On Mon, Mar 2, 2015 at 5:14 PM, John Rose via AGI <[email protected]> wrote:
>> -----Original Message-----
>> From: Matt Mahoney via AGI [mailto:[email protected]]
>>
>> Peers need to know when two messages are from the same source. If a peer
>> earns a reputation for being a reliable source of information (like Google or
>> your bank), then malicious peers will try to spoof messages from them. To
>> prevent this, peers sign their messages using a mutually agreed secret key
>> chosen at random. After an initial exchange (using e.g. Diffie-Hellman), I
>> send you a message and a signature like SHA256(message + key). You receive
>> the message, compute the signature, and compare it to the signature that I
>> sent you. Since nobody else knows the key, and the hash is not invertible,
>> you know the message must have come from me.
>
> Well, that's the same as using HTTPS or another application layer protocol
> over TLS/SSL with certificates signed by a certificate authority, no? Though
> in your communications protocol you control the signing and encryption
> algorithm and everyone need not get a CA signed cert I suppose.

HTTPS remains an option for key exchange. The disadvantage is it requires trusting a third party (the CA) to vouch for the public key that claims to be from Google or whoever.

In the protocol I proposed, there is a separate key for every pair of peers that wants to communicate. If a key is compromised, then the damage is limited to that one channel. If a CA is hacked, it's bad news. It's happened.

There are secure protocols to establish keys without a third party between peers that initially do not trust each other, such as RSA and Diffie-Hellman. Even if there is a man-in-the-middle attack, the peers have no more reason to trust the other peer than the attacker, so no harm is done. The peers only come to trust each other after communicating for some time.

Ultimately there is no avoiding reputation networks, however. A trusts B, and B says you can trust C, and so on. So CAs aren't going away.

--
-- Matt Mahoney, [email protected]
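
The per-pair signing scheme discussed in this thread, as an added example that is not part of the original messages: each peer holds one secret per remote peer, tags messages with it, and the receiver recomputes and compares. `Peer`, `pair_with` and `demo` are hypothetical names, a random key stands in for the result of the Diffie-Hellman exchange, the sample messages are constructed, and HMAC-SHA256 is shown beside the quoted SHA256(message + key) as the standard keyed-hash construction.

```python
import hashlib
import hmac
import secrets

def tag_as_described(message: bytes, key: bytes) -> bytes:
    """SHA256(message + key), the construction quoted in the thread."""
    return hashlib.sha256(message + key).digest()

def tag_hmac(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256: the standard keyed hash, swapped in here as an alternative."""
    return hmac.new(key, message, hashlib.sha256).digest()

class Peer:
    def __init__(self, name, mac=tag_hmac):
        self.name, self.mac = name, mac
        self.keys = {}  # one independent secret per remote peer

    def pair_with(self, other):
        # Assumption: a random key stands in for the result of the key exchange.
        key = secrets.token_bytes(32)
        self.keys[other.name] = other.keys[self.name] = key

    def send(self, to, message: bytes):
        return self.name, message, self.mac(message, self.keys[to.name])

    def verify(self, claimed_sender, message: bytes, tag: bytes) -> bool:
        key = self.keys.get(claimed_sender)
        if key is None:
            return False  # no channel with this peer, nothing to check against
        # Constant-time comparison avoids leaking how many tag bytes matched.
        return hmac.compare_digest(self.mac(message, key), tag)

def demo(mac=tag_hmac):
    alice, bob, carol = (Peer(n, mac) for n in ("alice", "bob", "carol"))
    alice.pair_with(bob)
    carol.pair_with(bob)
    sender, msg, tag = alice.send(bob, b"rate for EUR/USD is 1.12")  # constructed
    leaked = carol.keys["bob"]  # suppose only the carol<->bob key is compromised
    forged = b"send funds to account X"
    return {
        "genuine": bob.verify(sender, msg, tag),
        "tampered": bob.verify(sender, msg + b"0", tag),
        "forged_as_alice": bob.verify("alice", forged, mac(forged, leaked)),
        "forged_as_carol": bob.verify("carol", forged, mac(forged, leaked)),
        "unknown_peer": bob.verify("mallory", msg, tag),
    }

if __name__ == "__main__":
    for mac in (tag_as_described, tag_hmac):
        print(mac.__name__, demo(mac))
```

Only `forged_as_carol` verifies with the leaked key, which is the "damage is limited to that one channel" property; because the key is shared, a valid tag shows the message came from one of the two holders of that key.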
