Re: [SAGE] Long lived, cheap data storage
On 10/7/07, Mark R. Lindsey wrote:
> My favorite is (S-3)(C-2)(A-2)(I-1)(L-3). I.e., buy cheap web hosting
> service storing my files in plain sight of Google, use encryption with
> a readily-available tool like GnuPG, expect the web hosting folks to keep
> the files intact, and just plan to migrate to another provider when they
> go under. A key feature here is cheapness -- web hosting is very cheap.
Even if you're just storing important documents, and no audio, video,
photos, or other forms of visual or auditory media files, you can
quickly run up into storage requirements that can get pretty
expensive.
Most hosting companies are massively, massively oversubscribed on
their storage and their network bandwidth, and if even a tiny
fraction of people started doing what you're talking about then
there's absolutely no way that they could possibly continue to stay
in business.
Moreover, just the amount of network capacity required to move that
much data would be prohibitive, due to the bandwidth-delay product
nature of TCP/IP.
> -> How long would GnuPG encryption last me? After all, single-DES
> was considered useful once. What's the expected lifespan of
> readily-available encryption software?
What options does GnuPG give you for symmetric encryption? Triple-DES? IDEA?
My understanding is that you can now buy commercial quantum crypto
systems (from three different sources no less), and quantum
cryptography throws out the window everything we ever knew about
classical cryptography. What used to be an exponential factor
increase in time when we increase our key size by a single bit, now
becomes a linear factor increase in time (well, for all intents and
purposes).
In other words, all classical cryptography is pretty much useless in
the face of quantum cryptography.
So, what is your threat model? Can they afford to buy a computer
with a commercial quantum cryptography system? If so, then they can
read anything you've got there, and relatively easily.
Also keep in mind that any data you may have stored on a service
provider system is highly vulnerable to being handed over to anyone
who pretends to be a law enforcement officer, at the drop of a hat.
They don't even need to pretend to promise to give them a National
Security Letter. Or the computers could be compromised by criminals
or automated attack software that originated from criminals.
So, could any of them be considered likely to have a computer with a
commercial quantum crypto chip?
> -> Is it reasonable to depend on the provider to keep files intact? If
> not, I've got to do replication of some sort -- probably replicating
> the data to a different storage provider.
No, I wouldn't depend on this. Even if you don't do anything else,
I'd replicate to at least two or three more providers, preferably at
least some that exist in countries that would be more likely to be
resistant to casual snooping by people pretending to be law
enforcement officers.
--
Brad Knowles <brad@shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
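
The replication advice in the message above only pays off if each provider's copy is checked against a digest recorded before upload. The sketch below is an added example, not part of the original message: it assumes a locally kept SHA-256 manifest of the already-encrypted files, and the provider directories, file names and sample bytes are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):  # streamed, so large archives need not fit in RAM
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(src_dir):
    """Digest every already-encrypted file before upload; keep this manifest locally."""
    return {p.relative_to(src_dir).as_posix(): sha256_file(p)
            for p in sorted(Path(src_dir).rglob("*")) if p.is_file()}

def audit_replicas(manifest, replicas):
    """Compare each provider's copy (name -> directory) with the manifest."""
    report = {}
    for rel, want in manifest.items():
        entry = {"good": [], "bad": [], "missing": []}
        for name, root in replicas.items():
            copy = Path(root) / rel
            state = "missing" if not copy.is_file() else (
                "good" if sha256_file(copy) == want else "bad")
            entry[state].append(name)
        report[rel] = entry
    return report

def repair_plan(report):
    """(file, damaged provider, provider to restore from); source None = no good copy."""
    return [(rel, name, e["good"][0] if e["good"] else None)
            for rel, e in report.items() for name in e["bad"] + e["missing"]]

def demo():
    """Constructed sample: directories stand in for providers, bytes for GnuPG output."""
    base = Path(tempfile.mkdtemp())
    files = {"deeds.tar.gpg": b"constructed A", "taxes.tar.gpg": b"constructed B"}
    for d in ("local", "provider1", "provider2", "provider3"):
        (base / d).mkdir()
        for name, data in files.items():
            (base / d / name).write_bytes(data)
    (base / "provider1" / "deeds.tar.gpg").write_bytes(b"bit rot")  # silent corruption
    (base / "provider2" / "taxes.tar.gpg").unlink()                 # provider lost it
    replicas = {n: base / n for n in ("provider1", "provider2", "provider3")}
    report = audit_replicas(build_manifest(base / "local"), replicas)
    return report, repair_plan(report)

if __name__ == "__main__":
    print(demo())
```

With three replicas, one corrupted copy and one lost copy are each still restorable from another provider; a file whose "good" list is empty is reported with a restore source of None.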