Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 2014-07-11 07:45, Kevin wrote:
> On 7/10/2014 4:39 PM, John Young wrote:
>> https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/

With Silent Circle, when Ann talks to Bob, does Ann get Bob's public key from Silent Circle, and Bob get Ann's public key from Silent Circle?

If they do it that way, Silent Circle is a single point of failure which can, and probably will, be co-opted by governments.

If they don't do it that way, how do they do it?

Obviously we need a hash chain that guarantees that Ann sees the same public key for Ann as Bob sees for Ann.

Does Silent Circle do that?

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
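The append-only key directory James asks about, as an added example that is not part of any post in this thread: a hypothetical hash-chained log of (user, public key) bindings, where Ann and Bob detect an equivocating directory by comparing chain heads. The `KeyLog` class, the sample key strings and the `demo()` scenario are all constructed for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # head of an empty chain

def entry_hash(prev_hash, user, pubkey):
    # Each entry binds (user, key) to the hash of the previous entry, so the chain is append-only:
    # changing or dropping any earlier binding changes every later hash, including the head.
    body = json.dumps({"prev": prev_hash, "user": user, "key": pubkey}, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

class KeyLog:
    """Hypothetical key directory: a hash chain of (user, public key, entry hash) triples."""
    def __init__(self):
        self.entries = []

    def append(self, user, pubkey):
        self.entries.append((user, pubkey, entry_hash(self.head(), user, pubkey)))

    def head(self):
        return self.entries[-1][2] if self.entries else GENESIS

    def lookup(self, user):
        for u, k, _ in reversed(self.entries):   # most recent binding wins
            if u == user:
                return k
        return None

def verify_chain(entries):
    prev = GENESIS
    for user, key, digest in entries:
        if entry_hash(prev, user, key) != digest:
            return False
        prev = digest
    return True

def same_view(ann_log, bob_log):
    # Ann and Bob each verify the chain they were served, then compare heads over a channel the
    # directory does not control (gossip, an out-of-band check). Equal heads mean identical histories.
    return verify_chain(ann_log.entries) and verify_chain(bob_log.entries) and ann_log.head() == bob_log.head()

def demo():
    honest = KeyLog()
    honest.append("ann", "ANN-PUBKEY-1")       # constructed sample keys
    honest.append("bob", "BOB-PUBKEY-1")
    forked = KeyLog()                           # what an equivocating directory serves to Bob
    forked.append("ann", "ATTACKER-PUBKEY")
    forked.append("bob", "BOB-PUBKEY-1")
    return same_view(honest, honest), same_view(honest, forked)
```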
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 11/07/14 11:27, James A. Donald wrote:
> On 2014-07-11 07:45, Kevin wrote:
>> On 7/10/2014 4:39 PM, John Young wrote:
>>> https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/
>
> With Silent Circle, when Ann talks to Bob, does Ann get Bob's public key from Silent Circle, and Bob get Ann's public key from Silent Circle?

For phone calls they use ZRTP, so Ann and Bob can verbally compare short authentication strings after the key exchange to detect a MITM, *if* they know each other's voices and their voices can't be faked. ZRTP carries keying material forward from one session to another so it isn't necessary to do this every time.

For messaging it's the same, except the verbal confirmation happens out-of-band. The protocol spec seems to have been taken offline recently, but it's archived here:

https://web.archive.org/web/20140125121552/https://silentcircle.com/static/download/SCIMP%20paper.pdf

Cheers,
Michael
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 11/07/2014 11:27 am, James A. Donald wrote:
> On 2014-07-11 07:45, Kevin wrote:
>> On 7/10/2014 4:39 PM, John Young wrote:
>>> https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/
>
> With Silent Circle, when Ann talks to Bob, does Ann get Bob's public key from Silent Circle, and Bob get Ann's public key from Silent Circle?
>
> If they do it that way, Silent Circle is a single point of failure which can, and probably will, be co-opted by governments.
>
> If they don't do it that way, how do they do it?
>
> Obviously we need a hash chain that guarantees that Ann sees the same public key for Ann as Bob sees for Ann.
>
> Does Silent Circle do that?

While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago; we need more than just 1980s PKI ideas with elegant proofs.

If they haven't got an answer to that question, then I'd wonder if the product is a throwaway for real security purposes. (By throwaway, I mean the drug dealer's trick of using each phone/SIM for one call, then dropping it in the river.)

iang

ps; John's point is well taken. We don't have a way to escape success being targeted. We don't have a way to pay for many small enclaves with their own tech. We're stuck in a rocky business.
[cryptography] hashes based on lots of concatenated LUT lookups
It's hard to make a cryptocurrency hash that's ASIC-proof. Cheap/multisource server/PC COTS hardware has large memory size, and intrinsic random access latencies that can't be much improved upon for physical reasons (embedded memory is limited in size due to die yield reasons, so large LUTs are always much slower than embedded memory).

As such any hash that needs lots of serial/concatenated lookups on large (several GByte), random (same preparation as one-time pads) memory-locked LUTs to compute is ASIC/FPGA/GPU-proof since it can't be parallelized without replicating the expensive LUT. Dedicated hardware LUT doesn't have price advantages over COTS-based LUT, though at very large scales LUTs requiring no refresh are more energy-efficient. LUT size can be variable to track technology improvements.

Distribution of several GByte LUT across participating nodes is not too difficult with P2P protocols (Bittorrent Co) as it only happens once on bootstrap. Memory-bound code, especially if run at low priority, does not make end user all-purpose (ASIC is intrinsically special-purpose) hardware unusable for other tasks the way GPU mining is.

How would you construct such a hash?
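One way to build the serial-lookup hash asked about above, as an added example that is not from any post in this thread: a small constructed table stands in for the multi-GByte LUT, and every lookup index is derived from the previous hash state, so the lookups cannot be issued in parallel or prefetched. The names `make_lut`, `lut_hash`, `mine` and `verify` are this example's own, not an existing coin's API.

```python
import hashlib

def make_lut(seed, n_words):
    """Constructed sample LUT: n_words pseudo-random 32-byte words expanded from a seed.
    A deployed table would be several GByte, distributed once (e.g. via P2P) to every node."""
    return [hashlib.sha256(seed + i.to_bytes(8, "big")).digest() for i in range(n_words)]

def lut_hash(lut, data, rounds):
    # Each lookup index is taken from the previous state, so the `rounds` lookups form a strict
    # serial dependency chain: no address is known before the prior fetch completes, and the
    # whole table must be resident because the indices are spread uniformly over it.
    state = hashlib.sha256(data).digest()
    for _ in range(rounds):
        idx = int.from_bytes(state[:8], "big") % len(lut)
        state = hashlib.sha256(state + lut[idx]).digest()
    return state

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mine(lut, header, difficulty_bits, rounds=64):
    """Proof-of-work search: the first nonce whose LUT hash has >= difficulty_bits leading zero bits."""
    nonce = 0
    while True:
        digest = lut_hash(lut, header + nonce.to_bytes(8, "big"), rounds)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest
        nonce += 1

def verify(lut, header, nonce, digest, difficulty_bits, rounds=64):
    # Verification costs the same `rounds` serial lookups as a single mining attempt, so every
    # verifying node also needs the full table.
    recomputed = lut_hash(lut, header + nonce.to_bytes(8, "big"), rounds)
    return recomputed == digest and leading_zero_bits(digest) >= difficulty_bits

if __name__ == "__main__":
    lut = make_lut(b"constructed-seed", 4096)          # 4096 x 32 bytes; a toy size
    nonce, digest = mine(lut, b"block-header", 12)
    print(nonce, digest.hex(), verify(lut, b"block-header", nonce, digest, 12))
```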
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 2014-07-11 20:59, Michael Rogers wrote:
> For phone calls they use ZRTP, so Ann and Bob can verbally compare short authentication strings after the key exchange to detect a MITM, *if* they know each other's voices and their voices can't be faked. ZRTP carries keying material forward from one session to another so it isn't necessary to do this every time.
>
> For messaging it's the same, except the verbal confirmation happens out-of-band. The protocol spec seems to have been taken offline recently, but it's archived here:
>
> https://web.archive.org/web/20140125121552/https://silentcircle.com/static/download/SCIMP%20paper.pdf

If it takes more than one click, end users are not going to do it.
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
ianG i...@iang.org writes:
> On 11/07/2014 11:27 am, James A. Donald wrote:
>> On 2014-07-11 07:45, Kevin wrote:
>>> On 7/10/2014 4:39 PM, John Young wrote:
>>>> https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/
>>
>> With Silent Circle, when Ann talks to Bob, does Ann get Bob's public key from Silent Circle, and Bob get Ann's public key from Silent Circle?
>>
>> If they do it that way, Silent Circle is a single point of failure which can, and probably will, be co-opted by governments.
>>
>> If they don't do it that way, how do they do it?
>>
>> Obviously we need a hash chain that guarantees that Ann sees the same public key for Ann as Bob sees for Ann.
>>
>> Does Silent Circle do that?
>
> While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago; we need more than just 1980s PKI ideas with elegant proofs.

Note there's a philosophical issue here. A very good actress could convince Bob that she's Ann no matter how high the bandwidth of their communication, such as intimate body contact. The only individual in the universe who is qualified to authoritatively deny the actress' claim is Ann. To convince Bob, she needs something the actress cannot have, such as the password to her encryption key.

--
-- StealthMonger
Long, random latency is part of the price of Internet anonymity.
Key: mailto:stealthsuite nym.mixmin.net?subject=send%20stealthmonger-key
Re: [cryptography] hashes based on lots of concatenated LUT lookups
Dear Eugen:

There have been several experiments in this direction, using memory-hard proofs-of-work. For example, this was the motivation for Litecoin (https://en.wikipedia.org/wiki/Litecoin) to use scrypt in its Proof-of-Work. To my knowledge, the state-of-the-art design is John Tromp's Cuckoo PoW: https://github.com/tromp/cuckoo

In my opinion, this is a promising direction to take. It might still succumb to centralization-of-mining in the long-term, but maybe not. There's a possibility it would settle into an economic equilibrium in which independent/hobbyist/small-time mining is sufficiently rewarding, but customized, large-scale, vertically-integrated mining is not rewarding enough to justify its costs. Among anti-mining-centralization techniques that I've studied, this is the only one that is easy to implement in the near-term, and doesn't come with too many complications and risks for near-term deployment.

For the contrarian view, arguing that ASIC-resistance is either undesirable and/or impossible, see this whitepaper by andytoshi: http://download.wpsoftware.net/bitcoin/asic-faq.pdf . I disagree with the conclusions, but it makes some good arguments.

For a survey of state-of-the-art ideas about Proof-of-Stake — ideas which *aren't* easily implementable and which *do* come with complexity, uncertainty, and risk — see Vitalik Buterin's latest opus: https://blog.ethereum.org/2014/07/05/stake/ . That guy is a good thinker and writer! And he appears to have been reading my mind. As well as adding in a bunch of ideas that were not in my mind, from such sources as http://eprint.iacr.org/2014/452.pdf .

Regards,
Zooko
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 07/11/2014 04:23 PM, StealthMonger wrote:
>> While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago; we need more than just 1980s PKI ideas with elegant proofs.
>
> Note there's a philosophical issue here. A very good actress could convince Bob that she's Ann no matter how high the bandwidth of their communication, such as intimate body contact.

Besides getting the timing of your MitM right, attacking ZRTP requires mimicking _both_ persons' voices. So you need (at best) more than one Eve, mimicking Bob and Alice at the right time by speaking out some words displayed on the phones. I am leaving out all the details of hash commitments before ZRTP's DH etc., because they are not relevant here.

There is a new, somewhat related paper presented here at SOUPS about mimicking voice:
https://www.usenix.org/system/files/conference/soups2014/soups14-paper-panjwani.pdf

The next question here is how the implementation handles that verification. Does the implementation a) ask to cancel the call if something seems wrong, or b) prevent you from proceeding by asking you whether the spoken word equals the displayed one and whether the voice sounds like Bob? yes/no.

I don't know of any app that implements b), but I haven't tested SilentCircle's apps. I personally think that people will _not_ cancel the application without being explicitly asked to do so, even when the words do not sound like being said by your friend Bob.

Conclusively, I think ZRTP is a nice approach, but thinking of your average Jonny: he will not cancel the conversation just because the voice sounds strange (only when the verification words were spoken; maybe the voice quality was just bad...)

Regards
Dominik
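The ZRTP mechanism Michael describes and Dominik discusses, as an added example that is not code from any post in the thread or from Silent Circle: a toy Diffie-Hellman exchange with the initiator's hash commitment, the short authentication string (SAS) each side displays, and the two-exchange MITM in which Ann's and Bob's SAS strings no longer match. The group parameters, the 16-byte encoding and the `session`/`honest_call`/`mitm_call` names are constructed for this illustration; real ZRTP (RFC 6189) uses 3072-bit MODP or elliptic-curve groups and hashes the SAS over the full key-agreement transcript.

```python
import hashlib

# Toy DH parameters (constructed for illustration only; far too small for real use).
P = 2 ** 127 - 1
G = 3
B32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet, as used by ZRTP's "B32" SAS type

def ib(n):
    return n.to_bytes(16, "big")           # every value here is < 2**128

def pub(priv):
    return pow(G, priv, P)

def commit(pub_i):
    # Hash commitment: the initiator commits to its DH value before seeing the responder's, so a
    # MITM cannot search for a DH value that makes the two displayed SAS strings collide.
    return hashlib.sha256(ib(pub_i)).digest()

def sas(shared, pub_i, pub_r):
    # 20 bits of a hash over the shared secret and both DH values, shown as 4 z-base-32 characters.
    d = hashlib.sha256(ib(shared) + ib(pub_i) + ib(pub_r)).digest()
    bits = int.from_bytes(d[:3], "big") >> 4
    return "".join(B32[(bits >> s) & 31] for s in (15, 10, 5, 0))

def session(priv_i, priv_r):
    """One DH exchange between an initiator and a responder; returns (initiator SAS, responder SAS)."""
    pub_i, pub_r = pub(priv_i), pub(priv_r)
    c = commit(pub_i)                      # Commit: initiator -> responder, before any DH value
    # DHPart1: responder -> initiator sends pub_r; DHPart2: initiator -> responder reveals pub_i
    if hashlib.sha256(ib(pub_i)).digest() != c:
        raise ValueError("DHPart2 value does not match the Commit")
    return sas(pow(pub_r, priv_i, P), pub_i, pub_r), sas(pow(pub_i, priv_r, P), pub_i, pub_r)

def honest_call(ann_priv, bob_priv):
    return session(ann_priv, bob_priv)      # both sides display the same SAS

def mitm_call(ann_priv, bob_priv, eve_priv):
    # Eve terminates two separate DH exchanges, so Ann and Bob derive their SAS from different
    # keys; reading the SAS aloud exposes the mismatch, provided the voices cannot be faked.
    ann_sas, _ = session(ann_priv, eve_priv)
    _, bob_sas = session(eve_priv, bob_priv)
    return ann_sas, bob_sas
```

The check the user is expected to make is simply that the SAS they hear equals the one on their own screen; as Dominik notes, whether the app forces that comparison is an implementation choice.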