Alice wants to store key:value
pairs with Bob.
The goal of the exercise is for Alice to be able to use Bob as a reliable data storage service, even if Bob were untrustworthy.
A (correctly implemented) MAC/AEAD/Signature means Bob cannot tamper with records.
But basic authentication is not sufficient to ensure that Bob returns the correct record, because it does not stop Bob from replaying old records.
Here is an example. Assume that somewhere among key
and value
is a correctly implemented secure authenticator that Alice can use to validate received records:
- Alice sets
key1:value1
with Bob
- Alice later overwrites
key1
and sets key1:value2
with Bob where value2 != value1
- When Alice queries
key1
from Bob, she expects to receive value2
- But Bob could save and replay
value1
- HMAC tag verification will pass because both records were created by Alice
Thus simply authenticating the data is not sufficient.
One naturally reaches for some kind of nonce.
However because it is possible for Alice to lose (or not have) the state and rely on recovering that state from Bob (the whole point of the exercise) we must address the case where Alice has no state and consequently no longer has the most recent nonce. This appears to be the hard part.
How can Alice ensure that she receives the most recent record from Bob?
Other goals/security issues
A malicious Bob can still refuse to store records or delete records. Considering that these are natural events that could occur during benign operation (e.g. Bob runs out of space), it's not clear that preventing these capabilities is strictly necessary or beneficial.
There may be other goals regarding secure storage/backup that I am unaware of. An explanation or paper covering the standard formalized security notions of this subfield would great.