Conference: 2010 Network and distributed system security symposium

Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs

Abstract

Researchers at the University of Washington recently proposed Vanish [20], a system for creating messages that automatically "self-destruct" after a period of time. Vanish works by encrypting each message with a random key and storing shares of the key in a large, public distributed hash table (DHT). DHTs expunge data older than a certain age; after this happens to the key shares, the key is permanently lost, and the encrypted data is permanently unreadable. Vanish is an interesting approach to an important privacy problem, but, in its current form, it is insecure. In this paper, we defeat the deployed Vanish implementation, explain how the original paper's security analysis is flawed, and draw lessons for future system designs.

We present two Sybil attacks against the current Vanish implementation, which stores its encryption keys in the million-node Vuze BitTorrent DHT. These attacks work by continuously crawling the DHT and saving each stored value before it ages out. They can efficiently recover keys for more than 99% of Vanish messages. We show that the dominant cost of these attacks is network data transfer, not memory usage as the Vanish authors expected, and that the total cost is two orders of magnitude less than they estimated. While we consider potential defenses, we conclude that public DHTs like Vuze probably cannot provide strong security for Vanish.