Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten, J. Alex Halderman, Christopher J. Rossbach, Brent Waters, and Emmett Witchel
2009
Researchers at the University of Washington recently proposed
Vanish [20], a system for creating messages that automatically
“self-destruct” after a period of time. Vanish
works by encrypting each message with a random key and
storing shares of the key in a large, public distributed hash
table (DHT). DHTs expunge data older than a certain age;
after this happens to the key shares, the key is permanently
lost, and the encrypted data is permanently unreadable. Vanish
is an interesting approach to an important privacy problem,
but, in its current form, it is insecure. In this paper,
we defeat the deployed Vanish implementation, explain how
the original paper’s security analysis is flawed, and draw
lessons for future system designs.

We present two Sybil attacks against the current Vanish
implementation, which stores its encryption keys in the
million-node Vuze BitTorrent DHT. These attacks work by
continuously crawling the DHT and saving each stored value
before it ages out. They can efficiently recover keys for more
than 99% of Vanish messages. We show that the dominant
cost of these attacks is network data transfer, not memory usage
as the Vanish authors expected, and that the total cost is
two orders of magnitude less than they estimated. While we
consider potential defenses, we conclude that public DHTs
like Vuze probably cannot provide strong security for Vanish.
| Type | Miscellaneous |