Unvanish: The Remarkable Peristence of Bits

The television show Mission Impossible began with Jim Phelps receiving instructions from a recording that subsequently self-destructs. This communication has strong privacy guarantees, but is not invulnerable to attack. The instructions can be overheard and even recorded. Instructions were often recieved in obscure locations, but it would be possible for someone other than Jim Phelps to listen to them. The strongest guarantee of the Mission Impossible instructions is that after Jim Phelps hears his instructions, no one else will hear them. Were it to exist, a technology capable of reconstructing the instructions from the smoking remnants of the recording would jeopardize the success of tasks given to the Impossible Mission Force. Vanish is a system that purports to provide guarantees similar to those of the Mission Impossible instructions for digital data like email, photographs, and video [7]. Users transform their data into a Vanish data object (VDO), which is encrypted with a randomly generated key whose only persistent copy is stored in a distributed hash table (DHT). The key is randomly generated from a large space, so it is difficult to guess. The user specifies an expiration time for the VDO. The DHT has a policy to delete data after 8 hours. To implement any expiration time greater than 8 hours, the Vanish system must refresh the key by reading it out of the DHT and storing it back. Because the key becomes permanently unavailable after the DHT expires it, expiration of the key should make it impossible to decrypt the VDO. The most important guarantee provided by Vanish is that any VDO obtained after its expiration time should not be readable. This paper demonstrates a system, called Unvanish, that violates the Vanish guarantee. Anyone obtaining a VDO after its expiration time can decrypt it using Unvanish. Unvanish requires a constant, but modest investment in processing and storage. The security of the Vanish system hinges crucially on one important assumption: that an attacker (without governmentscale resources) will not be able to crawl or scrape the majority of the data stored on the underlying DHT. If an attacker were able to collect and store (almost) all of the data on the DHT, then data meant to “vanish” would be persistent. One could simply consult the stored DHT to decrypt a VDO after the timeout period. Assuming that scraping a DHT is prohibitively difficult is potentially problematic for two reasons.