Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-09-05 Thread Bill Frantz

On 8/25/13 at 8:32 PM, leich...@lrw.com (Jerry Leichter) wrote:

*The* biggest headache is HTTP support.  Even the simplest 
modern HTTP server is so complex you can never be reasonably 
sure it's secure (though, granted, it's simpler than a 
browser!)  You'd want to stay simple and primitive.


I'm currently over 250 messages behind, so please pardon me if 
this item has already been mentioned.


Back in 2009, Charlie Landau and I worked on a DARPA contract to 
demonstrate a secure web key server[1]. We used CAPROS[2] as the 
underlying operating system and built an HTTP interpreter to act 
as the server. The system is GPL and the source for the web key 
server is available on Sourceforge[3].


Charlie comments that the IDL files are quite useful, but there 
really isn't any documentation. Let me give a brief overview:


When a new TCP connection arrives, a new instance of the web key 
server is created. It cannot communicate with any other 
instance of the web key server, and the only real authority it 
has, beyond sending and receiving on the TCP circuit, is to a 
name lookup system.


This name lookup system takes a string -- the secret part of the 
web key -- and returns a resource. The web key server then 
returns the contents of that resource to the requestor.


Since the name lookup system does not allow enumeration of its 
contents, even if an instance of the web key server is 
compromised, an attacker will still have to guess the secret 
part of the web key to retrieve authorities from the name lookup system.


Cheers - Bill

[1] Web key: http://waterken.sourceforge.net/web-key/

[2] http://www.capros.org/, http://capros.sourceforge.net/

[3] http://sourceforge.net/projects/capros/

---
Bill Frantz        | Truth and love must prevail | Periwinkle
(408)356-8506      | over lies and hate.         | 16345 Englewood Ave
www.pwpconsult.com |   - Vaclav Havel            | Los Gatos, CA 95032


___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
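The shape of what Bill describes, as an added illustration rather than code from the CapROS web key server: a `Directory` that keeps only digests of the secret fragments and exposes a single `Lookup` with no way to list its contents, and a per-connection `Instance` whose only authority beyond the request bytes is a reference to that directory. Carrying the secret in an `s` query parameter, the type and function names, and the sample resource are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/url"
	"strings"
)

// Resource is whatever a web key designates; the bodies used below are constructed.
type Resource struct {
	ContentType string
	Body        string
}

// Directory plays the name-lookup system: it maps the secret part of a web key
// to a resource and deliberately offers no enumeration operation.
type Directory struct {
	byDigest map[[32]byte]Resource // keyed by SHA-256 of the secret, never the secret itself
}

func NewDirectory() *Directory {
	return &Directory{byDigest: make(map[[32]byte]Resource)}
}

// Register files a resource under a secret. Only the digest is retained, so a
// memory dump of the directory does not hand out usable web keys either.
func (d *Directory) Register(secret string, r Resource) {
	d.byDigest[sha256.Sum256([]byte(secret))] = r
}

// Lookup is the directory's single operation: one secret in, one resource out.
// Without enumeration, a compromised server instance can only test guesses.
func (d *Directory) Lookup(secret string) (Resource, bool) {
	r, ok := d.byDigest[sha256.Sum256([]byte(secret))]
	return r, ok
}

// Instance is one per-connection server. It shares nothing with other
// instances; its only authority beyond the socket is the directory reference.
type Instance struct {
	dir *Directory
}

// HandleRequestLine serves an HTTP/1.x request line such as
// "GET /-?s=abc HTTP/1.1" and returns a status code and body. Carrying the
// secret in the "s" query parameter is this example's assumed convention.
func (srv Instance) HandleRequestLine(line string) (status int, body string) {
	parts := strings.Fields(line)
	if len(parts) != 3 || parts[0] != "GET" {
		return 405, "method not allowed"
	}
	u, err := url.Parse(parts[1])
	if err != nil {
		return 400, "bad request"
	}
	secret := u.Query().Get("s")
	if secret == "" {
		return 404, "not found" // no secret means no authority: same answer as a wrong guess
	}
	r, ok := srv.dir.Lookup(secret)
	if !ok {
		return 404, "not found"
	}
	return 200, r.Body
}

func main() {
	dir := NewDirectory()
	dir.Register("mhbqcmmva5ja3", Resource{"text/plain", "constructed sample document"})
	srv := Instance{dir: dir} // one of these per TCP connection
	for _, req := range []string{
		"GET /-?s=mhbqcmmva5ja3 HTTP/1.1",
		"GET /-?s=wrongguess HTTP/1.1",
		"GET /- HTTP/1.1",
	} {
		st, body := srv.HandleRequestLine(req)
		fmt.Printf("%-34s -> %d %s\n", req, st, body)
	}
}
```

The point to notice is what the instance cannot do: it holds no list of secrets and no channel to other instances, so the damage from a bug in the HTTP parsing is bounded by the guessability of the secrets.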


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-29 Thread Jerry Leichter

On Aug 28, 2013, at 11:03 AM, Jonathan Thornburg wrote:

 On Wed, 28 Aug 2013, Jerry Leichter wrote:
 On the underlying matter of changing my public key:  *Why* would I have
 to change it?  It's not, as today, because I've changed my ISP or employer
 or some other random bit of routing information - presumably it's because
 my public key has been compromised.
 
 Maybe it's because you've forgotten the passphrase guarding the
 corresponding private key?
 
 Or because you'd like to do the electronic equivalent of change my name,
 start [this facet of] my electronic life over?
The point of my question was that for different reasons for changing the public 
key, there are different issues and different potential responses.

- If I need to change because the private key was compromised, there's nothing 
I can do about past messages; the question is what I do to minimize the number 
of new messages that will arrive with a now-known-insecure key.  This was the 
case I assumed the previous poster was concerned with.
- If I lost the private key, all previous messages remain secure - except they 
are now, unfortunately, secure against me as well :-(.  New messages sent with 
the key will be unreadable, but if I am in a position to determine who sent 
them, I can tell them to re-send with a different key.  If the system is set up 
so that even return information is encrypted, I'll have to rely on my 
correspondent's realizing they need to re-send via some other mechanism.  (It 
could be through whatever revocation mechanism the system has; it could be 
through mail I send to everyone I correspond with; it could be through a phone 
call, or just by word of mouth.  The sender will have to check the dates and 
realize that some message was sent recently enough that I probably couldn't 
decrypt it.)
- As I outlined things, there was never a reason you couldn't have multiple 
public keys, and in fact it would be a good idea to make traffic analysis 
harder.  Adding a new key for a new facet of your electronic life is trivial.

-- Jerry


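A small model of the recovery Jerry sketches for the compromised-key case (a signed revocation that names one of several replacement keys pre-shared while the old key was still trusted, as laid out in his 28 Aug message further down the page), added here as an example and not code from any list member. It uses Ed25519 from the Go standard library; the message layout, the type names and the `Scenario` walkthrough are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is what a correspondent stores about me: my current public key and
// digests of replacement keys I pre-shared while the current key was trusted.
type Identity struct {
	Current    ed25519.PublicKey
	Successors [][32]byte
}

// Revocation says "Revoked is dead, use Successor" and is signed with Revoked.
type Revocation struct {
	Revoked   ed25519.PublicKey
	Successor ed25519.PublicKey
	Sig       []byte
}

// revocationBody is the byte string that gets signed (a constructed format).
func revocationBody(revoked, successor ed25519.PublicKey) []byte {
	return bytes.Join([][]byte{[]byte("key-revocation-v1"), revoked, successor}, []byte{0})
}

// Commit registers a replacement key with a correspondent ahead of time.
func (id *Identity) Commit(replacement ed25519.PublicKey) {
	id.Successors = append(id.Successors, sha256.Sum256(replacement))
}

// SignRevocation is run by whoever holds the private key, which after a
// compromise may be the attacker as well as the owner.
func SignRevocation(revokedPriv ed25519.PrivateKey, successor ed25519.PublicKey) Revocation {
	revoked := revokedPriv.Public().(ed25519.PublicKey)
	return Revocation{Revoked: revoked, Successor: successor,
		Sig: ed25519.Sign(revokedPriv, revocationBody(revoked, successor))}
}

// Apply is run by the correspondent. A valid signature is necessary but not
// sufficient: the named successor must have been committed in advance, so a
// thief holding the current private key cannot redirect the identity to a key
// of their own; the worst they can do is trigger a rollover to my own spare.
func (id Identity) Apply(rev Revocation) (Identity, error) {
	if !bytes.Equal(rev.Revoked, id.Current) {
		return id, errors.New("revocation is not for the current key")
	}
	if !ed25519.Verify(id.Current, revocationBody(rev.Revoked, rev.Successor), rev.Sig) {
		return id, errors.New("bad signature")
	}
	want := sha256.Sum256(rev.Successor)
	for i, s := range id.Successors {
		if s == want {
			rest := append([][32]byte{}, id.Successors[:i]...)
			rest = append(rest, id.Successors[i+1:]...)
			return Identity{Current: rev.Successor, Successors: rest}, nil
		}
	}
	return id, errors.New("successor was not pre-shared; refusing a brand-new key")
}

// Scenario walks through both outcomes and reports whether each behaved as intended.
func Scenario() (presharedAccepted, freshRejected bool, err error) {
	curPub, curPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sparePub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	id := Identity{Current: curPub}
	id.Commit(sparePub) // shared while curPriv was still trusted

	// Legitimate rollover after compromise: name the pre-shared spare.
	next, err := id.Apply(SignRevocation(curPriv, sparePub))
	presharedAccepted = err == nil && bytes.Equal(next.Current, sparePub)

	// Someone holding curPriv tries to point the identity at a fresh key.
	evilPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return presharedAccepted, false, err
	}
	_, err = id.Apply(SignRevocation(curPriv, evilPub))
	freshRejected = err != nil
	return presharedAccepted, freshRejected, nil
}

func main() {
	a, b, err := Scenario()
	fmt.Println("pre-shared successor accepted:", a, "| fresh key rejected:", b, "| error:", err)
}
```

Note what this does not solve: the spare private keys must be kept somewhere safer than the one that was stolen, and a correspondent who never received the commitments has nothing to check against, which is exactly why the pre-sharing has to happen before the compromise.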


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-29 Thread Callme Whatiwant
Hello, I'm new here, so I apologize if I'm repeating past arguments or
asking old questions.


On Tue, Aug 27, 2013 at 8:52 PM, Jerry Leichter leich...@lrw.com wrote:

 On Aug 27, 2013, at 9:48 PM, Perry E. Metzger wrote:

 On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
 wen...@pelicancrossing.net wrote:
 On 08/27/2013 18:34, ianG wrote:
 Why do we need the 1980s assumption of being able to send freely
 to everyone, anyway?

 It's clear you're not a journalist or working in any other
 profession where you actually need to be able to communicate
 spontaneously with strangers.

 Of course, as a reporter, you are probably getting email addresses of
 people to talk to via referral, and that could be used to get past the
 barrier. The problem of people spontaneously contacting a published
 address is harder.
 Actually, it isn't, or shouldn't be.  Email addresses were originally things 
 you typed into a terminal.  They had to be short, memorable, and easy to 
 type.  Published meant printed on paper, which implied typing the thing 
 back in.

 But none of that matters much any more.

This is (anecdotally) completely untrue.

A great way to experience this personally is to start using a
strange email address, like mine.  You quickly realize how often you
*say* or *write on paper* your email address.  Because my email
address is odd, almost every time I say it, the listener asks me to
spell it.  I suspect if I could just say bob at gmail I wouldn't
notice how often this occurs.

Now I'm inspired to keep a log of how often I verbally spell an email address.

It would be a grave mistake for us to say: we're going to help the
typical user, and oh by-the-way, we'll just assume verbally saying
email addresses is not common.  Because if it is, then any solution
based on that assumption will not be adopted, and will therefore not
help the fabled typical user.

If we went down the road of: well verbal transmission is rare and
hard, but introductions through cc headers are easy to hook into, so
we'll only support some uses, then we're creating a solution where
users will be easily confused as to the security properties of an
email address.


 Publication is usually on-line, so contact addresses can be arbitrary 
 links.  When we meet in person, we can exchange large numbers of bits between 
 our smartphones.  Hell, even a business card can easily have a QR code on the 
 back.

So I want to highlight something here: "usually" may be accurate, if
we are counting number of transmissions of email addresses over
time.  Perhaps more and more of that traffic, by volume, is through
automated systems, relieving the burden of users saying, typing, or
otherwise dealing with the string contents.

However, I believe such email transmissions are not at all equal in
importance.  For example, if someone just verbally told me their email
address, there's a great chance this is much more important than when
I receive h...@techsupport.example.com over http by going to my
broken product's website.



 Suppose, as in Bitcoin, my email address *is* my public key.  If you wanted 
 to send me email, you'd have a routing problem - but I could even give you 
 hints:  My address would be leich...@lrw.com:public key.  You can try there 
 first, or you can look up my public key in some global dictionary.  An 
 attacker could get your mail to me to go to them, but they can't read it - 
 you already know my public key, so only *I* can read it.  The only attack 
 they can mount is a denial of service.  I can have any number of public keys, 
 and all published routes to me may go through a mix - so I can minimize 
 metadata leakage.

 The assumption that initial contact information has to be something 
 human-processable creates the whole how do I securely map contact 
 information to a key problem.  Flip it around and that problem vanishes.

This assumption does *not* create a problem.  The problem exists out
in the world where billions of people use technology based on the
understandings and habits they learned from past experience.

The problem out in the world doesn't vanish no matter what
simplifying assumptions we might make on this list.

A counter to my position here is that maybe a solution needn't be used
by everyone initially.  If it's sufficiently usable and has any kind
of networking effect, its use can spread over the population.  I can't
think of any networking effect for privacy or authentication that's
readily apparent to users, and which is backwards compatible with
existing use.  I'd love to hear suggestions though!

Yet another counter is that maybe a solution needn't be used by a
given user in every case, for example by suffixing key material to
addresses in some automatable situations like you suggest.  If the
goal is authenticating humans to one another, this may not be very
successful without massive user education (I'm reminded of http vs
https indicators in browser UIs).  If, OTOH, the goal is as much
resistance to 

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-29 Thread Phillip Hallam-Baker
On Thu, Aug 29, 2013 at 3:31 PM, Callme Whatiwant nejuc...@gmail.com wrote:

 Hello, I'm new here, so I apologize if I'm repeating past arguments or
 asking old questions.


 On Tue, Aug 27, 2013 at 8:52 PM, Jerry Leichter leich...@lrw.com wrote:
 
  On Aug 27, 2013, at 9:48 PM, Perry E. Metzger wrote:
 
  On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
  wen...@pelicancrossing.net wrote:
  On 08/27/2013 18:34, ianG wrote:
  Why do we need the 1980s assumption of being able to send freely
  to everyone, anyway?
 
  It's clear you're not a journalist or working in any other
  profession where you actually need to be able to communicate
  spontaneously with strangers.
 
  Of course, as a reporter, you are probably getting email addresses of
  people to talk to via referral, and that could be used to get past the
  barrier. The problem of people spontaneously contacting a published
  address is harder.
  Actually, it isn't, or shouldn't be.  Email addresses were originally
 things you typed into a terminal.  They had to be short, memorable, and
 easy to type.  Published meant printed on paper, which implied typing
 the thing back in.
 
  But none of that matters much any more.

 This is (anecdotally) completely untrue.

 A great way to experience this personally is to start using a
 strange email address, like mine.  You quickly realize how often you
 *say* or *write on paper* your email address.  Because my email
 address is odd, almost every time I say it, the listener asks me to
 spell it.  I suspect if I could just say bob at gmail I wouldn't
 notice how often this occurs.


I have enough problems with mine. hal...@gmail.com, someone else registered
hal...@gmail.com.


But more generally, I want to make it easy for people to send me email. If
they already have my address then it does not matter how easy it would be
to add an encryption key, the opportunity to do so has passed.

What I did realize would be useful is some sort of verification code. So
this morning I was arranging a delivery of a screw for the shower. I give
them the email address but they were going to do hallambaker@gmail.com instead.

So it would be nice if there was a code that someone could read back to
tell you that they got the address right. It does not need to be
particularly long, two maybe three letters. Just enough to provide a
confirmation.


And extending the concept. Let us imagine that I have a separate email
address that I am only going to use for online purchases and that I have
filled out a delivery address form somewhere for it and that agent will
only give out the address to a party that presents an EV certificate to
show that they are accountable and keep a record of everyone who asks.

This does not really raise particular confidentiality concerns to me
because it is simply a form of compression. My delivery addresses appear
many times in my email inbox; I have a new entry every time I buy something
online. If the mails travel through my ISP's server they will get that info
soon enough (unless the sender encrypts). But it would make filling in
online forms a lot easier and less error prone.



-- 
Website: http://hallambaker.com/
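Phillip's read-back confirmation code, as an added example that is not his or Comodo's code: a few letters derived from a digest of the normalised address, so the person at the other end can read them back and both sides learn whether the address was taken down correctly, together with the odds that a mistyped address slips through. The near-miss address, the 32-letter alphabet and the function names are constructed for this demo.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"strings"
)

// codeAlphabet is the RFC 4648 base32 symbol set in lower case: 32 symbols,
// so each letter of the code carries 5 bits.
const codeAlphabet = "abcdefghijklmnopqrstuvwxyz234567"

// Normalize folds away differences that are not typos: surrounding space and
// letter case (domains are case-insensitive and mailbox names are in practice).
func Normalize(addr string) string {
	return strings.ToLower(strings.TrimSpace(addr))
}

// CheckCode returns n letters (1..6) taken from the leading bits of the
// SHA-256 digest of the normalised address.
func CheckCode(addr string, n int) string {
	if n < 1 || n > 6 {
		panic("code length must be 1..6 letters")
	}
	sum := sha256.Sum256([]byte(Normalize(addr)))
	bits := uint64(sum[0])<<24 | uint64(sum[1])<<16 | uint64(sum[2])<<8 | uint64(sum[3])
	out := make([]byte, 0, n)
	for i := 0; i < n; i++ {
		idx := (bits >> (32 - 5*uint(i+1))) & 31 // next 5-bit group from the top
		out = append(out, codeAlphabet[idx])
	}
	return string(out)
}

// Matches reports whether the code read back over the phone agrees with the
// code for the address the other side actually typed.
func Matches(typedAddr, spokenCode string) bool {
	spoken := strings.ToLower(strings.TrimSpace(spokenCode))
	return CheckCode(typedAddr, len(spoken)) == spoken
}

// FalseMatchOdds is the chance that a wrongly typed address happens to
// produce the same n-letter code: 32^-n.
func FalseMatchOdds(n int) float64 { return math.Pow(32, -float64(n)) }

func main() {
	right := "hallambaker@gmail.com" // the address from the message above
	typo := "hallam.baker@gmail.com" // constructed near miss
	code := CheckCode(right, 3)
	fmt.Printf("say: %q, check code %q\n", right, code)
	fmt.Printf("they typed %q -> code %q, matches? %v\n", typo, CheckCode(typo, 3), Matches(typo, code))
	fmt.Printf("they typed %q -> matches? %v\n", "HallamBaker@Gmail.com", Matches("HallamBaker@Gmail.com", code))
	fmt.Printf("a wrong address slips through 2 letters 1 in %.0f, 3 letters 1 in %.0f\n",
		1/FalseMatchOdds(2), 1/FalseMatchOdds(3))
}
```

Two or three letters give roughly 1 in 1000 to 1 in 32000 odds of a wrong address going unnoticed, which is the level of assurance the message asks for; it is a transcription check, not an authentication of either party.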

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-29 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Aug 29, 2013, at 3:43 AM, Jerry Leichter leich...@lrw.com wrote:

 - If I need to change because the private key was compromised, there's 
 nothing I can do about past messages; the question is what I do to minimize 
 the number of new messages that will arrive with a now-known-insecure key.  
 This was the case I assumed the previous poster was concerned with.

Personally, I think you shouldn't worry about this.

The real sin is getting an attachment to a key. You are much better off 
developing a philosophy of key management in which you use it and then get rid 
of it regularly. 

If you do this reasonably well, it reduces the chance that a key will get 
compromised because its aegis, footprint, shadow, etc. is small. It also 
reduces the effect because most likely it takes more time to break the key than 
its lifetime; I consider hacking the key, stealing it, etc. to be a form of 
breaking. Stealing a key through a 'sploit is also cryptanalysis.

Be Buddhist about your keys and have no attachments. (This is also a good 
philosophy about mail, but that's a different discussion.)

 - As I outlined things, there was never a reason you couldn't have multiple 
 public keys, and in fact it would be a good idea to make traffic analysis 
 harder.  Adding a new key for a new facet of your electronic life is 
 trivial.

That's a fine step to a good attitude, but the effect on traffic analysis will 
be small or close to nil. Traffic analysis includes social graph analysis and 
any good social graph analysis will include probabilities that an entity will 
have different personae. Keys are just masks, too, just like a persona.

Jon



-BEGIN PGP SIGNATURE-
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSIC5MsTedWZOD3gYRAmpmAJ0UJ7K9GWo9FLSa8HR1CmSbWRZcgQCgkuif
rbTWOi5eHdxNpRzQ9VkqDBY=
=PpOZ
-END PGP SIGNATURE-


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-28 Thread danimoth
On 27/08/13 at 10:05pm, Christian Huitema wrote:
  Suppose, as in Bitcoin, my email address *is* my public key
 
 You can even use some hash compression tricks so you only need 9 or 10 
 characters to express the address as hash of the public key. 
 
 That works very well, until you have to change the public key.

.. and until someone wants to find a public key which shares the first 
10 digits of the hash with yours.


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-28 Thread Jerry Leichter

On Aug 28, 2013, at 4:24 AM, danimoth wrote:

 On 27/08/13 at 10:05pm, Christian Huitema wrote:
 Suppose, as in Bitcoin, my email address *is* my public key
 
 You can even use some hash compression tricks so you only need 9 or 10 
 characters to express the address as hash of the public key. 
 
 That works very well, until you have to change the public key.
 
 .. and until someone wants to find a public key which shares the first 
 10 digits of the hash with yours.
9 or 10 *characters*, not *digits*.  You need enough bits that, even given the 
birthday paradox, the probability of this occurring is low enough not to 
matter.  Since the birthday paradox will lead to a 50% probability of collision 
after about the square root of the number of possible values, given a 
10-character signature, that's at about 5 characters.  Way too low, for digits.
If characters are full bytes, 2^40 generated public keys is plausible, 
though perhaps uncomfortably small; and if the characters have to be 
printable - then I agree, way too low.

You could use hash compression, but the retained compressed values will have to 
be rather larger.  Say 150 bits worth, at least.

On the underlying matter of changing my public key:  *Why* would I have to 
change it?  It's not, as today, because I've changed my ISP or employer or some 
other random bit of routing information - presumably it's because my public key 
has been compromised.  That's a disaster no matter how I identify myself, one 
that's very difficult to recover from - pretty much impossible unless (a) 
there's some way to revoke a key (yes, we've had problems with getting that to 
work even in the current PKI environment, but there's no real alternative); (b) 
I've prepared for the eventuality.  Given (a), I can send out a signed 
revocation message.  (So can the attacker, but presumably he had bigger plans 
for the key than just killing it.)  Given (b), I have pre-shared one or more 
replacement keys that I still trust, and my revocation can name the one to put 
into use.  (Of course, it cannot introduce a brand new key!)  Done this way, my 
response to key compromise is no different from normal key rollover.

-- Jerry

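Jerry's arithmetic worked through, as an added example and not code from the list: the entropy of a 10-character truncated hash under several alphabets, the birthday bound after which some pair of generated keys share a truncated hash, the larger cost of matching one specific address (the case danimoth raises, which gets no birthday discount), and how many printable characters a 150-bit retained value needs. The encoding names and helper functions are this example's own.

```go
package main

import (
	"fmt"
	"math"
)

// Encoding is the symbol set an address character is drawn from.
type Encoding struct {
	Name  string
	Width float64 // distinct symbols per character
}

var (
	Digits    = Encoding{"decimal digits", 10}
	Base32    = Encoding{"base32 (printable, case-insensitive)", 32}
	Base62    = Encoding{"alphanumeric", 62}
	FullBytes = Encoding{"full 8-bit bytes", 256}
)

// Bits is the entropy carried by k characters of this encoding: k * log2(width).
func (e Encoding) Bits(k int) float64 { return float64(k) * math.Log2(e.Width) }

// CharsFor is the smallest k such that k characters carry at least `bits` of entropy.
func (e Encoding) CharsFor(bits float64) int {
	return int(math.Ceil(bits / math.Log2(e.Width)))
}

// BirthdayLog2 is log2 of the number of keys generated before some pair of
// truncated hashes coincides with probability 1/2: n ~ sqrt(2 ln2 * 2^bits),
// a little over the plain square root Jerry cites.
func BirthdayLog2(bits float64) float64 {
	return bits/2 + 0.5*math.Log2(2*math.Ln2)
}

// TargetedLog2 is log2 of the expected work to hit one given address, i.e. to
// find a key whose truncated hash equals yours: there is no birthday effect,
// so it is the full 2^bits.
func TargetedLog2(bits float64) float64 { return bits }

// CollisionProbability is the chance that n random values drawn from a space
// of 2^bits contain at least one duplicate: 1 - exp(-n^2 / 2^(bits+1)).
func CollisionProbability(n, bits float64) float64 {
	return 1 - math.Exp(-n*n/math.Exp2(bits+1))
}

func main() {
	const k = 10
	fmt.Printf("%-36s %6s %15s %15s\n", "10-character address as", "bits", "birthday (log2)", "targeted (log2)")
	for _, e := range []Encoding{Digits, Base32, Base62, FullBytes} {
		b := e.Bits(k)
		fmt.Printf("%-36s %6.1f %15.1f %15.1f\n", e.Name, b, BirthdayLog2(b), TargetedLog2(b))
	}
	fmt.Printf("\ncharacters for a 150-bit retained value: base32 %d, alphanumeric %d, bytes %d\n",
		Base32.CharsFor(150), Base62.CharsFor(150), FullBytes.CharsFor(150))
	n := math.Exp2(BirthdayLog2(FullBytes.Bits(k)))
	fmt.Printf("P(some collision) after 2^%.1f keys over 80 bits: %.2f\n",
		BirthdayLog2(80), CollisionProbability(n, 80))
}
```

The table makes the two attacks easy to tell apart: 10 full bytes give 80 bits, so any-pair collisions show up after about 2^40 keys while hitting one chosen address stays at 2^80; with digits the same 10 characters carry only 33 bits, and the 150-bit value Jerry suggests needs 26 alphanumeric or 30 base32 characters.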


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-28 Thread Jonathan Thornburg
On Wed, 28 Aug 2013, Jerry Leichter wrote:
 On the underlying matter of changing my public key:  *Why* would I have
 to change it?  It's not, as today, because I've changed my ISP or employer
 or some other random bit of routing information - presumably it's because
 my public key has been compromised.

Maybe it's because you've forgotten the passphrase guarding the
corresponding private key?

Or because you'd like to do the electronic equivalent of change my name,
start [this facet of] my electronic life over?

-- 
-- Jonathan Thornburg jth...@astro.indiana.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Phill

On Aug 26, 2013, at 5:27 PM, The Doctor dr...@virtadpt.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 08/26/2013 08:46 AM, Phillip Hallam-Baker wrote:
 
 Which is why I think Ted Lemon's idea about using Facebook type 
 friending may be necessary.
 
 Or Gchat-style contacts.
 
 I don't think we can rely on that for Key distribution. But I think
 it needs to be a part of the mix.
 
 What if the public key were baked into the user's public-facing
 profile in such a fashion that the client could pick it up
 automagickally but viewers just saw another link that they'd never
 click on anyway?

I am thinking that I want to make face to face exchange of keys via an iPhone 
'bump' type app possible.

Also I want to be able to use friend relationships as a spam filtering control. 
Perhaps you only want to accept encrypted email from people if you know them. 

My spam problem is a little larger than most. While I was doing anti-spam at 
VeriSign I received a quarter of the mail for the company. I have been under a 
DoS attack on my mail for a considerable time.


But in any case, at the moment we have email, IM, voice and video all as 
separate apps unless we go through a proprietary scheme when they become one. 
The missing piece for email security is key discovery. If we are going to solve 
that problem for email we should do it for all the other apps as well.


The market for secure email is going to be tiered. There will be folks like us 
who want to have full control and do a lot of the work ourselves and there will 
be people who want to buy in the expertise and then there will be institutions 
that need to outsource.

As folk probably know, I work for Comodo and so I am interested in the 
possibility of establishing an enterprise market for secure email services. But 
that is only an interesting commercial prospect if there is a chance that 
secure email will become ubiquitous. 

In the near term, the critical mass for secure email has to come from another 
sector. People concerned about PRISM seem to be the constituency most likely 
to drive adoption. Even if the threat from other sources (Iran, Russia) is 
actually greater in my view. 



 I have a protocol compiler. Just give it an abstract schema and out
 pops a server and client API library. Just need to add the code to
 implement the semantics. It is up on Sourceforge, will update later
 this week.
 
 Neat!  Link, please?

https://sourceforge.net/projects/jsonschema/

The code should be uploaded later this week or early next. Just got back from 
Europe and having some hardware issues of the expensive kind.



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread ianG

On 26/08/13 08:47 AM, Richard Clayton wrote:


Even without the recent uproar over email privacy, at some point, someone was
going to come up with a product along the following lines:  Buy a cheap,
preconfigured box with an absurd amount of space (relative to the huge amounts
of space, like 10GB, the current services give you); then sign up for a service
that provides your MX record and on-line, encrypted backup space for a small
monthly fee.  (Presumably free services to do the same would also appear,
perhaps from some of the dynamic DNS providers.)


Just what the world needs, more free email sending provision!  sigh



Right.  One of the problems with email (as pointed out in OP's original 
post) is that it is free to send *and* it can be sent to everyone.  The 
combination of these two assumptions/requirements is essential for spam.


Chat systems have pretty much killed spam by making it non-possible to 
send to everyone.  You need an introduction/invite/process/barrier, first.


This has worked pretty well.  Maybe the writing is on the wall?

Maybe we just need to let email die?

We can move email over to the 'IM technology' layer.  We can retain the 
email metaphor by simply adding it to chat clients, and by adding IM 
technology to existing email clients.  Both clients can allow us to 
write emails and send them, over their known IM channels to known contacts.


Why do we need the 1980s assumption of being able to send freely to 
everyone, anyway?




iang



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread radix42
Iang wrote:

Why do we need the 1980s assumption of being able to send freely to 
everyone, anyway?

tech.supp...@i.bought.your.busted.thing.com is one that comes to mind. 
i...@sale.me.your.thing.com is another. I think the types of prior whitelist 
only secure systems being discussed on-list here lately will in the long run 
win out with the lion's share of messages, but that bog standard 'dirty' email 
will persist for commercial interactions of the type I list above.

-David Mercer

David Mercer
Portland, OR



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Wendy M. Grossman
On 08/27/2013 18:34, ianG wrote:
 Why do we need the 1980s assumption of being able to send freely to
 everyone, anyway?

It's clear you're not a journalist or working in any other profession
where you actually need to be able to communicate spontaneously with
strangers.

wg
-- 
www.pelicancrossing.net -- all about me
Twitter: @wendyg


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Greg Broiles
On Tue, Aug 27, 2013 at 2:04 PM, Wendy M. Grossman 
wen...@pelicancrossing.net wrote:

 It's clear you're not a journalist or working in any other profession
 where you actually need to be able to communicate spontaneously with
 strangers.


And if the people who attacked the NY Times' DNS today had chosen to
replace the NY Times' MX records with pointers to their own mailserver . .
.  communications intended for journalists would be in the hands of the
Syrian Electronic Army, or whoever's actually responsible for the hack.

Unencrypted E-mail is going to result in someone's death pretty quickly, if
it hasn't already.

-- 
Greg Broiles
gbroi...@gmail.com (Lists only. Not for confidential communications.)

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Phillip Hallam-Baker
On Tue, Aug 27, 2013 at 5:04 PM, Wendy M. Grossman 
wen...@pelicancrossing.net wrote:

 On 08/27/2013 18:34, ianG wrote:
  Why do we need the 1980s assumption of being able to send freely to
  everyone, anyway?

 It's clear you're not a journalist or working in any other profession
 where you actually need to be able to communicate spontaneously with
 strangers.


True, but you are probably willing to tolerate a higher level of spam
getting through in that case.

One hypothesis that I would like to throw out is that there is no point in
accepting encrypted email from someone who does not have a key to encrypt
the response.



-- 
Website: http://hallambaker.com/

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread radix42
Phillip Hallam-Baker wrote:
One hypothesis that I would like to throw out is that there is no point in 
accepting encrypted email from someone who does not have a key to encrypt 
the response.

I'd agree, as I was in just this position in the last week or so: I got a gpg 
encrypted email from someone I had no key for, and I haven't cut or circulated 
one in a very long while (my bad, as it were, on the latter point). So what's 
the point in even getting a key from them at that point, after the fact? They 
ARE not many 'hops' away from me in a web of trust sense so far as knowing 
people in person, but without having keys exchanged ahead of time, it's all 
moot. As I'm sure this list already knows. Just re-iterating the point made 
here in various ways that key exchange is THE big problem in all of this.

If we can usably crack that nut with 'house servers' on a dongle, we're most of 
the way there wrt secure email, IMNSHO.

Zooko's triangle, pet names...we have cracked the THEORY of secure naming, just 
not the big obstacle of key exchange. And I don't think the wider public was 
concerned/scared enough to care before Snowden. Let's hope they care long 
enough to adopt any viable solutions to the problem that might pop up in the 
wake of all this. The traffic on this list the past week is a very welcome 
thing.

-David Mercer

David Mercer
Portland, OR


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 21:33:01 + radi...@gmail.com wrote:
 Iang wrote:
 
 Why do we need the 1980s assumption of being able to send freely
 to everyone, anyway?
 
 tech.supp...@i.bought.your.busted.thing.com is one that comes to
 mind. i...@sale.me.your.thing.com is another. I think the types of
 prior whitelist only secure systems being discussed on-list here
 lately will in the long run win out with the lion's share of
 messages, but that bog standard 'dirty' email will persist for
 commercial interactions of the type I list above.

On the other hand, tech.support@sillycompany could just accept all
contact requests, at least temporarily.

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
wen...@pelicancrossing.net wrote:
 On 08/27/2013 18:34, ianG wrote:
  Why do we need the 1980s assumption of being able to send freely
  to everyone, anyway?
 
 It's clear you're not a journalist or working in any other
 profession where you actually need to be able to communicate
 spontaneously with strangers.

Of course, as a reporter, you are probably getting email addresses of
people to talk to via referral, and that could be used to get past the
barrier. The problem of people spontaneously contacting a published
address is harder.

I don't claim to have all the answers, but experimentation will
probably tell us a lot more than simply thinking in the abstract.

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Peter Saint-Andre
On 8/27/13 7:48 PM, Perry E. Metzger wrote:
 On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
 wen...@pelicancrossing.net wrote:
 On 08/27/2013 18:34, ianG wrote:
 Why do we need the 1980s assumption of being able to send freely
 to everyone, anyway?

 It's clear you're not a journalist or working in any other
 profession where you actually need to be able to communicate
 spontaneously with strangers.
 
 Of course, as a reporter, you are probably getting email addresses of
 people to talk to via referral, and that could be used to get past the
 barrier.

And that's how friend-of-friend stuff is happening now (LinkedIn and the
like). In a way the old-fashioned letter of introduction had a lot to
recommend it. :-)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Peter Saint-Andre
On 8/27/13 7:45 PM, Perry E. Metzger wrote:
> On Tue, 27 Aug 2013 21:33:01 + radi...@gmail.com wrote:
>> Iang wrote:
>>
>>> Why do we need the 1980s assumption of being able to send freely
>>> to everyone, anyway?
>>
>> tech.supp...@i.bought.your.busted.thing.com is one that comes to
>> mind. i...@sale.me.your.thing.com is another. I think the types of
>> prior whitelist only secure systems being discussed on-list here
>> lately will in the long run win out with the lion's share of
>> messages, but that bog standard 'dirty' email will persist for
>> commercial interactions of the type I list above.
>
> On the other hand, tech.support@sillycompany could just accept all
> contact requests, at least temporarily.

Realistically they all have a web-based contact form these days anyway.
Similarly, they all have live web-based chat systems that don't require
opening up more broadly. HTTP is the new TCP and all that.

For truly federated communication (BigRetailer wants its employees to
exchange messages with smaller companies in its supply chain), a more
open technology is needed, but we have those for email and IM.

However, we're off-topic for what's truly important here: not enterprise
email and IM, but secure technologies for individuals.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Jerry Leichter

On Aug 27, 2013, at 9:48 PM, Perry E. Metzger wrote:

> On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
> wen...@pelicancrossing.net wrote:
>> On 08/27/2013 18:34, ianG wrote:
>>> Why do we need the 1980s assumption of being able to send freely
>>> to everyone, anyway?
>>
>> It's clear you're not a journalist or working in any other
>> profession where you actually need to be able to communicate
>> spontaneously with strangers.
>
> Of course, as a reporter, you are probably getting email addresses of
> people to talk to via referral, and that could be used to get past the
> barrier. The problem of people spontaneously contacting a published
> address is harder.
Actually, it isn't, or shouldn't be.  Email addresses were originally things 
you typed into a terminal.  They had to be short, memorable, and easy to type.  
Published meant printed on paper, which implied typing the thing back in.

But none of that matters much any more.  Publication is usually on-line, so 
contact addresses can be arbitrary links.  When we meet in person, we can 
exchange large numbers of bits between our smartphones.  Hell, even a business 
card can easily have a QR code on the back.

Suppose, as in Bitcoin, my email address *is* my public key.  If you wanted to 
send me email, you'd have a routing problem - but I could even give you hints:  
My address would be leich...@lrw.com:public key.  You can try there first, or 
you can look up my public key in some global dictionary.  An attacker could get 
your mail to me to go to them, but they can't read it - you already know my 
public key, so only *I* can read it.  The only attack they can mount is a 
denial of service.  I can have any number of public keys, and all published 
routes to me may go through a mix - so I can minimize metadata leakage.

The assumption that initial contact information has to be something 
human-processable creates the whole "how do I securely map contact information 
to a key" problem.  Flip it around and that problem vanishes.

-- Jerry

>
> I don't claim to have all the answers, but experimentation will
> probably tell us a lot more than simply thinking in the abstract.
>
> -- 
> Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Christian Huitema
> Suppose, as in Bitcoin, my email address *is* my public key

You can even use some hash compression tricks so you only need 9 or 10 
characters to express the address as hash of the public key. 

That works very well, until you have to change the public key.

-- Christian Huitema
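Jerry's key-as-address scheme and Christian's hash-compressed form of it, as an added example that is not code from either post: the address carries a routing hint plus a 10-character base32 commitment to the key, and whatever key the route or a directory hands back is checked against that commitment before use. The key bytes, the address format and the function names are all constructed here; no real keys are involved.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# 10 base32 characters carry 50 bits of the SHA-256 digest (Christian's
# "9 or 10 characters"). Finding a key whose id matches a chosen address is
# a second-preimage search of roughly 2^50 hashes, so this length is a
# usability compromise, not a long-term security margin.
ID_CHARS = 10


def key_id(pubkey: bytes, chars: int = ID_CHARS) -> str:
    """Truncated, lower-case base32 SHA-256 of the public key bytes."""
    digest = hashlib.sha256(pubkey).digest()
    return base64.b32encode(digest).decode("ascii").lower()[:chars]


def make_address(route: str, pubkey: bytes) -> str:
    """Routing hint plus key commitment, e.g. 'alice@example.org:xxxxxxxxxx'."""
    return f"{route}:{key_id(pubkey)}"


def parse_address(address: str) -> tuple[str, str]:
    """Split into (route, key id); reject anything that is not well-formed."""
    route, sep, kid = address.rpartition(":")
    if not sep or "@" not in route or len(kid) != ID_CHARS:
        raise ValueError(f"malformed address: {address!r}")
    return route, kid


def key_matches(address: str, presented_pubkey: bytes) -> bool:
    """Check a key obtained from the route (or a directory) against the
    commitment before encrypting to it. A wrong key, whether an attacker's
    or the recipient's own rotated key, is rejected, so a hijacked route
    can at most cause denial of service, as Jerry's post says."""
    _, kid = parse_address(address)
    return hmac.compare_digest(kid, key_id(presented_pubkey))


# Constructed stand-ins for public keys (fixed random-looking bytes, not real keys).
ALICE_KEY_V1 = hashlib.sha256(b"constructed key material v1").digest()
ALICE_KEY_V2 = hashlib.sha256(b"constructed key material v2").digest()
ALICE_ADDRESS = make_address("alice@example.org", ALICE_KEY_V1)


if __name__ == "__main__":
    print(ALICE_ADDRESS)
    print("v1 accepted:", key_matches(ALICE_ADDRESS, ALICE_KEY_V1))
    # Christian's caveat: rotating the key changes the id, so every
    # previously published address goes stale.
    print("v2 accepted:", key_matches(ALICE_ADDRESS, ALICE_KEY_V2))
    print("new address:", make_address("alice@example.org", ALICE_KEY_V2))
```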


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Richard Clayton
In message fdd34a58-6ce6-497a-a177-b940d36d0...@lrw.com, Jerry Leichter
leich...@lrw.com writes

> On the flip side, mail systems like gMail or Yahoo mail are complex and 
> difficult to run *exactly because they are immense*.

The mail systems part is really rather simple... and pretty much looks
after itself. That's not where all the employees work.

> But what are they getting for that size?  There are no economies of scale 
> here - in fact, there are clear *dis*economies.

... the economy of scale is in identifying and routing spam of various
kinds. Some can be detected a priori -- the majority of the detection
relies on feedback from users (the chances are that someone else got the
bad mail before you did, so it can be arranged that you are not bothered)

> Even without the recent uproar over email privacy, at some point, someone was 
> going to come up with a product along the following lines:  Buy a cheap, 
> preconfigured box with an absurd amount of space (relative to the huge amounts 
> of space, like 10GB, the current services give you); then sign up for a service 
> that provides your MX record and on-line, encrypted backup space for a small 
> monthly fee.  (Presumably free services to do the same would also appear, 
> perhaps from some of the dynamic DNS providers.)  

Just what the world needs, more free email sending provision!  sigh

> What's the value add of one of the giant providers?

If you run your own email system then you'll rapidly find out what
2013's spam / malware problem looks like.

Just as success in crypto deployment isn't about algorithms or file
formats, success in mail handling isn't about MX records and MTAs.

-- 
richard  Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Perry E. Metzger
On Mon, 26 Aug 2013 06:47:49 +0100 Richard Clayton
rich...@highwayman.com wrote:
> If you run your own email system then you'll rapidly find out what
> 2013's spam / malware problem looks like.

This is slightly off topic, but...

As it happens, I run my own email system (and run email for a few
other people at the same time.) My email address is also very very
widely published, so I'm on virtually every spam list in existence.
Thus, I'm reasonably qualified to speak on this.

Things work pretty well, and I spend essentially no time on
required maintenance.

Malware is not a problem. Viruses by email haven't been
prevalent for a while anyway, but because I block all windows
executable formats in attachments at the SMTP server, back when they
were common, none of that traffic got through. 100% coverage.

For spam, I use a couple of reliable RBLs, a few simple block rules,
and spamassassin for postprocessing. I get almost everything. About
ten spams a day get through to me, but on the other hand, I get
hundreds of legitimate messages on an average day and my address is
_very_ widely published.

I think that a zero maintenance box that handles this is probably
doable. One could also set up a peer to peer blacklisting/spam
reporting and detection system that would reduce the problem further
without individual work.

All that said, there is a good reason that I proposed that in the
long run, whitelist only systems like Jabber and Facebook messaging
are a better model.


-- 
Perry E. Metzger  pe...@piermont.com
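Perry's rule of blocking Windows executable formats in attachments at the SMTP server, as an added example that is not Perry's own configuration: a policy check over a parsed message that rejects by file extension and, for executables renamed to look harmless, by the PE "MZ" header. The extension list, function names and sample messages are constructed here.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly from a double-click (illustrative, not exhaustive).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".dll"}
# Every PE executable starts with the DOS "MZ" stub, so a renamed .exe is
# still recognisable by content.
PE_MAGIC = b"MZ"


def attachment_verdicts(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment the policy rejects.

    Only two checks are made: the file extension and the PE magic. Archives
    and macro documents are deliberately out of scope; opening those is where
    scanners acquire the complexity the rest of the thread warns about.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    rejected = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            continue  # body text, not an attachment
        data = part.get_payload(decode=True) or b""
        _, ext = os.path.splitext(filename.lower())  # "Invoice.PDF.exe" -> ".exe"
        if ext in BLOCKED_EXTENSIONS:
            rejected.append((filename, "blocked extension"))
        elif data.startswith(PE_MAGIC):
            rejected.append((filename, "PE header under harmless name"))
    return rejected


def should_reject(raw_message: bytes) -> bool:
    """Whole-message decision an SMTP-time filter would act on."""
    return bool(attachment_verdicts(raw_message))


def build_sample_message() -> bytes:
    """Constructed sample: a body, one benign attachment and two executables."""
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # constructed, not a real binary
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Invoice.PDF.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="report.dat")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed sample with only a text attachment; must pass."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "clean sample"
    msg.set_content("Nothing to see.")
    msg.add_attachment("quarterly figures", filename="figures.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in attachment_verdicts(build_sample_message()):
        print(f"reject {name}: {reason}")
    print("clean message rejected:", should_reject(build_clean_message()))
```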


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Moritz
Hi,

On 26.08.2013 00:28, Perry E. Metzger wrote:
> We probably don't want any sort of central service running this
> network that could be easily disrupted, so identifier to IP address
> information should probably be stored in some big honking DHT, signed
> in the ID's key. Access to the DHT probably should happen in some
> privacy preserving way, possibly through the mix network itself or a
> PIR protocol.

Hashing it out in public: Common failure modes of DHT-based anonymity
schemes

by Andrew Tran, Nicholas Hopper, and Yongdae Kim.
In the Proceedings of the Workshop on Privacy in the Electronic Society
(WPES 2009), Chicago, IL, USA, November 2009.

http://freehaven.net/anonbib/#wpes09-dht-attack

We examine peer-to-peer anonymous communication systems that
use Distributed Hash Table algorithms for relay selection. We show
that common design flaws in these schemes lead to highly effective
attacks against the anonymity provided by the schemes. These
attacks stem from attacks on DHT routing, and are not mitigated by
the well-known DHT security mechanisms due to a fundamental
mismatch between the security requirements of DHT routing's
put-get functionality and anonymous routing's relay selection
functionality.

[...]

CONCLUSION

The anonymity literature, including all of the schemes
investigated here, is replete with claims that a peer-to-peer architecture is
necessary in order to construct a scheme that will work at Internet
scale. Distributed Hash Tables offer a scalable architecture for
organizing and finding peers, and thus appear to be an obvious choice
of peer-to-peer architecture. However, as we have shown there is
not a clear bijection between the security and robustness
requirements of a DHT's put-get interface and an anonymity scheme's
relay selection mechanism. This leads to severe vulnerabilities in
the existing schemes based on DHTs, limiting the deployability of
such schemes. The critical question for future work in this line
of research is whether a "DHT-like" algorithm can be designed to
meet the specific requirements - in terms of privacy, availability,
and correctness - of an anonymity scheme.



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Jerry Leichter
On Aug 26, 2013, at 10:14 AM, Perry E. Metzger pe...@piermont.com wrote:

> On Mon, 26 Aug 2013 06:47:49 +0100 Richard Clayton
> rich...@highwayman.com wrote:
>> If you run your own email system then you'll rapidly find out what
>> 2013's spam / malware problem looks like.
>
> This is slightly off topic, but...
>
> As it happens, I run my own email system (and run email for a few
> other people at the same time.) My email address is also very very
> widely published, so I'm on virtually every spam list in existence.
> Thus, I'm reasonably qualified to speak on this.
>
> Things work pretty well, and I spend essentially no time on
> required maintenance.
This is my experience as well.

My primary email address is actually served by a small ISP whose spam filter I 
don't trust - too many false positives.  Actually, I have yet to see a spam 
filter I *do* trust.  So I've configured my account at the ISP to mark what it 
thinks is spam in the subject line but then pass it through.  My primary spam 
filtering is from Mail.app - but I manually check everything in my Junk mailbox 
before tossing it.  I see every message it thinks is spam, everything my ISP 
thinks is spam, and everything they think is ham as well.  (Mail.app has no 
idea what the ISP's Spam marking means, but presumably adds it as an element 
in its own decisions.)

Like Perry's, my email address has been the same for a while (25 years or so, 
in my case - it was initially delivered via UUCP) and has been widely 
distributed.

My experience is that Mail.app's junk filtering is rather good, producing a 
small number of false positives and negatives.  My ISP's filtering is 
considerably worse.  Reviewing my junk mail is no big deal.

Way back when, I used to get an overwhelming amount of spam.  Looking at it, 
the cause became clear:  I own lrw.com, and have the only mailbox there.  I had 
set it up to forward mail sent to any user at lrw.com to me.  I never got 
anything useful that way - but I got *tons* of spam.  Simply black-holing 
anything not sent specifically to leich...@lrw.com cut the load *way* down.

Keep in mind that one of the starting points of this discussion was how to 
implement mail that was proof against PRISM-like bulk monitoring.  That rules 
out solutions in which a central server has access to the cleartext of your 
mail to do spam scanning anyway.

If people were willing to send definite spam to a central server, and accept 
consensus updates to their spam filter in response, there's no reason why the 
same algorithms that the big guys currently run couldn't be combined with local 
scanning.  (At least you could safely send examples of spam.  Sending ham is 
more problematic.  And one could speculate about the kinds of attacks that 
targeted spam, together with monitoring of when it gets noticed and sent back 
to the service, could enable.)

-- Jerry



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Ray Dillinger

On 08/25/2013 03:28 PM, Perry E. Metzger wrote:

> So, imagine that we have the situation described by part 1 (some
> universal system for mapping name@domain type identifiers into keys
> with reasonable trust) and part 2 (most users having some sort of
> long lived $40 device attached to their home network to act as a
> home server.)

My main issue with this proposal is that somebody identifiable is going
to manufacture these boxes.  Maybe several somebodies, but IMO, that's
an identifiable central point of control/failure.  If this is deployed,
what could an attacker gain by compromising the manufacturers, via sabotage,
component modification/substitution at a supplier's chip fab, or via
secret court order from a secret court operating according to a secret
interpretation of the law?

Bear



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Ray Dillinger

On 08/25/2013 08:32 PM, Jerry Leichter wrote:

> Where
> mail servers have gotten into trouble is when they've tried to provide
> additional services - e.g., virus scanners, which then try to look
> inside of complex formats like zip files.  This is exactly the kind
> of thing you want to avoid - another part of the mission creep that
> we tend to see in anything that runs on a general-purpose computer.


Absolutely agreed; the most reliable things are the least complex.

> That's 20th century thinking:  The computer is expensive, keep
> it busy.  Twenty first century thinking should be:  The computer
> is cheap - leave it alone to do its job securely.


My thinking is more like: The computer has a multitasking OS.  Whatever
else it needs to be doing will be in another process.  So you lose nothing
if you keep each process simple.  Or if it's a single-purpose box intended
to provide security; don't dilute its purpose.  Keep it simple enough that
even installations of it in the wild, after unknown handling and in all
possible configurations, can be unambiguously, easily, and exhaustively
tested so you know they're doing exactly what they should be and no more.

> Realistically, it will be impossible to get little appliances like
> this patched on a regular basis - how many people patch their WiFi
> routers today? - so better to design on the assumption there won't
> be any patches.


Also agreed; online patches are the number one distribution vector of
malware that such a device would need to be worried about. Firstly
because whoever can issue such a patch is a central point of control/
failure and can be coerced.  So send it out with an absolutely sealed
kernel.

Bear


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Perry E. Metzger
On Mon, 26 Aug 2013 10:40:17 -0700 Ray Dillinger b...@sonic.net
wrote:
> On 08/25/2013 03:28 PM, Perry E. Metzger wrote:
>
>> So, imagine that we have the situation described by part 1 (some
>> universal system for mapping name@domain type identifiers into
>> keys with reasonable trust) and part 2 (most users having some
>> sort of long lived $40 device attached to their home network to
>> act as a home server.)
>
> My main issue with this proposal is that somebody identifiable is
> going to manufacture these boxes.  Maybe several somebodies, but
> IMO, that's an identifiable central point of control/failure.

One can use a commercial PC if one wants to install on one's own, or
any one of many manufacturers of small boxes. It is certainly the case
that if the hardware layer can be attacked, all is lost. On the other
hand, if we presume supply chain attacks, all is lost anyway -- once
you control the computer, the protocols it is running don't matter.
Even keyboards can be suborned -- see Gaurav Shah's work on that, for
example.

I would prefer not to try to solve that problem right now -- it is
too broad and too general. If others can solve it, that's of course a
great thing. :)

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Eugen Leitl
On Mon, Aug 26, 2013 at 02:44:32PM -0400, Perry E. Metzger wrote:

>> My main issue with this proposal is that somebody identifiable is
>> going to manufacture these boxes.  Maybe several somebodies, but
>> IMO, that's an identifiable central point of control/failure.

Recently there's a trend for at least somewhat open hardware 
(Raspberry Pi, other ARM systems, Parallella Epiphany) some of
which contain enough FPGA real estate (sure, we know there 
are FPGA backdoors, but) so that you could boot up an open
core soft CPU, and even bootstrap your own toolchain from
scratch.

> One can use a commercial PC if one wants to install on one's own, or
> any one of many manufacturers of small boxes. It is certainly the case

In principle an FPGA die is regular, and hence more easily
inspectable, but even SoCs can be sampled by reverse-engineering
them from the metal layers. 

> that if the hardware layer can be attacked, all is lost. On the other
> hand, if we presume supply chain attacks, all is lost anyway -- once
> you control the computer, the protocols it is running don't matter.
> Even keyboards can be suborned -- see Gaurav Shah's work on that, for
> example.

We need open, fully inspectable systems. If proving code, or
at least, auto-generating code from state machines catches on
in open source the number of exploitable vulnerabilities can
be greatly diminished.

> I would prefer not to try to solve that problem right now -- it is
> too broad and too general. If others can solve it, that's of course a
> great thing. :)


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread The Doctor
On 08/26/2013 08:46 AM, Phillip Hallam-Baker wrote:

> Which is why I think Ted Lemon's idea about using Facebook type 
> friending may be necessary.

Or Gchat-style contacts.

> I don't think we can rely on that for Key distribution. But I think
> it needs to be a part of the mix.

What if the public key were baked into the user's public-facing
profile in such a fashion that the client could pick it up
automagickally but viewers just saw another link that they'd never
click on anyway?

> I have a protocol compiler. Just give it an abstract schema and out
> pops a server and client API library. Just need to add the code to
> implement the semantics. It is up on Sourceforge, will update later
> this week.

Neat!  Link, please?

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Who are you?



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Peter Saint-Andre
On 8/26/13 8:14 AM, Perry E. Metzger wrote:

> there is a good reason that I proposed that in the
> long run, whitelist only systems like Jabber and Facebook messaging
> are a better model.

As one of those Jabber guys, I agree. :-)

Perry, thanks for starting some very interesting threads here -- I'll
post more soon.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-25 Thread Christian Huitema
I think we can agree that the first step is to deploy home servers, and that
the first application there would be to host communication applications. Just
doing that without much other change would already provide protection
against the silent spying that goes on in big cloud servers.

Initial deployment of anything must provide an immediate reward to the early
adopters. You cannot rely on a network effect, and that means you can
certainly not request third parties to adopt a new protocol. So better pinch
our noses and say that, of course, we will accept SMTP mail. Probably SIP as
well, and XMPP. We just need at first to make sure that the home server is
easy to deploy and maintain. Then the adopters get the immediate reward,
nobody can go through my mail archives without asking me.

The various P2P enhancements come next, once there already is a network of
home servers. The obvious one is a communication application that beats
traffic analysis by embedding its own shuffling or onion routing. I
don't think we can run anything like that directly on a phone, it would
drain the battery way too quickly.

-- Christian Huitema


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-25 Thread Perry E. Metzger
On Sun, 25 Aug 2013 16:04:59 -0700 Christian Huitema
huit...@huitema.net wrote:
> I think we can agree that the first step is to deploy home servers,
> and that the first application there would be to host communication
> applications. Just doing that without much other change would
> already provide protection against the silent spying that goes on
> in big cloud servers.
>
> Initial deployment of anything must provide an immediate reward to
> the early adopters. You cannot rely on a network effect, and that
> means you can certainly not request third parties to adopt a new
> protocol. So better pinch our noses and say that, of course, we
> will accept SMTP mail. Probably SIP as well, and XMPP. We just need
> at first to make sure that the home server is easy to deploy and
> maintain. Then the adopters get the immediate reward, nobody can
> go through my mail archives without asking me.

I do not disagree, and given a home server, supporting whatever
protocols are popular is merely a matter of software. One reason I
split that proposal (more to come!) into multiple messages was
because I think the issues are somewhat distinct, and home servers
would be of use regardless. 

That said, I personally don't need much of a network effect to make
things like secure IM useful to me. I exchange instant messages all
day long, but only with about a dozen people for the most part.
I don't need the whole world to switch to a new IM system for me to be
much happier, just that dozen people.

My email network is somewhat wider, but even there, I'd get
incremental benefit from a new protocol. The trick is to make it easy
to do the old and the new at the same time. Most IMAP and Jabber
clients will happily handle multiple accounts, however, so I don't
even have to choose if the client access protocol remains the same.

> The various P2P enhancements come next, once there already is a
> network of home servers. The obvious one is a communication
> application that beats traffic analysis by embedding its own
> shuffling or onion routing. I don't think we can run anything
> like that directly on a phone, it would drain the battery way too
> quickly.

It might not if the total traffic was quite low (even if my IM
traffic in bytes or packets was 10x larger because of a mix network
participation, it would still be tiny compared to even a couple of
phone calls a day). Still, I tend to agree that home nodes make
better mix participants.

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-25 Thread Jerry Leichter
On Aug 25, 2013, at 6:28 PM, Perry E. Metzger wrote:
[Commenting on just one minor piece]
> ...Similar techniques may be useful for voice traffic, but that has
> interesting latency requirements, and they're hard to fulfill with a
> mix network that might take arbitrary time. There's been some
> interesting work by a number of people (including one of my doctoral
> brothers) on this topic. It probably would require a bunch of
> experimentation to get it right. On the other hand, anything might be
> better than what we have now for voice traffic, which is essentially
> zero privacy from the operators of most of the services.
There's another problem with voice:  People have come to expect services beyond 
the old point-to-point conversations that the traditional phone network 
provided.  Group conferences are now very much an expected part of on-line 
voice services.  These actually require fairly sophisticated processing of the 
audio to balance levels, avoid or suppress echoes, and so on.  The only 
implementation techniques available today require a central server with access 
to cleartext voice streams.  Not only does the server need to be trusted to 
handle the cleartext voice streams, it has to be trusted to do all the 
authentication - what comes out of the system doesn't usually match what went 
in from any one endpoint.

Multi-way chat has similar, if much simpler, problems.

On the rare occasions these problems (or even multi-party video conferencing) 
get mentioned, someone usually suggests using homomorphic cryptography.  
Besides being way too expensive to be practical at the moment, it's not even 
clear to me that it provides a useful kind of security.  What kind of 
authentication model could such a system implement?  Without it, what's to 
prevent a rogue server from inserting its own voice into the conversation?

There are probably a couple of nice PhD dissertations in here...

-- Jerry



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-25 Thread Jerry Leichter
On Aug 25, 2013, at 7:04 PM, Christian Huitema wrote:

> I think we can agree that the first step is to deploy home servers, and that
> the first application there would be to host communication applications. Just
> doing that without much other change would already provide protection
> against the silent spying that goes on in big cloud servers.
>
> Initial deployment of anything must provide an immediate reward to the early
> adopters. You cannot rely on a network effect, and that means you can
> certainly not request third parties to adopt a new protocol. So better pinch
> our noses and say that, of course, we will accept SMTP mail. Probably SIP as
> well, and XMPP. We just need at first to make sure that the home server is
> easy to deploy and maintain. Then the adopters get the immediate reward,
> nobody can go through my mail archives without asking me.
I agree, and have suggested this as the right next step for a couple of 
years.  (For services like mail, it's the right next step *even without the 
security considerations*.  At one time, everyone who wanted to use mail ran 
his own mail server.  This was a pain to do, and didn't work well in a world of 
intermittent network connectivity and small disks.  Letting someone else figure 
out how to keep sendmail working, provide a continuous on-line presence, back 
up the disks, and so on, was a clear win.

Today, however, pretty much everyone (well, at least in the first world; but 
the problems elsewhere are of an entirely different nature anyway) has a 
continuous, immensely fast (relative to the demands of mail) internet 
connection, disk is too cheap to meter, machines run for years with no 
maintenance, and you can back everything up using readily-available tools to 
encrypted copies in the cloud, or on a friend's system.  What's been missing is 
the ability to configure your local mail server as easily as you set up an 
email address at Google or Yahoo or at any other provider.  But that's a 
solvable problem.

On the flip side, mail systems like gMail or Yahoo mail are complex and 
difficult to run *exactly because they are immense*.  But what are they getting 
for that size?  There are no economies of scale here - in fact, there are clear 
*dis*economies.

Even without the recent uproar over email privacy, at some point, someone was 
going to come up with a product along the following lines:  Buy a cheap, 
preconfigured box with an absurd amount of space (relative to the huge 
amounts of space, like 10GB, the current services give you); then sign up for a 
service that provides your MX record and on-line, encrypted backup space for a 
small monthly fee.  (Presumably free services to do the same would also appear, 
perhaps from some of the dynamic DNS providers.)  What's the value add of one 
of the giant providers?

> The various P2P enhancements come next, once there already is a network of
> home servers. The obvious one is a communication application that beats
> traffic analysis by embedding its own shuffling or onion routing.
A single-purpose appliance - a box that has exactly two open ports on the 
Internet, one for SMTP and one for IMAP, with management over a physically 
separate interface, would have a tiny attack surface and could be very secure.  
The more interfaces you put on the box, the less secure it gets.

Maybe you can play games with virtualization - not the kind of virtualization 
that's used today, with all kinds of hooks for efficient sharing, but 
virtualization specifically for security, with as little sharing as possible 
(e.g., completely separate virtual disks; so what if you duplicate stuff, 
programs and such are tiny relative to disk sizes today).

*The* biggest headache is HTTP support.  Even the simplest modern HTTP server 
is so complex you can never be reasonably sure it's secure (though, granted, 
it's simpler than a browser!)  You'd want to stay simple and primitive.

Probably the biggest threat to such a device is a rogue update that installs 
malware.  You can try to mitigate that risk by requiring that all updates be 
signed by multiple independent parties who vet the patch, but there are 
difficult tradeoffs:  Too few checkers, and a rogue patch can get through; too 
many, and if a severe problem develops, you can't get a patch out quickly.

I think the goal to aim for is no patches!  Keep the device and its interfaces 
simple enough that you can get a decent formal proof of correctness, along with 
a ton of careful review and testing (per Don Knuth's comment somewhere to "Be 
careful of the following code, I've only proved it correct, not tested it") and 
then *leave it alone*.  If you don't think you can do without patches for the 
whole thing, maybe you can have a non-patched security kernel, with patches 
only to portions that cannot break your security guarantees.  (Yes, this is 
also a hard problem.)

An important element of a secure design is some sort of obliviousness.  A mail 
server doesn't, on its own, need to