Researchers at the University of Texas at Austin, Princeton and the University of Michigan claim to have broken the Vanish security system, a research prototype that seeks to protect the privacy of online data and data communications by making it unreadable after a period of time.
"We . . . have broken the security guarantees of the Vanish system with a system we call Unvanish," according to the Unvanish Web site. The Unvanish team includes Scott Wolchok, a graduate student at the University of Michigan; Owen S. Hofmann, a PhD student in computer science at the University of Texas at Austin; Nadia Heninger, a graduate student in theoretical computer science at Princeton; Ed Felten, Director of the Center for Information Technology Policy and a Professor of Computer Science and Public Affairs at Princeton; Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan; Chris Rossbach, Post-doctoral researcher at the Computer Sciences Department at the University of Texas at Austin; Brent Waters, Assistant Professor, University of Texas at Austin; and Emmett Witchel, Assistant Professor of Computer Science at the University of Texas at Austin.
"The attack was actually rather straightforward," said assistant professor Waters in an email message to a reporter.
The Unvanish team released a new paper describing their work on Monday (September 28), entitled "Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs."
In a blog post, Professor Felton called the paper "the next chapter in an interesting story about the making, breaking and possible fixing of security systems."
The Vanish and Unvanish teams are playing a cat-and-mouse game of developing ever more sophisticated enncryption systems and then finding and exposing their weaknesses. Their work is evolving quickly. The Vanish prototype, developed at the University of Washington, was updated with new defenses on September 20. Vanish integrates cryptographic techniques with global-scale, P2P, distributed hash tables (DHTs) in an approach that involves self-destructing data. It is one of several encryption schemes that have attracted recent interest.
The Unvanish team targeted Vanish's new defenses in its latest attacks. "The proposed new defenses are interesting and merit further investigation, but, for the time being, Vanish's security should be viewed with skepticism," the Unvanish team said in its September 28 update. "Whether DHTs are the best choice for key-share storage remains an open question."