Re: [Cryptography] Good private email

2013-08-27 Thread Sebastian Krahmer
On Mon, Aug 26, 2013 at 07:12:21AM -0400, Richard Salz wrote:

 I don't think you need all that much to get good secure private email.
  You need a client that can make PEM pretty seamless; reduce it to a
 button that says encrypt when possible.  You need the client to be
 able to generate a keypair, upload the public half, and pull down
 (seamlessly) recipient public keys.  You need a server to store and
 return those keys. You need an installed base to kickstart the network
 effect.
 
 Who has that?  Apple certainly; Microsoft could; Google perhaps
 (although not reading email is against their business model). Maybe
 even the FB API.

Now, that's an interesting point! Once all email is encrypted, how many
mail providers would be interested in offering free service at all,
and what's their business model then?
Is it still valuable enough to sell the graph of connects?

Sebastian

-- 

~ perl self.pl
~ $_='print\$_=\47$_\47;eval';eval
~ krah...@suse.de - SuSE Security Team

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Using Raspberry Pis

2013-08-27 Thread Bill Stewart



Custom built hardware will probably be the smartest way to go for an
entrepreneur trying to sell these in bulk to people as home gateways anyway


Meanwhile, while Phill may have spent $25 for a USB Ethernet, I 
frequently see them on sale for $10 and sometimes $5.




Re: [Cryptography] Traffic Analysis (was Re: PRISM PROOF Email)

2013-08-27 Thread Wendy M. Grossman
On 08/27/2013 01:17, Perry E. Metzger wrote:
 On Mon, 26 Aug 2013 17:39:16 -0400 The Doctor dr...@virtadpt.net
 wrote:
 On 08/26/2013 09:26 AM, Perry E. Metzger wrote:

 Mix networks are, however, a well technique. Onion networks, which
 are related, are widely deployed right now in the form of Tor, and
 work well. I see little reason to believe mix networks would not 
 also work well for instant messages and email (see my other
 thread, begun yesterday.)

 What is considered acceptable latency these days for IM or e-mail?
 Supposedly, the highest acceptable latency for web browsing before
 the user gets bored and closes the tab is two or three seconds
 (supposedly...), so where would the lag for e-mail or IM fall
 anymore before users give up on it?
 
 I think tolerance for delays on the web is actually much lower than
 that -- even a full second probably drives many users away. That's
 why Tor has a much harder problem.
 
 In Email, however, no one really knows their latency -- it is rare
 that someone actually is aware that a message has just been sent. I
 routinely have SMSes take seconds to go through and yet I use
 SMS.
 

I'd agree with this. On the Web, people are impatient because they're
trying to complete a transaction in real time. It's very rare to expect
an immediate response by email. With IM it depends on the individual
conversation and the feedback you're getting. E.g., if you're chatting
with someone in real time and the software shows you the other person is
typing a reply you'll wait, while if there's no feedback you may just
assume they've left the room for some reason. But either way, it's not
fatal.

Latency issues really apply much more to things that stream - audio,
video, voice calls. And high-speed trading, but that seems beyond the
scope of this conversation.

wg
-- 
www.pelicancrossing.net -- all about me
Twitter: @wendyg
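The latency question in the exchange above, as an added example that is not part of the thread: a small simulation of one threshold mix (hold messages, flush the whole pool in shuffled order every n messages) with an optional timed flush, fed with constructed Poisson traffic. It shows the tradeoff the discussion circles around: a larger batch buys every message a larger anonymity set at the price of proportionally longer delay, and without a timer a quiet link leaves the last messages stranded in the pool. The traffic rate, thresholds and timer value are my assumptions, not figures from the list.

```python
"""Latency/anonymity-set tradeoff of one threshold mix over constructed traffic."""
import random
from typing import Dict, List, Optional


def poisson_arrivals(rate_per_sec: float, n: int, seed: int = 1) -> List[float]:
    """n arrival times with exponential inter-arrival gaps (mean 1/rate).
    Seeded so runs are reproducible; this is constructed traffic, not a trace."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n):
        t += rng.expovariate(rate_per_sec)
        times.append(t)
    return times


def run_mix(arrivals: List[float], threshold: int,
            max_wait: Optional[float] = None, seed: int = 2) -> Dict[str, float]:
    """One mix node: pool messages, flush the whole pool in shuffled order
    when it holds `threshold` messages or, if max_wait is given, when the
    oldest pooled message has waited max_wait seconds (a timer).
    Returns mean/max delay, batch count, the smallest batch (the weakest
    anonymity set any message received) and how many never left the pool."""
    rng = random.Random(seed)
    pool: List[float] = []          # arrival times, in arrival order
    delays: List[float] = []
    batch_sizes: List[int] = []

    def flush(at: float) -> None:
        rng.shuffle(pool)           # output order carries no arrival-order information
        delays.extend(at - a for a in pool)
        batch_sizes.append(len(pool))
        pool.clear()

    for t in arrivals:
        # The timer would have fired before this arrival was seen.
        if max_wait is not None and pool and t - pool[0] >= max_wait:
            flush(pool[0] + max_wait)
        pool.append(t)
        if len(pool) >= threshold:
            flush(t)

    stranded = len(pool)
    if max_wait is not None and pool:   # the timer eventually clears the tail
        flush(pool[0] + max_wait)
        stranded = 0

    return {
        "mean_delay": sum(delays) / len(delays) if delays else float("inf"),
        "max_delay": max(delays) if delays else float("inf"),
        "batches": len(batch_sizes),
        "min_batch": min(batch_sizes) if batch_sizes else 0,
        "stranded": stranded,
    }


if __name__ == "__main__":
    traffic = poisson_arrivals(rate_per_sec=1 / 60, n=2000)   # one message a minute
    for n in (2, 5, 20):
        print("threshold=%2d" % n, run_mix(traffic, n))
    print("threshold=20 + 10 min timer", run_mix(traffic, 20, max_wait=600))
```

With Poisson arrivals the expected delay of a threshold mix is about (n-1)/2 inter-arrival gaps, so at one message a minute a batch of 20 costs roughly ten minutes on average, which is the kind of figure the "no one knows their email latency" argument above has to absorb; the timed variant bounds the worst case at the cost of occasionally emitting a batch smaller than n.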


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Phill

On Aug 26, 2013, at 5:27 PM, The Doctor dr...@virtadpt.net wrote:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
 On 08/26/2013 08:46 AM, Phillip Hallam-Baker wrote:
 
 Which is why I think Ted Lemon's idea about using Facebook type 
 friending may be necessary.
 
 Or Gchat-style contacts.
 
 I don't think we can rely on that for Key distribution. But I think
 it needs to be a part of the mix.
 
 What if the public key were baked into the user's public-facing
 profile in such a fashion that the client could pick it up
 automagickally but viewers just saw another link that they'd never
 click on anyway?

I am thinking that I want to make face to face exchange of keys via an iPhone 
'bump' type app possible

Also I want to be able to use friend relationships as a spam filtering control. 
Perhaps you only want to accept encrypted email from people if you know them. 

My spam problem is a little larger than most. While I was doing anti-spam at 
VeriSign I received a quarter of the mail for the company. I have been under a 
DoS attack on my mail for a considerable time.


But in any case, at the moment we have email, IM, voice and video all as 
separate apps unless we go through a proprietary scheme when they become one. 
The missing piece for email security is key discovery. If we are going to solve 
that problem for email we should do it for all the other apps as well.


The market for secure email is going to be tiered. There will be folks like us 
who want to have full control and do a lot of the work ourselves and there will 
be people who want to buy in the expertise and then there will be institutions 
that need to outsource.

As folk probably know, I work for Comodo and so I am interested in the 
possibility of establishing an enterprise market for secure email services. But 
that is only an interesting commercial prospect if there is a chance that 
secure email will become ubiquitous. 

In the near term, the critical mass for secure email has to come from another 
sector. People concerned about PRISM seem to be the constituency most likely 
to drive adoption. Even if the threat from other sources (Iran, Russia) is 
actually greater in my view. 



 I have a protocol compiler. Just give it an abstract schema and out
 pops a server and client API library. Just need to add the code to
 implement the semantics. It is up on Sourceforge, will update later
 this week.
 
 Neat!  Link, please?

https://sourceforge.net/projects/jsonschema/

The code should be uploaded later this week or early next. Just got back from 
Europe and having some hardware issues of the expensive kind.



Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Ralph Holz
Hi,

 There is a host of older literature, too - P2P research, however, has become
 a cold topic. Although I expect that it will see a revival in the face of
 surveillance.
 
 For people who are interested, the list I have (for a year or two back) is:

[list]

I would like to add the following:

R5n: Randomized recursive routing for restricted-route networks
NS Evans, C Grothoff
Network and System Security (NSS) 2011

Routing in the dark: Pitch black
NS Evans, C GauthierDickey, C Grothoff
Computer Security Applications Conference, 2007. ACSAC 2007

Exploiting KAD: possible uses and misuses
M Steiner, T En-Najjary, EW Biersack
ACM SIGCOMM Computer Communication Review 37 (5), 65-70

A global view of kad
M Steiner, T En-Najjary, EW Biersack
Proceedings of the 7th ACM SIGCOMM IMC, 2007

Measurements and mitigation of peer-to-peer-based botnets: a case study
on storm worm
T Holz, M Steiner, F Dahl, E Biersack, F Freiling
Proceedings of 1st Usenix Workshop LEET

Ralph


Re: [Cryptography] Good private email

2013-08-27 Thread The Doctor
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/27/2013 02:32 AM, Sebastian Krahmer wrote:

 Now, that's an interesting point! Once all email is encrypted, how
 many mail providers would be interested in offering free service at
 all,

Another question might be, how many e-mail services would pull a
Hushmail (i.e., tout transparent encryption after it leaves the
browser (but is actually backdoored))?  How many people /who are not
us/ cared when that happened?

 and what's their business model then?

How brisk a business do the freemium mail providers do?  One gig for
free, fifty for $xus/month?

 Is it still valuable enough to sell the graph of connects?

Intel agencies have an interest in social graphs, which implies that
the data is valuable to some people who are not intel agencies, so why
not sell that data?  I read an article yesterday about a company that
mines Facebook and sells the data to insurance companies and suchlike
for making service and rate determinations, so it is possible that
this is already happening under a different context.

http://www.celent.com/reports/using-social-data-claims-and-underwriting

http://www.claimsjournal.com/news/national/2011/10/14/192987.htm

http://www.web-strategist.com/blog/2010/06/14/how-insurance-companies-will-influence-rates-based-on-your-tweets/

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Only shallow people know themselves. --Oscar Wilde

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIcxu4ACgkQO9j/K4B7F8Hy2wCfchzF9uUS2oFLyr98ESzdabyZ
uAQAoNWszAIPcrTNnOyUQXILJpoyzMRg
=VAHQ
-----END PGP SIGNATURE-----


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread ianG

On 26/08/13 08:47 AM, Richard Clayton wrote:


Even without the recent uproar over email privacy, at some point, someone was
going to come up with a product along the following lines:  Buy a cheap,
preconfigured box with an absurd amount of space (relative to the huge amounts
of space, like 10GB, the current services give you); then sign up for a service
that provides your MX record and on-line, encrypted backup space for a small
monthly fee.  (Presumably free services to do the same would also appear,
perhaps from some of the dynamic DNS providers.)


Just what the world needs, more free email sending provision!  sigh



Right.  One of the problems with email (as pointed out in OP's original 
post) is that it is free to send *and* it can be sent to everyone.  The 
combination of these two assumptions/requirements is essential for spam.


Chat systems have pretty much killed spam by making it non-possible to 
send to everyone.  You need an introduction/invite/process/barrier, first.


This has worked pretty well.  Maybe the writing is on the wall?

Maybe we just need to let email die?

We can move email over to the 'IM technology' layer.  We can retain the 
email metaphor by simply adding it to chat clients, and by adding IM 
technology to existing email clients.  Both clients can allow us to 
write emails and send them, over their known IM channels to known contacts.


Why do we need the 1980s assumption of being able to send freely to 
everyone, anyway?




iang



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread radix42
Iang wrote:

Why do we need the 1980s assumption of being able to send freely to 
everyone, anyway?

tech.supp...@i.bought.your.busted.thing.com is one that comes to mind. 
i...@sale.me.your.thing.com is another. I think the types of prior whitelist 
only secure systems being discussed on-list here lately will in the long run 
win out with the lion's share of messages, but that bog standard 'dirty' email 
will persist for commercial interactions of the type I list above.

-David Mercer

David Mercer
Portland, OR



Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Wendy M. Grossman
On 08/27/2013 18:34, ianG wrote:
 Why do we need the 1980s assumption of being able to send freely to
 everyone, anyway?

It's clear you're not a journalist or working in any other profession
where you actually need to be able to communicate spontaneously with
strangers.

wg
-- 
www.pelicancrossing.net -- all about me
Twitter: @wendyg


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Greg Broiles
On Tue, Aug 27, 2013 at 2:04 PM, Wendy M. Grossman 
wen...@pelicancrossing.net wrote:

 It's clear you're not a journalist or working in any other profession
 where you actually need to be able to communicate spontaneously with
 strangers.


And if the people who attacked the NY Times' DNS today had chosen to
replace the NY Times' MX records with pointers to their own mailserver . .
.  communications intended for journalists would be in the hands of the
Syrian Electronic Army, or whoever's actually responsible for the hack.

Unencrypted E-mail is going to result in someone's death pretty quickly, if
it hasn't already.

-- 
Greg Broiles
gbroi...@gmail.com (Lists only. Not for confidential communications.)

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Phillip Hallam-Baker
On Tue, Aug 27, 2013 at 5:04 PM, Wendy M. Grossman 
wen...@pelicancrossing.net wrote:

 On 08/27/2013 18:34, ianG wrote:
  Why do we need the 1980s assumption of being able to send freely to
  everyone, anyway?

 It's clear you're not a journalist or working in any other profession
 where you actually need to be able to communicate spontaneously with
 strangers.


True, but you are probably willing to tolerate a higher level of spam
getting through in that case.

One hypothesis that I would like to throw out is that there is no point in
accepting encrypted email from someone who does not have a key to encrypt
the response.



-- 
Website: http://hallambaker.com/

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread radix42
Phillip Hallam-Baker wrote:
One hypothesis that I would like to throw out is that there is no point in 
accepting encrypted email from someone who does not have a key to encrypt 
the response.

I'd agree, as I was in just this position in the last week or so: I got a gpg 
encrypted email from someone I had no key for, and I haven't cut or circulated 
one in a very long while (my bad, as it were, on the latter point). So what's 
the point in even getting a key from them at that point, after the fact? They 
ARE not many 'hops' away from me in a web of trust sense so far as knowing 
people in person, but without having keys exchanged ahead of time, it's all 
moot. As I'm sure this list already knows. Just re-iterating the point made 
here in various ways that key exchange is THE big problem in all of this.

If we can usably crack that nut with 'house servers' on a dongle, we're most of 
the way there wrt secure email, IMNSHO.

Zooko's triangle, pet names...we have cracked the THEORY of secure naming, just 
not the big obstacle of key exchange. And I don't think the wider public was 
concerned/scared enough to care before Snowden. Let's hope they care long 
enough to adopt any viable solutions to the problem that might pop up in the 
wake of all this. The traffic on this list the past week is a very welcome 
thing.

-David Mercer

David Mercer
Portland, OR


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Jerry Leichter
I wonder if much of the work on secure DHT's and such is based on bad 
assumptions.  A DHT is just a key/value mapping.  There are two reasons to want 
to distribute such a thing:  To deal with high, distributed load; and because 
it's too large to store on any one node.  I contend that the second has become 
a non-problem.  The DHT uses I've seen involve at most a couple of billion 
small key/value pairs; most involve a few million at most.  Even at the high 
end, what's today a fairly small, moderately powered system can handle this 
much data with no problems.  The limitations are on QPS.  However, there are 
plenty of mundane techniques to deal with that, including replication, 
deterministic sharding, and caching.  They are all much simpler than DHT's and 
are hence less likely to have the subtle security problems that DHT's do.

Fundamentally, we're asking DHT's to solve three problems at once:  Distribute 
a map; be robust in the face of node failure; do it all securely.  Better to 
use good solutions to the individual problems and combine them than to try to 
find a way to do all at once.

I worked on data structures somewhat like DHT's back in the late 1970's (to 
implement the Linda distributed programming language on LAN's and hypercubes 
and similar networks).  Neat idea at the time, and it was fun to see it come 
back as a neat idea on a much larger scale years later; but perhaps its time is 
(again) passing.
-- Jerry



Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 21:13:59 -0400 Jerry Leichter leich...@lrw.com
wrote:
 I wonder if much of the work on secure DHT's and such is based on
 bad assumptions.  A DHT is just a key/value mapping.  There are two
 reasons to want to distribute such a thing:  To deal with high,
 distributed load; and because it's too large to store on any one
 node.

You've forgotten other reasons. One might want to avoid a single
point of failure. One might also want to avoid having any central
organization responsible for running a database so that it cannot be
shut down by an adversary without shutting down thousands or millions
of nodes.

 I contend that the second has become a non-problem.

That is untrue.

Say that you want to distribute a database table consisting of human
readable IDs, cryptographic keys and network endpoints for some
reason. Say you want it to scale to hundreds of millions of users. A
quick back of the envelope shows that no home user's little ARM based
gateway machine is going to want to handle storing the entire database
or handling the entire update traffic volume -- the latter alone
might swamp someone even with quite reasonable connectivity.

 Even at the high end, what's today a fairly small, moderately
 powered system can handle this much data with no problems.

I don't think so. Let's say you have a few hundred bytes per entry and
a billion users. That's hundreds of gigabytes, far more than you can
store on a thumb drive and an appreciable fraction even of today's
hard drives. Furthermore, say that 1% of the entries update per day
-- even at that low rate, you're going to swamp lots of people's
internet transfer quotas.

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 21:33:01 + radi...@gmail.com wrote:
 Iang wrote:
 
 Why do we need the 1980s assumption of being able to send freely
 to everyone, anyway?
 
 tech.supp...@i.bought.your.busted.thing.com is one that comes to
 mind. i...@sale.me.your.thing.com is another. I think the types of
 prior whitelist only secure systems being discussed on-list here
 lately will in the long run win out with the lion's share of
 messages, but that bog standard 'dirty' email will persist for
 commercial interactions of the type I list above.

On the other hand, tech.support@sillycompany could just accept all
contact requests, at least temporarily.

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
wen...@pelicancrossing.net wrote:
 On 08/27/2013 18:34, ianG wrote:
  Why do we need the 1980s assumption of being able to send freely
  to everyone, anyway?
 
 It's clear you're not a journalist or working in any other
 profession where you actually need to be able to communicate
 spontaneously with strangers.

Of course, as a reporter, you are probably getting email addresses of
people to talk to via referral, and that could be used to get past the
barrier. The problem of people spontaneously contacting a published
address is harder.

I don't claim to have all the answers, but experimentation will
probably tell us a lot more than simply thinking in the abstract.

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Jonathan Thornburg
On Tue, 27 Aug 2013, Perry E. Metzger wrote:
 Say that you want to distribute a database table consisting of human
 readable IDs, cryptographic keys and network endpoints for some
 reason. Say you want it to scale to hundreds of millions of users.

This sounds remarkably like a description of DNSSEC.

Assuming it were widely deployed, would DNSSEC-for-key-distribution
be a reasonable way to store
  email_address --> public_key
mappings?

-- 
-- Jonathan Thornburg jth...@astro.indiana.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984
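The email_address --> public_key mapping proposed above, as an added example that is not from the thread or any poster: the owner-name construction later standardised for exactly this purpose (OPENPGPKEY in RFC 7929 and SMIMEA in RFC 8162, both published after this discussion, hash the local part of the address into a label under the domain), together with the check a client has to make before it believes the answer, namely refusing any record the resolver did not DNSSEC-validate. That refusal is the dependency on the signed hierarchy that the replies to this message object to. The zone contents, key bytes and the Answer structure are constructed stand-ins for resolver output; this is not a DNS client.

```python
"""email_address -> public key via hashed DNS owner names, plus the DNSSEC check."""
import hashlib
from typing import Dict, NamedTuple, Optional


class Answer(NamedTuple):
    fingerprint: bytes   # SHA-256 of the published public key (constructed record format)
    secure: bool         # resolver reported DNSSEC validation (AD bit set)


def _hashed_owner(email: str, label: str) -> str:
    """Owner name = hex(SHA-256(local-part)[:28]) . _label . domain, the
    construction used by OPENPGPKEY (RFC 7929) and SMIMEA (RFC 8162).
    The local part is hashed exactly as given; whether to also publish
    case-folded variants is the zone owner's policy."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return "%s._%s.%s" % (digest.hex(), label, domain.lower())


def openpgpkey_owner(email: str) -> str:
    return _hashed_owner(email, "openpgpkey")


def smimea_owner(email: str) -> str:
    return _hashed_owner(email, "smimecert")


def fingerprint(public_key: bytes) -> bytes:
    return hashlib.sha256(public_key).digest()


def check_key_against_dns(zone: Dict[str, Answer], email: str,
                          presented_key: bytes) -> Optional[bool]:
    """Compare the key a correspondent presents with what their domain publishes.
    True: match. False: mismatch (treat as an attack or a stale record).
    None: no *validated* answer. An answer without DNSSEC validation is
    deliberately treated as absent: it is a bare claim that anyone on the
    path, or the resolver itself, could have substituted."""
    answer = zone.get(openpgpkey_owner(email))
    if answer is None or not answer.secure:
        return None
    return answer.fingerprint == fingerprint(presented_key)


# Constructed zone data standing in for resolver answers (not real keys).
ALICE_KEY = b"constructed public key bytes for alice"
BOB_KEY = b"constructed public key bytes for bob"
ZONE: Dict[str, Answer] = {
    openpgpkey_owner("alice@example.com"): Answer(fingerprint(ALICE_KEY), secure=True),
    openpgpkey_owner("bob@example.net"): Answer(fingerprint(BOB_KEY), secure=False),  # unsigned zone
}

if __name__ == "__main__":
    print(openpgpkey_owner("alice@example.com"))
    print(check_key_against_dns(ZONE, "alice@example.com", ALICE_KEY))   # True
    print(check_key_against_dns(ZONE, "alice@example.com", BOB_KEY))     # False
    print(check_key_against_dns(ZONE, "bob@example.net", BOB_KEY))       # None
```

Hashing the local part means a zone does not leak its list of mailboxes to anyone walking it, but it also means the zone operator must publish a record per address, which is the administrator-cooperation barrier raised later in this thread; the example's refusal of unsigned answers is what makes the lookup worth anything against an on-path attacker.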


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Peter Saint-Andre
On 8/27/13 7:48 PM, Perry E. Metzger wrote:
 On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
 wen...@pelicancrossing.net wrote:
 On 08/27/2013 18:34, ianG wrote:
 Why do we need the 1980s assumption of being able to send freely
 to everyone, anyway?

 It's clear you're not a journalist or working in any other
 profession where you actually need to be able to communicate
 spontaneously with strangers.
 
 Of course, as a reporter, you are probably getting email addresses of
 people to talk to via referral, and that could be used to get past the
 barrier.

And that's how friend-of-friend stuff is happening now (LinkedIn and the
like). In a way the old-fashioned letter of introduction had a lot to
recommend it. :-)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Peter Saint-Andre
On 8/27/13 7:45 PM, Perry E. Metzger wrote:
 On Tue, 27 Aug 2013 21:33:01 + radi...@gmail.com wrote:
 Iang wrote:

 Why do we need the 1980s assumption of being able to send freely
 to everyone, anyway?

 tech.supp...@i.bought.your.busted.thing.com is one that comes to
 mind. i...@sale.me.your.thing.com is another. I think the types of
 prior whitelist only secure systems being discussed on-list here
 lately will in the long run win out with the lion's share of
 messages, but that bog standard 'dirty' email will persist for
 commercial interactions of the type I list above.
 
 On the other hand, tech.support@sillycompany could just accept all
 contact requests, at least temporarily.

Realistically they all have a web-based contact form these days anyway.
Similarly, they all have live web-based chat systems that don't require
opening up more broadly. HTTP is the new TCP and all that.

For truly federated communication (BigRetailer wants its employees to
exchange messages with smaller companies in its supply chain), a more
open technology is needed, but we have those for email and IM.

However, we're off-topic for what's truly important here: not enterprise
email and IM, but secure technologies for individuals.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 19:57:30 -0600 Peter Saint-Andre
stpe...@stpeter.im wrote:
 On 8/27/13 7:47 PM, Jonathan Thornburg wrote:
  On Tue, 27 Aug 2013, Perry E. Metzger wrote:
  Say that you want to distribute a database table consisting of
  human readable IDs, cryptographic keys and network endpoints for
  some reason. Say you want it to scale to hundreds of millions of
  users.
  
  This sounds remarkably like a description of DNSSEC.
  
  Assuming it were widely deployed, would
  DNSSEC-for-key-distribution be a reasonable way to store
 email_address --> public_key
  mappings?
 
 You mean something like this (email address --> OTR key)?
 
 https://datatracker.ietf.org/doc/draft-wouters-dane-otrfp/

My problem with the use of DNSSEC for such things is the barrier to
entry. It requires that a systems administrator for the domain your
email address is in cooperate with you. This has even slowed DNSSEC
deployment itself.

It is, of course, clearly the correct way to do such things, but
trying to do things architecturally correctly sometimes results in
solutions that don't deploy.

I prefer solutions that require little or no buy in from anyone other
than yourself. One reason SSH deployed so quickly was it needed no
infrastructure -- if you controlled a single server, you could log in
to it with SSH and no one needed to give you permission.

This is a guiding principle in the architectures I'm now considering.

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Peter Saint-Andre
On 8/27/13 7:47 PM, Jonathan Thornburg wrote:
 On Tue, 27 Aug 2013, Perry E. Metzger wrote:
 Say that you want to distribute a database table consisting of human
 readable IDs, cryptographic keys and network endpoints for some
 reason. Say you want it to scale to hundreds of millions of users.
 
 This sounds remarkably like a description of DNSSEC.
 
 Assuming it were widely deployed, would DNSSEC-for-key-distribution
 be a reasonable way to store
   email_address --> public_key
 mappings?

You mean something like this (email address --> OTR key)?

https://datatracker.ietf.org/doc/draft-wouters-dane-otrfp/

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




[Cryptography] Unsubscribe

2013-08-27 Thread Jordan
Unsubscribe

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Jerry Leichter

On Aug 27, 2013, at 9:41 PM, Perry E. Metzger wrote:

 On Tue, 27 Aug 2013 21:13:59 -0400 Jerry Leichter leich...@lrw.com
 wrote:
 I wonder if much of the work on secure DHT's and such is based on
 bad assumptions.  A DHT is just a key/value mapping.  There are two
 reasons to want to distribute such a thing:  To deal with high,
 distributed load; and because it's too large to store on any one
 node.
 
 You've forgotten other reasons. One might want to avoid a single
 point of failure.
And yet DHT's have completely failed at doing this.

 One might also want to avoid having any central
 organization responsible for running a database so that it cannot be
 shut down by an adversary without shutting down thousands or millions
 of nodes.
Redundancy and validation of updates are issues separable from the 
implementation of the map and, in particular, from routing.  DHT's try to 
combine all four and, as we've seen, fail.

Just because it's possible to actually store the contents of a DHT in a single 
big database doesn't mean you'd actually want to do it that way.  I'm 
suggesting that you start with the idealization of a single, secure database, 
then make the modifications needed to actually attain the necessary properties 
in the face of high distributed QPS, random failures, and a variety of attacks.

 I contend that the second has become a non-problem.
 
 That is untrue.
 
 Say that you want to distribute a database table consisting of human
 readable IDs, cryptographic keys and network endpoints for some
 reason. Say you want it to scale to hundreds of millions of users. A
 quick back of the envelope shows that no home user's little ARM based
 gateway machine is going to want to handle storing the entire database
 or handling the entire update traffic volume -- the latter alone
 might swamp someone even with quite reasonable connectivity.
Why in the world would you want to put the information for even a million users 
on such a server?  This would be a server that exists to provide services to at 
most a few 10's of people - probably fewer.  How many users will they, 
personally, ever contact in their collective lifetimes?  This is an ideal 
application for local caching of relevant information from the global database 
stored somewhere else.  It might well, transparently, also contain mapping 
information that its own users received out of band and want to use - but 
have no reason to share globally.

 
 Even at the high end, what's today a fairly small, moderately
 powered system can handle this much data with no problems.
 
 I don't think so. Lets say you have a few hundred bytes per entry and
 a billion users. That's hundreds of gigabytes, far more than you can
 store on a thumb drive and an appreciable fraction even of today's
 hard drives. Furthermore, say that 1% of the entries update per day
 -- even at that low rate, you're going to swamp lots of people's
 internet transfer quotas.
Again, why would individuals want to store that much data?

The DHT model says that millions of Raspberry Pi's and thumb drives together 
implement this immense database.  But since a DHT, by design, scatters the data 
around the network at random, *my* thumb drive is full of information that I 
will never need - all the information *I* need is out there, somewhere - where, 
based on the research we've been discussing, I have no secure way to get at it. 
 Why would I buy into such a design?  Doesn't it make much more sense for me to 
store the information relevant to me?

It's not as if this isn't a design we have that we know works:  DNS.  Yes, DNS, 
even the secure versions, have security issues.  But then so do DHT's, so 
they are hardly an improvement.  And many of DNS's problems have to do with the 
assumption of a single hierarchy with, as a result, a small number of 
extremely trusted nodes up at the top.  That's a problem that can be attacked.

-- Jerry

 
 Perry
 -- 
 Perry E. Metzger  pe...@piermont.com

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Phillip Hallam-Baker
On Tue, Aug 27, 2013 at 10:18 PM, Perry E. Metzger pe...@piermont.comwrote:

 On Tue, 27 Aug 2013 19:57:30 -0600 Peter Saint-Andre
 stpe...@stpeter.im wrote:
  On 8/27/13 7:47 PM, Jonathan Thornburg wrote:
   On Tue, 27 Aug 2013, Perry E. Metzger wrote:
   Say that you want to distribute a database table consisting of
   human readable IDs, cryptographic keys and network endpoints for
   some reason. Say you want it to scale to hundreds of millions of
   users.
  
   This sounds remarkably like a description of DNSSEC.
  
   Assuming it were widely deployed, would
   DNSSEC-for-key-distribution be a reasonable way to store
 email_address -- public_key
   mappings?
 
  You mean something like this (email address -- OTR key)?
 
  https://datatracker.ietf.org/doc/draft-wouters-dane-otrfp/

 My problem with the use of DNSSEC for such things is the barrier to
 entry. It requires that a systems administrator for the domain your
 email address is in cooperate with you. This has even slowed DNSSEC
 deployment itself.


How about the fact that the US govt de facto controls the organization
controlling the root key and it is a single rooted hierarchy of trust?

But in general, the DNS is an infrastructure for making assertions about
hosts and services. It is not a good place for assertions about users or
accounts. So it is a good place to dump DANE records for your STARTTLS
certs but not for S/MIME certs.


 It is, of course, clearly the correct way to do such things, but
 trying to do things architecturally correctly sometimes results in
 solutions that don't deploy.

 I prefer solutions that require little or no buy in from anyone other
 than yourself. One reason SSH deployed so quickly was it needed no
 infrastructure -- if you controlled a single server, you could log in
 to it with SSH and no one needed to give you permission.

 This is a guiding principle in the architectures I'm now considering.


 I very much agree that deployment is all.

One thing I would like to do is to separate the email client from the
crypto decision making even if this is just a temporary measure for testbed
purposes. I don't want to hack plugs into a dozen email clients for a dozen
experiments and have to re-hack them for every architectural tweak.

-- 
Website: http://hallambaker.com/
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
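As an added illustration of the one DNS use Phillip Hallam-Baker does endorse above (DANE records for STARTTLS certificates, not for users or accounts), the following example builds and checks a TLSA record for an SMTP server. It is not code from the thread or from any of its participants. The record layout follows RFC 6698 and RFC 7672; the certificate bytes and the host name are constructed stand-ins, only selector 0 (whole certificate) is implemented because selector 1 needs an ASN.1 parser, and no DNS query is made: a real client must only act on TLSA data that validated under DNSSEC.

```python
"""Added example: DANE TLSA record for an SMTP STARTTLS certificate.

Not from the mailing-list thread. Host name and certificate bytes are
constructed; a real deployment publishes the record in a DNSSEC-signed
zone and the client checks the DNSSEC AD bit before trusting it.
"""
import hashlib

# RFC 6698 field values
USAGE_DANE_EE = 3          # DANE-EE: the end-entity cert itself is the trust anchor
SELECTOR_FULL_CERT = 0     # compare/hash the whole DER certificate
# selector 1 (SubjectPublicKeyInfo only) is omitted: it requires ASN.1 parsing
MTYPE_FULL, MTYPE_SHA256, MTYPE_SHA512 = 0, 1, 2


def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name a client queries for a service: _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def _assoc_data(cert_der: bytes, mtype: int) -> bytes:
    """Certificate association data for the given matching type."""
    if mtype == MTYPE_FULL:
        return cert_der
    if mtype == MTYPE_SHA256:
        return hashlib.sha256(cert_der).digest()
    if mtype == MTYPE_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_rdata(cert_der: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_FULL_CERT,
               mtype: int = MTYPE_SHA256) -> str:
    """Presentation-format RDATA for the zone file, e.g. '3 0 1 <hex>'."""
    if selector != SELECTOR_FULL_CERT:
        raise ValueError("only selector 0 (full certificate) is implemented here")
    return f"{usage} {selector} {mtype} {_assoc_data(cert_der, mtype).hex()}"


def parse_tlsa_rdata(rdata: str):
    """Split presentation format back into (usage, selector, mtype, assoc_bytes)."""
    usage, selector, mtype, assoc = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(assoc)


def cert_matches_tlsa(cert_der: bytes, rdata: str) -> bool:
    """Does the certificate presented in the TLS handshake match the record?

    Only DANE-EE with selector 0 is handled; other usages need PKIX chain
    building and are rejected rather than silently accepted.
    """
    usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
    if usage != USAGE_DANE_EE or selector != SELECTOR_FULL_CERT:
        return False
    try:
        return _assoc_data(cert_der, mtype) == assoc
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate (not a real X.509 object).
    fake_cert = b"\x30\x82\x01\x00" + bytes(range(256))
    print(tlsa_owner_name("mail.example.com"), "IN TLSA", tlsa_rdata(fake_cert))
    print("presented cert matches:", cert_matches_tlsa(fake_cert, tlsa_rdata(fake_cert)))
```

The client-side check is only as strong as the DNSSEC validation in front of it; an unsigned TLSA answer gives an attacker who controls the path a way to pin their own certificate.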

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Jerry Leichter

On Aug 27, 2013, at 9:48 PM, Perry E. Metzger wrote:

 On Tue, 27 Aug 2013 22:04:22 +0100 Wendy M. Grossman
 wen...@pelicancrossing.net wrote:
 On 08/27/2013 18:34, ianG wrote:
 Why do we need the 1980s assumption of being able to send freely
 to everyone, anyway?
 
 It's clear you're not a journalist or working in any other
 profession where you actually need to be able to communicate
 spontaneously with strangers.
 
 Of course, as a reporter, you are probably getting email addresses of
 people to talk to via referral, and that could be used to get past the
 barrier. The problem of people spontaneously contacting a published
 address is harder.
Actually, it isn't, or shouldn't be.  Email addresses were originally things 
you typed into a terminal.  They had to be short, memorable, and easy to type.  
Published meant printed on paper, which implied typing the thing back in.

But none of that matters much any more.  Publication is usually on-line, so 
contact addresses can be arbitrary links.  When we meet in person, we can 
exchange large numbers of bits between our smartphones.  Hell, even a business 
card can easily have a QR code on the back.

Suppose, as in Bitcoin, my email address *is* my public key.  If you wanted to 
send me email, you'd have a routing problem - but I could even give you hints:  
My address would be leich...@lrw.com:public key.  You can try there first, or 
you can look up my public key in some global dictionary.  An attacker could get 
your mail to me to go to them, but they can't read it - you already know my 
public key, so only *I* can read it.  The only attack they can mount is a 
denial of service.  I can have any number of public keys, and all published 
routes to me may go through a mix - so I can minimize metadata leakage.

The assumption that initial contact information has to be something 
human-processable creates the whole how do I securely map contact information 
to a key problem.  Flip it around and that problem vanishes.

-- Jerry

 
 I don't claim to have all the answers, but experimentation will
 probably tell us a lot more than simply thinking in the abstract.
 
 -- 
 Perry E. Metzger  pe...@piermont.com
 ___
 The cryptography mailing list
 cryptography@metzdowd.com
 http://www.metzdowd.com/mailman/listinfo/cryptography

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Christian Huitema
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 The DHT model says that millions of Raspberry Pi's and thumb drives together 
 implement 
 this immense database.  But since a DHT, by design, scatters the data around 
 the network 
 at random, *my* thumb drive is full of information that I will never need - 
 all the 
 information *I* need is out there, somewhere - where, based on the research 
 we've been 
 discussing, I have no secure way to get at it.  Why would I buy into such a 
 design?  Doesn't 
 it make much more sense for me to store the information relevant to me?

When we designed PNRP, I was pretty adamant to avoid this business of storing 
other people's data. We assumed that your data would be stored locally. The 
cost is a bit of added synchronization cost, effectively scaling as the number 
of records that have to be published. But if you are looking at a P2P name 
server type application, there are very few such records. 

Basically, the fewer nodes rely on strangers, the better.

- -- Christian Huitema


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (MingW32)
Comment: Using gpg4o v3.1.107.3564 - http://www.gpg4o.de/
Charset: utf-8

iQEcBAEBAgAGBQJSHYReAAoJELba05IUOHVQuJsH/2W+6CLtc+IRjH/7ufNhlIx8
F8H30+vt3D1QxikluwKkzBB3HVxSiZL1N1z5z63Vvi9a+nIzuJPX8xNJf27tvvp7
gcHQqTz3J/Ffa2pX0fjtr83bpfBg+x27b7T4gBdbuN1KZ3sesQaHXWurCV2bz3Nb
9IDn2PYBOna+FXM/fMA8cpvElb+C6rEDvO0hcW1CVIxutt3yLICR3rAnyzhFQSUP
7MbnOZ7iSXRrmgvY3ukmI+OsAf9iOEavxdmgMYJJj1istyg1PMHcFH3MPoxggrfl
9ESTc1wiiZYsVF3r0SXf0DI08J8z7RXzJ/0WY9PUGgxQ49CEYgsq9ZSpUUfEm7Y=
=4LGc
-END PGP SIGNATURE-

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
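Both Jerry Leichter's objection (a DHT scatters my records onto strangers' thumb drives and fills mine with theirs) and Christian Huitema's PNRP alternative (each node keeps its own records) are easy to see in numbers. The following added example, which is not code from the thread, PNRP or any DHT implementation, places records on a Chord-style consistent-hash ring and reports, per node, how many of its own records it ends up holding versus how many it must fetch from, or hold for, strangers. The node names, record names and ring size are constructed for illustration.

```python
"""Added example: where records land on a DHT ring versus local storage.

Not from the mailing-list thread. Node and record names are constructed;
the ring uses SHA-1 identifiers as Chord does, with each key stored on
the first node whose identifier is >= the key's (wrapping around).
"""
import hashlib
from bisect import bisect_left


def ring_id(name: str) -> int:
    """Map a node name or record key onto the 160-bit identifier ring."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big")


class ConsistentHashRing:
    """Minimal Chord-style placement: successor node of the key's id."""

    def __init__(self, node_names):
        self.nodes = sorted((ring_id(n), n) for n in node_names)
        self.ids = [i for i, _ in self.nodes]

    def owner(self, key: str) -> str:
        idx = bisect_left(self.ids, ring_id(key))
        if idx == len(self.ids):     # past the last node: wrap to the first
            idx = 0
        return self.nodes[idx][1]


def placement_report(ring: ConsistentHashRing, records: dict) -> dict:
    """records maps record key -> name of the node that published it.

    Returns per node: own_local (own records that happen to land on it),
    foreign_held (strangers' records it must store), own_remote (its own
    records it must fetch from strangers, over a path it cannot verify).
    """
    report = {n: {"own_local": 0, "foreign_held": 0, "own_remote": 0}
              for _, n in ring.nodes}
    for key, publisher in records.items():
        holder = ring.owner(key)
        if holder == publisher:
            report[publisher]["own_local"] += 1
        else:
            report[holder]["foreign_held"] += 1
            report[publisher]["own_remote"] += 1
    return report


def totals(report: dict) -> dict:
    """Sum the three counters over all nodes."""
    return {k: sum(r[k] for r in report.values())
            for k in ("own_local", "foreign_held", "own_remote")}


def build_demo(n_nodes: int = 200, records_per_node: int = 5):
    """Constructed network: n_nodes small devices, each publishing a few
    address -> key mappings (the PNRP-style 'very few records' case)."""
    nodes = [f"pi-{i:03d}" for i in range(n_nodes)]
    records = {f"user{i}-{j}@example.test": n
               for i, n in enumerate(nodes) for j in range(records_per_node)}
    return ConsistentHashRing(nodes), records


if __name__ == "__main__":
    ring, records = build_demo()
    t = totals(placement_report(ring, records))
    print(f"{len(records)} records on {len(ring.ids)} nodes:")
    print(f"  held by their own publisher : {t['own_local']}")
    print(f"  held for strangers          : {t['foreign_held']}")
    print(f"  fetched from strangers      : {t['own_remote']}")
    # Under local storage every publisher holds exactly its own records
    # and fetches nothing; synchronization cost scales with records published.
```

With 200 nodes and 5 records each, roughly 1/200 of the records land on their own publisher; everything else is held for, and fetched from, strangers, which is exactly the trade Huitema says PNRP refused to make.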


Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Christian Huitema
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 Suppose, as in Bitcoin, my email address *is* my public key

You can even use some hash compression tricks so you only need 9 or 10 
characters to express the address as hash of the public key. 

That works very well, until you have to change the public key.

- -- Christian Huitema
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (MingW32)
Comment: Using gpg4o v3.1.107.3564 - http://www.gpg4o.de/
Charset: utf-8

iQEcBAEBAgAGBQJSHYUrAAoJELba05IUOHVQkb0H/ixGQK+kLx+SYp1FRJB5UF/Y
lEfP8UGt+FVUweq3N0OWG7JB4HJzg14+tLbYjpkq6tJdJJPdoyDUVX9NgNvHRwl0
ELB3xhpXtXUg1YbM+IPrGVHDJUp6oBMnM4LEjnT5UP9kSW3yrkm9tu7k3bo9Xq/i
gShIWOZcWVCxsY4WI/RetfXvLI/xZQwczxBzmTcSfB8w7khvpyr98VW5PMeX6Uu1
VBEN4dZiUIjKvhN0HMGMZtDrfbWeXIvGYkA5OjTeAGDExt5C+nvB3BCb87pGf8NJ
nTrRgLNJjU6hpD7giPD0SgLOe9uye5DXrUyOwSmHGCgqZjj/P07+i/nyJczwZ48=
=iZk1
-END PGP SIGNATURE-

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
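The scheme Jerry Leichter sketches above (an address of the form hint:public key, where the hint is only a routing suggestion and the key is the identity) and Christian Huitema's compressed form (a 9 or 10 character hash of the key) can be put together in a few dozen lines. The following is an added example, not code from the thread or from either author; it uses 32 random bytes as a stand-in for a real public key, encodes the long form with base64url and the compact form as the first 10 base32 characters (50 bits) of a SHA-256 fingerprint, and includes the check a client would run on a key fetched from any directory, plus the failure Huitema points at: after a key rotation every address already in circulation stops verifying.

```python
"""Added example: an email address that is (or pins) a public key.

Not from the mailing-list thread. The public key is a constructed 32-byte
stand-in (a real system would use e.g. an X25519 or Ed25519 key); the
10-character/50-bit compact id is one reading of "9 or 10 characters".
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass

SHORT_ID_CHARS = 10                 # Huitema's "9 or 10 characters"
SHORT_ID_BITS = SHORT_ID_CHARS * 5  # base32 carries 5 bits per character


def short_id(pubkey: bytes) -> str:
    """Compact id: first 50 bits of SHA-256(pubkey), base32, lower-case.

    An attacker who wants a different key to verify against this address
    needs on the order of 2**SHORT_ID_BITS hash evaluations.
    """
    fp = hashlib.sha256(pubkey).digest()
    return base64.b32encode(fp).decode().lower()[:SHORT_ID_CHARS]


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


@dataclass(frozen=True)
class Address:
    routing_hint: str   # "try here first"; an attacker can redirect this
    pubkey: bytes       # the identity: only its holder can read the mail

    def full(self) -> str:
        """Long form, hint:key, suitable for a link or a QR code."""
        return f"{self.routing_hint}:{_b64u(self.pubkey)}"

    def compact(self) -> str:
        """Short form, hint:hash-of-key, suitable for typing."""
        return f"{self.routing_hint}:{short_id(self.pubkey)}"


def parse_full(addr: str) -> Address:
    """Recover hint and key from the long form."""
    hint, _, keypart = addr.rpartition(":")
    keypart += "=" * (-len(keypart) % 4)   # restore stripped padding
    return Address(hint, base64.urlsafe_b64decode(keypart))


def key_matches_address(addr: str, fetched_key: bytes) -> bool:
    """Check a key obtained from a lookup service against the address.

    Accepts either form. If this fails, the directory (or the path to it)
    handed back someone else's key and the message must not be sent.
    """
    _, _, idpart = addr.rpartition(":")
    return idpart == short_id(fetched_key) or idpart == _b64u(fetched_key)


def rotation_breaks_old_addresses(hint: str, old_key: bytes, new_key: bytes) -> bool:
    """Huitema's caveat: once the key changes, the compact address that
    people already hold no longer verifies against the new key."""
    old_compact = Address(hint, old_key).compact()
    return not key_matches_address(old_compact, new_key)


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # constructed stand-in public key
    me = Address("leichter@lrw.com", key)   # routing hint from the thread
    print("long   :", me.full())
    print("compact:", me.compact())
    print("directory key verifies:", key_matches_address(me.compact(), key))
    print("after rotation, old address fails:",
          rotation_breaks_old_addresses(me.routing_hint, key, secrets.token_bytes(32)))
```

The hint can be wrong or hijacked without harm to confidentiality, since the sender encrypts to the key the address carries; what the compact form buys in typeability it pays for in the 50-bit forgery cost and in the rotation problem, neither of which the long form has.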