Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
That's a really interesting idea. I'd love to read your paper when it's available.

On Thu, Jun 6, 2013 at 10:31 AM, Ralph Holz <h...@net.in.tum.de> wrote:
> Hi,
>
> I am currently doing a write-up that dives into some of the more formal aspects of authentication. In particular, I am wondering when exactly it was formally proved that two entities A and B cannot establish a secure channel between them without such a secure channel having been available to them at a previous point in time. Or, in other words, you cannot authenticate without already having authenticated credentials for that purpose.
>
> To the best of my knowledge, the earliest such proof is the one by Colin Boyd:
>
> Colin Boyd. Security architecture using formal methods. IEEE Journal on Selected Topics in Communications. 1993.
>
> Does anyone know of an earlier such (formal) proof?
>
> Ralph
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF

--
Tony Arcieri

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
Isn't it obvious? (I mean, there is some value in formalizing the model, but still...)

Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory.

On Thu, Jun 6, 2013 at 1:31 PM, Ralph Holz <h...@net.in.tum.de> wrote:
> [...]
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
> Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory.

You still need to know that you want to communicate with someone named Mallory, which is a piece of information that predates the communication. That piece of information was communicated, thus starting a chain of infinite regress.

Instead consider the situation in which you want to communicate with someone that has solved a particular discrete log problem which you have also solved. You don't care who that person is, just that they solved that problem (their ability to solve the problem is their identity). That is, you assume a priori that such a person is someone you want to have a chat with (maybe to ask if you both used the same method, or maybe you are throwing a lavish dinner party for discrete log problem solvers). It seems possible to communicate with such a person or group of people without an earlier secure communication.

If the above scenario seems absurd, consider the following practical situation: Alice has just found a fast way to factor primes. She may not have been the first person to do so; in fact Bob has also discovered a method. Alice wants to communicate with someone, who turns out to be Bob, that can also do this so they can work together listening to all of Eve's messages (Alice listens on even days, Bob listens on odd days). Alice coordinates with Bob (and other Bobs) without Eve learning what is being said, even if she actively MITMs (WITM, EITM?) all communication.

Does this contradict the above proof?

On Thu, Jun 6, 2013 at 2:35 PM, Ralph Holz <h...@net.in.tum.de> wrote:
> Hi,
>
> Of course it is obvious. But obvious does not equal proof. I am surprised this proof wasn't given until 1993.
>
> Ralph
>
>> Isn't it obvious? (I mean, there is some value in formalizing the model, but still...)
>>
>> Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory.
>>
>> On Thu, Jun 6, 2013 at 1:31 PM, Ralph Holz <h...@net.in.tum.de> wrote:
>>> [...]
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
My suggestion is that you research the history of (cryptographic) authentication, mutual authentication (thanks Wikipedia for that phrase) and MITM. (Maybe you already have done that, though?)

I can at least point out that spy agencies have known for many, many decades that you can not securely and secretly communicate with anybody else without preparing it in advance. In some way or another, a secret of some sort must be shared with the intended recipient and only with him. (This has been discussed in the comments on Schneier's blog, for example.) If there is no unique knowledge that only your recipient has, you can't send a message that *only* he can understand.

To what extent/how thoroughly do you need this to be proven in the kind of documents you're looking for?

2013/6/6 Ralph Holz <h...@net.in.tum.de>
> [...]
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
I assume you're talking about confidentiality and authenticity. If all you care about is authenticity then you can proceed under the assumption that the channel /may/ be authentic and then later perform the authentication to retrospectively authenticate it. This is obviously duh, but it's also how modern protocol negotiation works.

Matt

On Jun 6, 2013, at 2:32 PM, Jonathan Katz <jk...@cs.umd.edu> wrote:
> Isn't it obvious? (I mean, there is some value in formalizing the model, but still...)
>
> Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory.
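The two points above, Jonathan's (nothing distinguishes Mallory from A) and Matt's (run the exchange first, authenticate it retrospectively), as a constructed toy model added here, not code from the thread; the group, the names and the pre-shared credential `psk` are assumptions of the example:

```python
"""Constructed toy model (not code from the thread) of the two points above:
Mallory can complete an unauthenticated Diffie-Hellman exchange exactly as
Alice would, and Bob can only tell them apart afterwards by checking a
credential (psk) that Alice and Bob shared *before* the exchange.  The
group is tiny and insecure; it is only here to make the logic executable."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy Mersenne prime, nowhere near a safe DH group
G = 3

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def transcript(*pubs):
    return b"".join(p.to_bytes(16, "big") for p in pubs)

def authenticate(key, tx, psk):
    """Retrospective authentication: MAC the negotiated key and the transcript
    this party saw under the pre-shared credential."""
    return hmac.new(psk, key + tx, hashlib.sha256).digest()

def run_exchange(psk, mitm=False, mallory_psk=None):
    """Return (alice_and_bob_share_a_key, bob_accepts_the_peer_as_alice).
    mallory_psk=None is a Mallory who never obtained the credential and can
    only relay Alice's tag; otherwise she authenticates with her own copy."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    if not mitm:
        key_alice, tx_alice = dh_shared(a, B), transcript(A, B)
        key_bob, tx_bob = dh_shared(b, A), transcript(A, B)
        tag = authenticate(key_alice, tx_alice, psk)
    else:
        _, M = dh_keypair()  # Mallory substitutes M for A and for B
        key_alice, tx_alice = dh_shared(a, M), transcript(A, M)
        key_bob, tx_bob = dh_shared(b, M), transcript(M, B)
        if mallory_psk is None:
            tag = authenticate(key_alice, tx_alice, psk)  # relayed unchanged
        else:
            tag = authenticate(key_bob, tx_bob, mallory_psk)
    return key_alice == key_bob, hmac.compare_digest(tag, authenticate(key_bob, tx_bob, psk))
```

The third case is the point of the thread: once Mallory holds the same prior credential as Alice, Bob's retrospective check passes and nothing in the exchange distinguishes her.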
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
Consider a network of N nodes, each given an id from 1 to N; each node uses a protocol where any message it receives it decrypts with its id. All messages get sent to every node instantly, and decryption has a very high cost.

Node A wants to send a message to another node (node A just chooses an id randomly). Node A encrypts the message with the other node's ID and sends it into the network. Node A has just securely communicated with another node (let's say node B) without any prior secure channels, and for another node to break that communication they must try ~n/2 decryptions.

Of course A is blindly communicating with node B, but as long as node B wants the communication to be secure, the communication is secure and it requires no prior secure communications other than the protocol itself.

On Thu, Jun 6, 2013 at 3:12 PM, Matthew Green <matthewdgr...@gmail.com> wrote:
> I assume you're talking about confidentiality and authenticity. If all you care about is authenticity then you can proceed under the assumption that the channel /may/ be authentic and then later perform the authentication to retrospectively authenticate it. This is obviously duh, but it's also how modern protocol negotiation works.
>
> Matt
>
> On Jun 6, 2013, at 2:32 PM, Jonathan Katz <jk...@cs.umd.edu> wrote:
>> [...]
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
How does node A know node B's ID, and that the ID is really the one of the B he/she wants to communicate with? Isn't the ID really just the shared secret (credentials) Ralph mentions in his question?

--Felix

From: cryptography [mailto:cryptography-boun...@randombit.net] On Behalf Of Ethan Heilman
Sent: Thursday, June 06, 2013 16:04
To: Matthew Green
Cc: Crypto List
Subject: Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel

> [...]
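Ethan's N-node broadcast scheme and Felix's objection to it, as a constructed simulation added here (not code from either message); the toy cipher, the key derivation from the id and the name Eve are assumptions of the example:

```python
"""Constructed simulation of the N-node broadcast scheme, with Felix's
objection made measurable: Eve, who knows the protocol but not the chosen id,
tries ids until a decryption verifies, so what protects the message is the
id, a log2(N)-bit secret that had to exist before the message was sent."""
import hashlib
import hmac
import math
import secrets

def node_key(node_id):
    """Each node's key is a public function of its id; only the id is secret."""
    return hashlib.sha256(b"node-id:" + str(node_id).encode()).digest()

def encrypt(key, plaintext):
    """Toy authenticated encryption (keystream from SHA-256 plus an HMAC tag),
    so a wrong key is detected rather than yielding garbage. Not for real use."""
    assert len(plaintext) <= 32
    stream = hashlib.sha256(key + b"stream").digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:8]

def decrypt(key, blob):
    ct, tag = blob[:-8], blob[-8:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest()[:8], tag):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

def broadcast(n, plaintext):
    """A picks a recipient id at random and encrypts for it; all N nodes see it."""
    target = secrets.randbelow(n) + 1
    return target, encrypt(node_key(target), plaintext)

def eve_recovers(n, blob):
    """Eve's view: try ids 1..N until the tag verifies. Returns (id, trials, pt)."""
    for trials, cand in enumerate(range(1, n + 1), start=1):
        pt = decrypt(node_key(cand), blob)
        if pt is not None:
            return cand, trials, pt
    return None

def mean_trials(n, runs):
    """Average number of trial decryptions Eve needs; tends to (N + 1) / 2."""
    total = sum(eve_recovers(n, broadcast(n, b"x")[1])[1] for _ in range(runs))
    return total / runs

def secret_bits(n):
    """The id is the only secret: it carries log2(N) bits, like a short key."""
    return math.log2(n)
```

Eve's ~N/2 trials are exactly a brute-force search of a log2(N)-bit key, so "decryption is expensive" only buys what the secrecy of the id buys.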
Re: [cryptography] skype backdoor confirmation
From the new Washington Post article:

According to a separate "User's Guide for PRISM Skype Collection," that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of "audio, video, chat, and file transfers" when Skype users connect by computer alone. Google's offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.

http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story_1.html

On Sun, May 26, 2013 at 6:32 AM, ianG <i...@iang.org> wrote:
> On 26/05/13 03:31 AM, James A. Donald wrote:
>> On 2013-05-26 2:13 AM, Eric S Johnson wrote:
>>> Sauer: We answer to this question: We provide a safe communication option available. I will not tell you whether we can listen to it or not.
>>>
>>> In other words, no evidence there, either.
>>
>> Oh come on. "We will not tell you" tells us.
>
> This is the problem with non-disclosure. It tells us, but what does it tell us?
>
> For my money, Mr Sauer has told us that Skype is /preserving the option/. He doesn't tell us who Skype is listening to or when; it is even worse than that: they are preserving the option for anyone they so desire. People who hold an option do so because they can benefit from it, because options are not free. So Skype have decided that someone needs to listen, they will get a benefit, and they'll decide who that is, when and if [0].
>
> The curious thing to take out of this is, for me: how should a security company act? If they act like Skype acted, people won't trust them. So how is it that a security company can deliver security if they themselves cannot be trusted?
>
> Consider two examples. Apple are mostly trusted, but they never tell us what they do in security. Verisign's CA model was an exercise in non-trust, because they told us in glorious 100-page detail, and nobody had a clue what the deal was.
>
> What's the difference here? It seems to me that we should be able to determine a better way to be a trusted security company. Or, maybe there is no principle to be extracted here, maybe the market for security trust has no single way? We've been doing this for 20 years now, and it seems we still don't know.
>
> iang
>
> [0] Observers may point to limitations in the ToS. But if you need to point to ToS, then you are simply proving your deception. Does anyone know when the ToS were changed to permit intercept and listening? If they've changed ToS to permit e2e, where it wasn't permitted before, without telling us that e2e is over, then they've also changed them to permit whatever they want, and any new uses will likewise see a change.