Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
So basically, the way around having one insecure channel is to use so many insecure channels that the same attacker can't control them all. Which IRL means you run around between computers and check if what you published is available under the exact identity/keys you specified, and keep making up new names until you manage to get one of them widely propagated with your own keys, and then you keep using that identity. Note that one of the problems with this is a worse version of domain-squatting - a powerful attacker can register nearly *all* meaningful names faster than most regular people. However, this can be made harder with something like proof-of-work, which interestingly enough things like vanitygen provides right there in the keys - you specify a text string you want in your public key (or it's hash), and it generates keys until it finds a match. People are using this in Bitcoin, and people have done this for Tor .onion addresses. It could also be done for CJDNS and I2P's b32 domain names ([52-base32-characters-of-hash-of-public-key].b32.i2p). Make up a unique name and generate a unique key for it, and it's harder to do a quick MITM on it when you start trying to propagate it. On quantum encryption/key exchange that was mentioned before - that assumes just like any other connection that the MITM wasn't in place before the connection was first put in use. You can detect an attacker that shows up in between you and the node you are directly physically connected to, but if he's already there when you first connects then you can't know the difference. Whatever channel you use to verify the connection, you might as well just use that channel to exchange asymmetric public keys and skip everything quantum. 2013/6/7 Guido Witmond gu...@witmond.nl On 07-06-13 14:50, ianG wrote: On 7/06/13 14:45 PM, Ralph Holz wrote: Hi, What makes the silk road key the real public key is that it is the same key has everyone else uses.- that it is public. This simply falls back to an assertion made by a `trusted' entity, namely the `public', and is thus an authenticated credential. Well, yes or no or maybe. In practice, there is no 'entity' named the public [1]. Looking a bit closer, there are people, many of them. What broad publication allows is a low-cost way to ensure that most people have the same initial secret, and that most examples of any interference with that initial secret are cheaply discovered. PS: Leaving aside the obvious circular definition of trusted entity being one who we trust to do the authentication. In the above example, it reads absurdly: there is no such entity 'public' that decides to do the trusting of the non-existent-entity 'public'. This is what I try to do with my Eccentric-authentication scheme. [1] I make this 'public' more explicit with a global registry. It allows verification that a CA only certifies each Common Name only once. The price of this registry is mostly storage and lookups. A DHT-like storage would be perfect. There are no namecoin-like hashes to calculate. [2] There is no need for users to put *trust* in the global registry. The registry is not in a position to invalidate any certificates, nor create fake certificates. All trust comes from verifying that a CA (still) doesn't sign a Common Name twice. Only a CA is able to forfeit the trust he's earned by signing multiple certificates bearing the same Common Name. Even though the CAs (one for each web site) do not validate a users real identity, this verification of the uniqueness property allows the certificate (and the users' public key) to become an anonymous identity. Use: The idea is that bloggers at an ecca-authenticated blog write signed messages with the message signature attached to their blog entries. The user agent verifies these signatures against the verifiable unique certificate. This allows people to *identify* fellow bloggers by their certificate (Common name). [3] The registry operates as introducer. Once a person has communicated successfully with someone there is no need to look up their certificates at each use. This keeps the load on the registry low and improves scalability. With DNSSEC/DANE in the mix, we have another way around Zooko's Triangle [4] Try it: It's not only theory. I've got two demo sites and a proxy server to stand in for the user. It shows the Local CA bit and anonymous messaging. (notice it doesn't use the global registry idea, yet) [5] With regards, Guido Witmond. PS. This is a protocol to create anonymous accounts where anonymity is important. Don't use it to identify your employees, nor your customers when you run a bank. [1] http://eccentric-**authentication.org/http://eccentric-authentication.org/ [2] http://eccentric-**authentication.org/eccentric-**
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
On Fri, Jun 07, 2013 at 10:02:51AM +0300, ianG wrote: The big example here is of SSL. In v1 it was vulnerable to MITM, which was theoretically claimed to make it 'insecure'. In practice there was no evidence of a threat, and still little real evidence of that precise threat. Fixing the MITM in SSL v2 caused the utility to fall and costs to skyrocket, which meant that it failed in its overall mission and maintained its credit card mission only by much handwaving and ignoring of other issues. When it comes to browsers, the way SSL/HTTPS has been presented to users is maddening. Every time a user sees the scary unsigned SSL certificate warning we're basically telling the user that their security is worse with SSL than without. I've seen multiple comments on sites like slashdot by sysadmins and programmers who don't understand crypto discouraging the use of HTTPS unless you have a CA-signed certificate because it makes you vulnerable to a MITM attack... when HTTP is vulnerable as well. Somehow people actually have this misunderstanding. What browser vendors should be doing is to display http and https URLs identically in the URL field and focus on the Green URL side of things to make it clear when the connection is actually authenticated. It's probably not a bad idea for a *manually entered* https URL to result in a warning if the certificate is unsigned, but the general case should simply have identical behavior given the identical worst-case security. The PGP world is the same. We would be far better off if we focused on making PGP simple and easy enough that people actually use it; focusing on the web-of-trust does more harm than good. Again protection from passive evesdroppers is a huge improvement on the status quo even without any protection from active evesdroppers. For one thing active evesdroppers leave evidence of their actions. -- 'peter'[:-1]@petertodd.org 002ef32132cbc3d519800a1f348a51b3ee59f9686e52d92d8734 signature.asc Description: Digital signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
Precisely. You have no way of knowing anything about the alleged identity behind a key without having some form of interaction through a secure channel (like real-world interaction). On Jun 7, 2013, at 3:53 PM, Florian Weimer f...@deneb.enyo.de wrote: Practically speaking, this is true. Maybe I'm a bit naïve, but I expect it's difficult to model such global semantic concerns accurately, including the fact that you cannot actually use public keys as identities because in reality, no one wants to talk to a key. signature.asc Description: Message signed with OpenPGP using GPGMail ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
We're starting to tread into very philosophical territory. I'd argue that users on the Silk Road (sellers especially) are, in fact, authenticated over very informal separate secure channels. One secure channel is that of the Silk Road website itself. By being on the website, it lends some credence to the idea that the owner of the key you are communicating with is who they claim to be. This, it could be argued, is a very fuzzy form of authentication. A second secure channel is the review system on the Silk Road. People reviewing the salesmen, perhaps using crypto to authenticate their reviews, represents a *very* informal kind of certification system/web of trust. This is another authentication channel. It's important to realize that an identity is more than just a name or an ID number. Most authentication systems only care about authenticating names and ID numbers, but other authentication systems (like the informal one used on the Silk Road) is about authenticating the part of someone's alleged identity that says I sell drugs and I won't screw you over somehow. It's not always Alice wants to talk to Bob. Sometimes it's A legitimate drug purchaser wants to talk to a legitimate drug vendor. The names don't matter, so they don't have to be authenticated over a secure channel. So I don't think it's accurate to say that people want to talk to the key. They actually want to talk to a specific thing behind the key. However, instead of wanting to talk to an identity that has the property of being named John Doe or what have you, like we usually do in crypto, they want to talk to an identity that has the property of being a drug salesman. On Fri, Jun 7, 2013 at 9:02 PM, James A. Donald jam...@echeque.com wrote: On 2013-06-08 6:53 AM, Florian Weimer wrote: you cannot actually use public keys as identities because in reality, no one wants to talk to a key. Again, Silk road is a counter example. That is a key that people do want to talk to. __**_ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/**mailman/listinfo/cryptographyhttp://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
That's a really interesting idea. I'd love to read your paper when it's available. On Thu, Jun 6, 2013 at 10:31 AM, Ralph Holz h...@net.in.tum.de wrote: Hi, I am currently doing a write-up that dives into some of the more formal aspects of authentication. In particular, I am wondering when exactly it was formally proved that two entities A and B cannot establish a secure channel between them without such a secure channel having been available to them at a previous point in time. Or, in other words, you cannot authenticate without already having authenticated credentials for that purpose. To the best of my knowledge, the earliest such proof is the one by Colin Boyd: Colin Boyd. Security architecture using formal methods. IEEE Journal on Selected Topics in Communications. 1993. Does anyone know of an earlier such (formal) proof? Ralph -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
Isn't it obvious? (I mean, there is some value in formalizing the model, but still...) Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory. On Thu, Jun 6, 2013 at 1:31 PM, Ralph Holz h...@net.in.tum.de wrote: Hi, I am currently doing a write-up that dives into some of the more formal aspects of authentication. In particular, I am wondering when exactly it was formally proved that two entities A and B cannot establish a secure channel between them without such a secure channel having been available to them at a previous point in time. Or, in other words, you cannot authenticate without already having authenticated credentials for that purpose. To the best of my knowledge, the earliest such proof is the one by Colin Boyd: Colin Boyd. Security architecture using formal methods. IEEE Journal on Selected Topics in Communications. 1993. Does anyone know of an earlier such (formal) proof? Ralph -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory. You still need to know that you want to communicate with someone named Mallory, which is a piece of information that predates the communication. That piece of information was communicated thus starting a chain of infinite regress. Instead consider the situation in which you want to communicate with someone that have solved a particular discrete log problem which you have also solved. You don't care who that person is, just that they solved that problem (their ability to solve the problem is their identity). That is, you assume a priori that such a person if someone you want to have a chat with (maybe to ask if you both used the same method or maybe you are throwing a lavish dinner party for discrete log problem solvers). It seems possible to communicate with such a person or group of people without an earlier secure communication. If the above scenario seems absurd consider the following practical situation: Alice has just found a fast way to factor primes. She may not have been the first person to do so, in fact Bob has also discovered a method. Alice wants to communicate with someone, who turns out to be Bob, that can also do this so they can work together listening to all of Eve's messages (Alice listens on even days, Bob listens on odd days). Alice coordinate with Bob (and other Bobs) without Eve learning what is being said, even if she actively MITMs (WITM, EITM?) all communication. Does this contradict the above proof? On Thu, Jun 6, 2013 at 2:35 PM, Ralph Holz h...@net.in.tum.de wrote: Hi, Of course it is obvious. But obvious does not equal proof. I am surprised this proof wasn't given until 1993. Ralph Isn't it obvious? (I mean, there is some value in formalizing the model, but still...) Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory. On Thu, Jun 6, 2013 at 1:31 PM, Ralph Holz h...@net.in.tum.de mailto:h...@net.in.tum.de wrote: Hi, I am currently doing a write-up that dives into some of the more formal aspects of authentication. In particular, I am wondering when exactly it was formally proved that two entities A and B cannot establish a secure channel between them without such a secure channel having been available to them at a previous point in time. Or, in other words, you cannot authenticate without already having authenticated credentials for that purpose. To the best of my knowledge, the earliest such proof is the one by Colin Boyd: Colin Boyd. Security architecture using formal methods. IEEE Journal on Selected Topics in Communications. 1993. Does anyone know of an earlier such (formal) proof? Ralph -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 tel:%2B49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF ___ cryptography mailing list cryptography@randombit.net mailto:cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
My suggestion is that you research the history of (cryptographic) authentication, mutual authentication (thanks Wikipedia for that phrase) and MITM. (Maybe you already have done that, though?) I can at least point out that spy agencies have known for many many decades that you can not securely and secretly communicate with anybody else without preparing it in advance. In some way or another, a secret of some sort must be shared with the intended recipient and only with him. (This has been discussed in the comments on Schneier's blog, for example.) If there is no unique knowledge that only your recipient has, you can't send a message that *only* he can understand. To what extent/how thoroughly do you need this to be proven in the kind of documents you're looking for? 2013/6/6 Ralph Holz h...@net.in.tum.de Hi, I am currently doing a write-up that dives into some of the more formal aspects of authentication. In particular, I am wondering when exactly it was formally proved that two entities A and B cannot establish a secure channel between them without such a secure channel having been available to them at a previous point in time. Or, in other words, you cannot authenticate without already having authenticated credentials for that purpose. To the best of my knowledge, the earliest such proof is the one by Colin Boyd: Colin Boyd. Security architecture using formal methods. IEEE Journal on Selected Topics in Communications. 1993. Does anyone know of an earlier such (formal) proof? Ralph -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
I assume you're talking about confidentiality and authenticity. If all you care about is authenticity then you can proceed under the assumption that the channel /may/ be authentic and then later perform the authentication to retrospectively authenticate it. This is obviously duh, but it's also how modern protocol negotiation works. Matt On Jun 6, 2013, at 2:32 PM, Jonathan Katz jk...@cs.umd.edu wrote: Isn't it obvious? (I mean, there is some value in formalizing the model, but still...) Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
Consider a network of N nodes each given an id from 1 to N, each node uses a protocol where any message it receives it decrypts with it's id. All messages get sent to every node instantly, and decryption has a very high cost. Node A wants to send a message to another node (node A just chooses an id randomly). Node A encrypts the message with the other nodes ID and sends it into the network. Node A has just securely communicated with another node (let say node B) without any prior secure channels and for another node to break that communication they must try ~n/2 decryptions. Of course A is blindly communicating with node B, but as long as node B wants the communication to be secure, the communication is secure and it requires no prior secure communications other than the protocol itself. On Thu, Jun 6, 2013 at 3:12 PM, Matthew Green matthewdgr...@gmail.comwrote: I assume you're talking about confidentiality and authenticity. If all you care about is authenticity then you can proceed under the assumption that the channel /may/ be authentic and then later perform the authentication to retrospectively authenticate it. This is obviously duh, but it's also how modern protocol negotiation works. Matt On Jun 6, 2013, at 2:32 PM, Jonathan Katz jk...@cs.umd.edu wrote: Isn't it obvious? (I mean, there is some value in formalizing the model, but still...) Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel
How do the does node A know node B's ID and that the ID is really the one of the B he/she wants to communicate with? Isn't the ID really just the shared secret (credentials) Ralph mentions in his question? --Felix From: cryptography [mailto:cryptography-boun...@randombit.net] On Behalf Of Ethan Heilman Sent: Thursday, June 06, 2013 16:04 To: Matthew Green Cc: Crypto List Subject: Re: [cryptography] Looking for earlier proof: no secure channel without previous secure channel Consider a network of N nodes each given an id from 1 to N, each node uses a protocol where any message it receives it decrypts with it's id. All messages get sent to every node instantly, and decryption has a very high cost. Node A wants to send a message to another node (node A just chooses an id randomly). Node A encrypts the message with the other nodes ID and sends it into the network. Node A has just securely communicated with another node (let say node B) without any prior secure channels and for another node to break that communication they must try ~n/2 decryptions. Of course A is blindly communicating with node B, but as long as node B wants the communication to be secure, the communication is secure and it requires no prior secure communications other than the protocol itself. On Thu, Jun 6, 2013 at 3:12 PM, Matthew Green matthewdgr...@gmail.commailto:matthewdgr...@gmail.com wrote: I assume you're talking about confidentiality and authenticity. If all you care about is authenticity then you can proceed under the assumption that the channel /may/ be authentic and then later perform the authentication to retrospectively authenticate it. This is obviously duh, but it's also how modern protocol negotiation works. Matt On Jun 6, 2013, at 2:32 PM, Jonathan Katz jk...@cs.umd.edumailto:jk...@cs.umd.edu wrote: Isn't it obvious? (I mean, there is some value in formalizing the model, but still...) Consider authentication of A to B. If there is nothing distinguishing (impersonator) Mallory from (honest) A, then anything A can do can also be done by Mallory. ___ cryptography mailing list cryptography@randombit.netmailto:cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
