Introduction
第二部分的作业,主要是共享和取消共享,需要实现共享链,比如Alice共享文件A给Bob,Bob也可以共享文件A给Carol。当Alice取消共享给Bob的文件A时,也会自动取消Bob共享给Carol的文件A。此外需要考虑各种各样的攻击,跑过包括上一次在内的全部测试集。
Part 2: Adding complex features
Question 2 Sharing
A file store becomes much more interesting when you can use it to share files with your collaborators. Implement the sharing functionality by implementing the methods share() and receive_share().
When Alice wants to share a file with Bob, she will call msg = alice.share(“bob”, filename). Alice will then pass Bob msg through an out-of-band channel (e.g., via email). You may not assume that this channel is secure. A man-in-the-middle might receive or modify the message after Alice sends it but before Bob receives it. After this, if Bob wishes to accept the file, he will call bob.receive share(“alice”, newfilename, msg). Bob should now be able to access Alice’s file under the name newfilename. In other words, Alice accesses the file under the name filename; Bob accesses it using the name newfilename.
You can only send one message, msg, and it will be sent only once. msg must be a string in python. During grading, we will pass this message from one client to another on your behalf.
Property 3 (Sharing)
After m = a.share(“b”, n1); b.receive share(“a”, n2, m), user b should now have access to file n1 under the name n2. Every user who this file has been shared with (including the owner) should see any updates made to this file immediately. To user b, it should be as if this file was created by him: he should be able to read, modify, or re-share this file.
This also changes Property 1 and Property 2 from above. A download() operation should return the last value written by anyone with access to the file (the owner, or anyone with whom the file was shared). Only those with access to the file should be able to read or modify it.
Sharing is tricky. Note that both filenames refer to the same underlying file, and any writes performed by anyone who has access to the file should be immediately visible to all other users with access to the file. Sharing should be transitive. If Alice shares a file with Bob who shares it with Carol, any changes to this file by any of the three should be visible to all three immediately. Sharing a file with someone who has already received it results in unspecified behavior (you may do whatever you choose). It is okay if the storage server learns which other users you have shared a file with.
We require a minimal amount of efficiency: assuming a file (of size m) is shared with n users, and Alice shares the file with a new user, you may perform a linear (in n + m) number of either public or private key encryption operations. This is simple to achieve: any reasonable scheme should be at least this efficient. It is possible to do significantly better—and you are free to do so if you choose—but we will not evaluate you on this.
Your client may only keep state for performance reasons. Your implementation must work if your client is restarted in between every operation. Any state maintained on your client must be able to be reconstructed from data that exists on the server. Your clients may not directly communicate with each other.
Again, you do not need to worry about rollback attacks with sharing. The server may rollback state and remove a client from receiving updates. However, this should only be possible if it is a complete reset to an old state.
Question 3 Efficient Updates
For this question, you must efficiently handle very large files—potentially multiple gigabytes long. Design and implement a solution for efficiently updating files that are already stored on the server.
This makes maintaining confidentiality and integrity much more difficult. Be aware that when the server is malicious, it can perform arbitrary actions at arbitrary points in time during your execution. For example, you cannot assume that two consecutive calls to server.get(f) will return the same value.
You do not need to handle the case where two valid users are interacting with the server simultaneously: you can assume only one user will interact with the server at any point in time. (That is, you do not need to worry about implementing locking.)
The requirements are exactly the same as Question 1, except that now we want your solution to be efficient when making a small update to a large file.
By efficiency, we are referring the amount of data that must be transferred over the network connection to the storage server. By “update”, we are referring to the case where the user invokes upload(f, v2) on a file f that was previously uploaded and whose previous contents were v1. Your solution only needs to be efficient for updates that replace some bytes of the file in place.
Question 4 Revocation
Remote collaboration is a difficult thing, and, unfortunately, one of your collaborators has betrayed you, and you can no longer trust them. You realize that you need to revoke their access to your files. Implement the revoke() method, which allows a user to revoke someone else’s access to a given file. You can’t stop them from remembering whatever they’ve already learned or keeping a copy of anything they’ve previously downloaded, but you can stop them from learning any new information about updates to this file.
Only the user who initially created the file may call revoke().
Property 4 (Revocation)
After calling revoke(otheruser, name), otheruser should not be able to observe new updates to name, and anyone with whom otheruser shared this file should also be revoked. Except for knowing the previous contents of name, to otheruser, it should be as if he never had received the file.
This single property has several hidden implications which may not be clear right away.
Suppose that in the past, Alice granted Bob access to file F, and now Alice revokes Bob’s access. Then we want all the following to be true subsequently:
- Bob should not be able to update F,
- Bob should not be able to read the updated contents of F (for any updates that happen after Bob’s access was revoked), and
- If Bob shared the file with Carol, Carol should also not be able to read or update F.
You may not send any messages during revocation
You only need to implement functionality to revoke access from direct children. If Alice shares a file with Bob, and Bob shares the file with Carol, you are not required to allow Alice to revoke Carol’s access. It must work for Alice to revoke Bob’s access.
If Alice shares a file with Bob, and Bob shares the file with Carol, you don’t need to provide a way for Bob to revoke Carol’s access. We will not test this situation: you only need to ensure that the original creator of the file can revoke others.
If Alice shares a file with Bob, and then revokes Bob’s access, it may still be possible for Bob to mount a denial of service (DoS) attack on Alice’s file (by overwriting it with all 0s, or deleting ids), but Alice should never accept any changes Bob makes as valid. She should always either raise an IntegrityError, or return None (if Bob deleted her files).
Summary
Part2部分简直是噩梦,由于Share和Revoke的存在,Part1部分的代码几乎重写了。