT 2007

Jed wrote:
> If you don't believe so, perhaps you can give me an example of a
> situation where the isomorphism (c-list index <=> encrypted capability
> data) fails.  That is, where the descriptor-based system can know more,
> can protect more, or whatever.

You have substituted unguessability for unforgeability.  Although
computationally infeasible, it is technically possible for a program to
compute a set of bits that represent an encrypted capability.  There is
no such guessing attack with c-lists.  While this appears to be a purely
theoretical difference, the encrypted capability scheme could be
vulnerable to a weakness in the encryption algorithm.  

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
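
The distinction drawn in the message above, as an added example that is not part of the original post or of any system discussed on the list. It is a toy model in which an HMAC tag stands in for the "encrypted capability data" and the tag length stands in for algorithm strength. All class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


class CListKernel:
    """Descriptor model: the kernel keeps each process's c-list; programs hold only indices."""

    def __init__(self):
        self._clists = {}  # pid -> list of objects granted to that process

    def grant(self, pid, obj):
        clist = self._clists.setdefault(pid, [])
        clist.append(obj)
        return len(clist) - 1  # meaningful only inside pid's own c-list

    def invoke(self, pid, index):
        clist = self._clists.get(pid, [])
        return clist[index] if 0 <= index < len(clist) else None


class DataCapKernel:
    """Capability-as-data model: whoever presents the right bits is authorized."""

    def __init__(self, tag_bytes):
        self._key = secrets.token_bytes(32)
        self.tag_bytes = tag_bytes  # assumption: tag length stands in for algorithm strength

    def _tag(self, obj_id):
        mac = hmac.new(self._key, obj_id.encode(), hashlib.sha256).digest()
        return mac[: self.tag_bytes]

    def mint(self, obj_id):
        return self._tag(obj_id)

    def invoke(self, obj_id, tag):
        return obj_id if hmac.compare_digest(tag, self._tag(obj_id)) else None


def guesses_until_accepted(kernel, obj_id, limit):
    """Present candidate tags in order; return how many were needed, or None."""
    space = 256 ** kernel.tag_bytes
    for n in range(min(limit, space)):
        if kernel.invoke(obj_id, n.to_bytes(kernel.tag_bytes, "big")) is not None:
            return n + 1
    return None


def clist_reachable(kernel, pid, max_index):
    """Indices in [0, max_index) that resolve to an object for this process."""
    return [i for i in range(max_index) if kernel.invoke(pid, i) is not None]
```

A process with an empty c-list reaches nothing no matter which indices it presents, whereas the data-capability kernel accepts a correct tag from anyone, so its protection is exactly as strong as the tag is hard to compute.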
