10.5.1 Eternity Server
One solution is to split up the document into many pieces and store these pieces on many computers, a suggestion that Ross Anderson explored in his design for an Eternity server [And96a]. The design outlines several of the tricks that might allow a network of $n$ machines to store $m$ files and allow the file's owner to both pay the cost of storage and recover the files when necessary.

In the system, each file, $F_i$, is given a name, $N_i$, and stored on a set of servers, $\{S_j, S_k, \ldots\}$, with these steps:
1. A general key, $\mathit{key}$, is chosen.
2. The key for encrypting the data for server $S_j$ is computed from $h(\mathit{key} + \mathit{name}(S_j))$, where $\mathit{name}(S_j)$ is some function that generates a name for a server like the DNS system.
3. A unique name for each file is computed with $h(N_i, \mathit{name}(S_j))$. The data is stored under this unique name on $S_j$.
4. A random amount of padding is added to $F_i$ in a way that can be easily removed. It might consist of appending the true length of the file to the beginning of the file and then adding extra random information to the end.
5. The file is encrypted for $S_j$ with this key and sent to the server.
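
Steps 1 to 5 as a runnable sketch, added here as an example and not code from the book or from Anderson's design. It assumes SHA-256 for $h$, a DNS-style string for $\mathit{name}(S_j)$, and an HMAC-based keystream standing in for the unspecified cipher; all function names are hypothetical.

```python
import hashlib, hmac, secrets, struct

def h(*parts: bytes) -> bytes:
    # The page's h(); SHA-256 over length-prefixed parts is an assumed choice.
    d = hashlib.sha256()
    for p in parts:
        d.update(struct.pack(">I", len(p)) + p)
    return d.digest()

def server_key(key: bytes, server: str) -> bytes:
    # Step 2: h(key + name(S_j)); name() is modelled as the server's DNS name.
    return h(key + server.encode())

def storage_name(file_name: str, server: str) -> str:
    # Step 3: h(N_i, name(S_j)), so the same file has an unrelated name per server.
    return h(file_name.encode(), server.encode()).hex()

def pad(data: bytes, max_pad: int = 256) -> bytes:
    # Step 4: true length first, then a random amount of random bytes.
    tail = secrets.token_bytes(secrets.randbelow(max_pad) + 1)
    return struct.pack(">Q", len(data)) + data + tail

def unpad(padded: bytes) -> bytes:
    (n,) = struct.unpack(">Q", padded[:8])
    if n > len(padded) - 8:
        raise ValueError("length prefix exceeds stored data (wrong key or corrupt copy)")
    return padded[8:8 + n]

def xor_stream(k: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 counter keystream), an assumption; use an AEAD in practice.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(k, nonce + struct.pack(">Q", off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def store(key: bytes, file_name: str, data: bytes, servers: list) -> dict:
    # Steps 2-5 per server. The per-copy nonce is an addition so that two files
    # kept on one server never share a keystream.
    copies = {}
    for s in servers:
        nonce = secrets.token_bytes(16)
        blob = nonce + xor_stream(server_key(key, s), nonce, pad(data))
        copies[s] = (storage_name(file_name, s), blob)
    return copies

def recover(key: bytes, server: str, blob: bytes) -> bytes:
    # Owner side: rebuild the server's key from the general key, decrypt, strip padding.
    return unpad(xor_stream(server_key(key, server), blob[:16], blob[16:]))
```

The owner needs only the general key, the file name and the server list to find and decrypt any copy; a server sees an opaque name and a blob whose length does not match the file's.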

This stores a separate copy on the set of servers. Each copy is encrypted with a different key and each copy has a different length.

Another option is to split each file up into smaller, standard sizes, a technique that eliminates the need for padding while introducing more complexity. It is also possible to add the secret sharing technique from Chapter 4 to add the requirement that any $k$ parts of the file must be recovered before the file can be found. This would eliminate some of the need for encryption.

Anderson imagines paying the server owners, a process that can involve increasingly complex amounts of anonymous payment. He imagines that each server might submit a bill every so often to some central payment office. This could be audited to prevent an errant server from claiming to be storing a file without actually doing so. One technique would be for the central office to send the server a challenge nonce, $c$, and ask the server to compute a keyed hash, $h(c, F_i)$, to prove that they know the data in $F_i$. This audit would require the central auditing office have a copy of $F_i$ and the key used to scramble it, $\mathit{key}$. If the auditing passes, the payment office would send the right money to the server.