<div dir="auto"><div><span style="font-family:sans-serif">Something needs to be able to read that file, so there's not much difference to a peppered hash, and rate limiting at the data layer is much less useful for security than at the application layer.</span></div><div dir="auto"><span style="font-family:sans-serif"><br></span></div><div dir="auto"><span style="font-family:sans-serif">You also still need to salt or pepper, as permuting doesn't hide frequencies.</span></div><div dir="auto"><span style="font-family:sans-serif"><br></span></div><div dir="auto"><div dir="auto"><div dir="auto" style="font-family:sans-serif"><br></div><div dir="auto" style="font-family:sans-serif">Mark</div></div><br><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On 14 Mar 2017 04:24, "Tom Mitchell" <<a href="mailto:mitch@niftyegg.com">mitch@niftyegg.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, Mar 13, 2017 at 1:58 AM, Robin Wood <<a href="mailto:robin@digininja.org">robin@digininja.org</a>> wrote:<br>
><br>
....<br>
<div class="quoted-text">>><br>
>> Again the security depends on the difficulty of exfiltrating such a large<br>
>> data set, not on a short key that that is relatively easy to steal.<br>
><br>
<br>
</div>Also a single file would be opened by a very short list of processes.<br>
Access control lists apply. Even advisory access control can be used to<br>
trigger alerts.<br>
<br>
Also the number of active "open" states can also be watched.<br>
<br>
So the OS services also come to play.<br>
<div class="elided-text"><br>
<br>
--<br>
T o m M i t c h e l l<br>
______________________________<wbr>_________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" rel="noreferrer" target="_blank">http://www.metzdowd.com/<wbr>mailman/listinfo/cryptography</a></div></blockquote></div><br></div></div></div>