W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: [integrity]: latency tradeoffs

From: Mike West <mkwst@google.com>
Date: Wed, 15 Jan 2014 10:16:49 +0100
Message-ID: <CAKXHy=f4c1v6ccyVDUsp_CNTP2CQ62O_EytyXshsq20=tojE1A@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Adam Langley <agl@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
We have no such syntax. We'd need to come up with something.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Tue, Jan 14, 2014 at 11:51 PM, Joel Weinberger <jww@chromium.org> wrote:

> This is a great point. Are there any cases in CSP currently where we have
> a syntax for describing Merkle trees, or would we need to come up with one?
> I think it definitely makes sense to support such structures.
> --Joel
>
>
> On Tue, Jan 14, 2014 at 12:08 PM, Adam Langley <agl@google.com> wrote:
>
>> Current examples seem to be using a single hash to authenticate a
>> whole resource. However, that requires that the whole resource be
>> buffered before any of it can be used. This extra latency might well
>> outweigh any performance benefits that one might wish to gain by using
>> integrity.
>>
>> This problem isn't fundamental. If we split the resource into chunks
>> then we have long known how to authenticate a number of objects with a
>> single hash using a Merkle tree. Consider a binary tree where the
>> leaves are hashes of chunks and the interior nodes are hashes of their
>> children. (For details, see
>> http://tools.ietf.org/html/rfc6962#section-2.1 or many other sources.)
>>
>> Given a Merkle tree, each chunk in the resource can be proceeded by a
>> logarithmic number of hashes which give all the missing nodes up the
>> tree to the root and, by second-preimage resistance, a single hash in
>> the source document can authenticate any chunk-aligned subset of the
>> resource.
>>
>> The chunk size is the amount of data that must be buffered before
>> being processed. A smaller chunk means lower latency, but more
>> overhead.
>>
>> For resources that aren't accessed with Range requests, we can
>> simplify things a little by assuming that it'll always be received in
>> order.
>>
>> Rather than a balanced binary tree for the Merkle tree, the tree can
>> be made completely unbalanced. Specifically, the left child of every
>> node is a data chunk and the right node (if any) is an interior node.
>> This means that the root hash covers the first chunk and the next
>> interior node. If the second chunk is preceded by this interior node,
>> and so on, then the whole file is secured with only a single hash per
>> chunk.
>>
>> Both of the above require that the resource data itself be altered to
>> add extra data. This means that a resource suitable for integrity
>> cannot be used without it and vice versa. If this is unacceptable in
>> some cases then it's very easy to put a number of hashes straight into
>> the HTML: all the interior nodes of a Merkle tree could be given. The
>> downside is that a large amount of hash data might delay loading of
>> the remainder of the HTML.
>>
>> In short, this means that the attribute should be something like:
>>
>> integrity="8192;unbalanced;progressive;sha-256;6b4j122..."
>>
>> I.e. it contains the chunk size, the tree shape, whether the hashes
>> are inline in the HTML or loaded progressively in the resource data,
>> the hash function and the data itself. (I'm not trying to propose a
>> concrete syntax.)
>>
>>
>> Cheers
>>
>> AGL
>>
>>
>
Received on Wednesday, 15 January 2014 09:17:38 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC