The Eddystone ephemeral identifier for BLE work from Google may be of interest to some here (doesn't solve cases of unknown neighbors): https://developers.google.com/beacons/eddystone-eid
On Thu, Oct 6, 2016 at 9:41 PM, Christian Huitema <huit...@huitema.net> wrote:
>
> On Thursday, October 6, 2016 6:58 AM, Michael Richardson wrote:
> >
> > ...
> > I'd love to find a way to send the identifier only to an authorized operator,
> > which is resistant to an active MITM, given that the new device (the pledge)
> > doesn't know who the authorized operator is yet.
>
> We are looking at that in the pairing draft in DNSSD
> (https://tools.ietf.org/html/draft-kaiser-dnssd-pairing-00). The hypothesis
> is that the two paired devices can display a short authentication string,
> e.g. 6-7 digits. Given that, we can establish a TLS connection without prior
> credentials between the two parties, with a probability 99.9999% that any
> MITM attempt will be detected. But the two parties have to be able to "see"
> the string display on the other device and compare it to the local one. ZRTP
> uses the same algorithm to detect MITM in audio connection, probably
> assuming that the parties will read the string over the audio channel and
> that the MITM cannot really rework the audio in real time.
>
> There is another trick, used in the privacy extensions to DNS-SD
> (https://tools.ietf.org/html/draft-huitema-dnssd-privacy-02). Use TLS PSK,
> or better yet TLS/ECDH/PSK. Instead of PSK ID, send a puzzle that can only
> be solved by parties knowing the PSK, e.g. nonce + hash (nonce, PSK). That
> guarantees connection without MITM, and also without disclosure of the
> identities to third parties. Problem, it scales as O(number of PSK) known by
> the server. We could probably devise an extension of that using public key
> technology.
>
> -- Christian Huitema
>

--
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
Tech Prom, CDT's Annual Dinner, is April 20, 2017! https://cdt.org/annual-dinner
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass
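The "puzzle instead of PSK ID" trick quoted above, as an added illustration that is not code from the thread or from the DNS-SD privacy draft: the client sends (nonce, hash(nonce, PSK)) in place of a cleartext identity, and the server must try each PSK it knows, which is where the O(number of PSK) cost comes from. HMAC-SHA256 as the keyed hash, the identity labels and the PSK values are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample table (placeholder labels and keys, not values from the
# thread): the PSKs this server shares pairwise with its peers. The label is
# the identity the scheme is trying to keep off the wire.
SERVER_PSKS: Dict[str, bytes] = {
    "pairing-alice": b"\x11" * 32,
    "pairing-bob": b"\x22" * 32,
    "pairing-carol": b"\x33" * 32,
}


def keyed_hash(psk: bytes, nonce: bytes) -> bytes:
    # Assumption of this example: "hash(nonce, PSK)" realised as HMAC-SHA256
    # keyed with the PSK, so an observer without the PSK learns nothing.
    return hmac.new(psk, nonce, hashlib.sha256).digest()


def make_puzzle(psk: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Client side: emit (nonce, proof) instead of a PSK identity.

    A fresh random nonce per handshake is what makes two connections from the
    same client unlinkable to a passive third party.
    """
    nonce = nonce if nonce is not None else os.urandom(16)
    return nonce, keyed_hash(psk, nonce)


def solve_puzzle(nonce: bytes, proof: bytes,
                 psks: Dict[str, bytes]) -> Tuple[Optional[str], int]:
    """Server side: find which known PSK reproduces the proof.

    Returns (identity or None, number of PSKs tried). The counter makes the
    scaling problem from the thread visible: an unknown or spoofed puzzle
    costs one HMAC per PSK the server holds before it can be rejected.
    """
    tried = 0
    for identity, psk in psks.items():
        tried += 1
        if hmac.compare_digest(keyed_hash(psk, nonce), proof):
            return identity, tried
    return None, tried
```

Note that the puzzle alone only proves knowledge of the PSK; in the draft it is carried inside a TLS/ECDH handshake, which is what binds it to a fresh session and defeats replay of a recorded (nonce, proof) pair.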