From: Zooko O'Whielacronx Date: Wed, 22 Jul 2009 03:17:50 +0000 (-0700) Subject: docs: introducing "provider-independent security"; Nathan Wilcox gave me good advice... X-Git-Tag: allmydata-tahoe-1.5.0~14 X-Git-Url: https://git.rkrishnan.org/uri?a=commitdiff_plain;h=70beaeea4307a0c1171865cb8d240fdaa7b3d552;p=tahoe-lafs%2Ftahoe-lafs.git docs: introducing "provider-independent security"; Nathan Wilcox gave me good advice on how to be more specific in terminology when making security claims so as not fit in with the background noise of overblown and indefensible claims that is always buzzing in the security world --- diff --git a/docs/about.html b/docs/about.html index d1ead0ad..820598e4 100644 --- a/docs/about.html +++ b/docs/about.html @@ -9,10 +9,11 @@

Welcome to Tahoe-LAFS

-

Welcome to Tahoe, the Least-Authority Filesystem. Tahoe-LAFS is the only secure cloud storage system. All of the source code is available under a choice of two Free Software, Open Source licences.

-

The only secure cloud storage system?

-

Every seller of cloud storage services will tell you that their service is secure. But what they mean by that is something fundamentally different from what we mean. What they mean by "secure" is that they try really hard not to misuse the power to read or alter your data. This turns out to be hard. Bugs, misconfigurations, and operator error can accidentally expose your data to another customer or to the public, or can corrupt your data. Criminals routinely gain illicit access to corporate servers. Most insidiously of all, employees of the service provider itself may read or alter your data out of carelessness, avarice, or mere curiousity. The most conscientious of these service providers spend considerable effort and expense trying to mitigate these risks.

-

What we mean by "security" is something different. The service provider never has the ability to read or alter your data in the first place. Never. If you store your data with Tahoe-LAFS, then all of the threats described above are non-issues to you. Not only is it easy for the service provider to avoid exposing or corrupting your data, but in fact they couldn't do so if they tried.

+

Welcome to Tahoe, the Least-Authority Filesystem. Tahoe-LAFS is the first cloud storage technology with provider-independent security.

+ +

provider-independent security?

+

Every seller of cloud storage services will tell you that their service is secure. But what they mean by that is something fundamentally different from what we mean. What they mean by "secure" is that they try really hard not to misuse the power to read or modify your data. This turns out to be hard. Bugs, misconfigurations, and operator error can accidentally expose your data to another customer or to the public, or can corrupt your data. Criminals routinely gain illicit access to corporate servers. More insidiously, employees of the service provider itself may read or modify your data out of carelessness, avarice, or mere curiousity. The most conscientious of these service providers spend considerable effort and expense trying to mitigate these risks.

+

What we mean by "security" is something different. The service provider never has the ability to read or modify your data in the first place. Never. If you use Tahoe-LAFS, then all of the threats described above are non-issues to you. Not only is it easy for the service provider to avoid exposing or corrupting your data, but in fact they couldn't do so if they tried. This is what we call provider-independent security.

All that, and we don't sacrifice convenience or ease-of-use! Here's how it works.

@@ -22,7 +23,7 @@

The filesystem is encrypted and spread over multiple servers in such a way that it continues to function even when some of the servers are unavailable, malfunctioning, or malicious.

A "storage grid" is made up of a number of storage servers. A storage server has local attached storage (typically one or more hard disks). A "gateway" uses the storage servers and provides access to the filesystem over HTTP(S) or (S)FTP.

-

Users do not rely on storage servers to provide confidentiality nor integrity for their data -- instead all of the data is encrypted and integrity-checked by the gateway, so that the servers can neither read nor alter the contents of the files.

+

Users do not rely on storage servers to provide confidentiality nor integrity for their data -- instead all of the data is encrypted and integrity-checked by the gateway, so that the servers can neither read nor modify the contents of the files.

Users rely on storage servers for availability. The ciphertext is erasure-coded and distributed across N storage servers (the default value for N is 10) so that it can be recovered from any K of these servers (the default value of K is 3). Therefore only the simultaneous failure of N-K+1 (with the defaults, 8) servers can make the data unavailable.

In the typical deployment mode each user runs her own gateway on her own machine. This way she relies on her own machine for the confidentiality and integrity of the data.

An alternate deployment mode is that the gateway runs on a remote machine and the user connects to it over HTTPS or SFTP. This means that the operator of the gateway can view and modify the user's data (the user relies on the gateway for confidentiality and integrity), but the user can access the filesystem with a client that doesn't have the gateway software installed, such as an Internet kiosk or cell phone.