Thank you for your comment, it is very insightful. I will attempt to address the five points you raised.

1) What you describe would indeed offer similar benefits and performance, however we considered it to be architecturally more complicated to integrate, since the pre-IDA data transformation would have to affect the state of the post-IDA transformation of individual slices. Using the AONT there is a single location which we can apply the transformation on the entire data source.

2) One of the key pieces of our technology is the concept of Information Dispersal, which ideally occurs over geographic distances. Before we integrated the AONT we still advocated geographic separation between sites for improved independence of failures and outages. With AONT is offers a very strong security story, as storage of slices is split between distinct sites, and the hardware is managed by different people. Under this configuration, the process is likely better than than typical keyed-encryption deployments.

3) One technology we are looking into to deal with lost disks is harddisk encryption based on a key stored in a TPM chip. This greatly simplifies the process for RMA’ing defective disks, the disks store no useful information and even with all N disks, one would learn nothing. Further when it comes to retiring an entire set of old machines, the key can be quickly erased. Even short of this, AONT offers a lot of advantages, especially in a geographically dispersed configuration. If an attacker was dumpster diving for discarded drives, they would have to be lucky enough to find a threshold number of drives which belonged to the same set of N disks. While certainly feasible for a well funded adversary, it is unlikely that a casual dumpster diver would have such luck.

4) Regarding the detection of compromise, when it comes to what an attacker could compel a machine to do anything is possible. However, to foil the plans of an attacker one may institute a data refreshing period. For example, the scheduled might be to read and re-write all data in the system every 6 months. This process of refreshing the data makes old slices an attacker may have compromised obsolete. Therefore it limits the window of time an attacker has to get a threshold number of machines to six months. If one believes a machine has been compromised, that machine ought to be re-imaged, and all peer-slices to the ones stored on that machine should be refreshed as soon as possible.

5) We’ve become aware of the POTSHARDS paper since announcing our technique. While POTSHARDS achieves a similar goal for a key-less encryption system, it was based on information theoretically secure secret sharing schemes. The advantage of information theoretic security is it can never be brute forced. However, the downside is every “share” is going to be the same size as the original data. Therefore in a 10-of-15 configuration, the data size will be 15X the original. Using Reed-Solomon with AONT forms a computationally secure secret sharing scheme. These slices could be brute forced but the difficulty would be equivalent to brute forcing the underlying cipher. The advantage is that each “slice” is only 1/Threshold the size of the original data. So a 10-of-15 configuration would only require 1.5X the storage of the original data. Therefore the level of performance and storage efficiency for our approach is significantly higher than POTSHARDS.

Regarding your final comment, I believe the POTSHARDS paper makes a reasonable case for why key management isn’t strictly required to build a secure system. What you say, however, is that costs are lower to protect a key than to protect data, because keys are smaller in size. I’m not convinced of this, however. Keys are typically smaller than data to make them more manageable, but I don’t think this lowers the cost of securing them. In a typical keyed-encryption system, there will be at least two systems, one for storing keys and another for storing data. However, just because one location is storing encrypted data doesn’t mean it doesn’t have to be secured. The storage location still needs to be secured for availability reasons. If anyone can access the storage location, they could corrupt or destroy that data, making it permanently unavailable.

In a dispersed storage system, there are typically more than two locations that need to be secured, however the more locations the higher the security guarantees for the system. For example, one might choose a 2-of-2 configuration for dispersal, and the security properties and storage overhead would be identical to a typical keyed-encryption system. 2 locations need to be compromised to yield the data, the loss of one location causes the data to be unavailable, etc. However by using a 10-of-10 configurations, while you need to secure 10 locations instead of 2, for an attacker to break confidentiality they would need to compromise 10 locations instead of 2. This affords users more flexibility regarding the level of security they achieve for their data.

Jason

Some of the feedback I received -

- “I agree that the use of something like [bit spitting/IDA] are interesting uses of technology in this space and rightly deserve to be investigated further by industry experts and analysts”.

- “I have been heavily involved in practical implementation of [security} solutions and one of the ongoing debates is about security of proprietary versus published algorithms and the relative merits and trust that should be placed in each. That is why AES, and 3DES before hand, are openly published algorithms with the strength being in the keys and algorithm implementation, and not the secrecy of the algorithm itself.

Clearly the value of IDA goes beyond security, but it’s apparent that IDA could be better explained to the security community in order for the security practitioner to advocate the value proposition to their storage counterparts and LoBs.