[147049] in cryptography@c2.net mail archive


Re: [Cryptography] Squaring Zooko's triangle

daemon@ATHENA.MIT.EDU (Guido Witmond)
Wed Sep 11 18:08:57 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 12 Sep 2013 00:04:14 +0200
From: Guido Witmond <guido@witmond.nl>
To: cryptography@metzdowd.com
In-Reply-To: <CAEqjXi=RGthxZa+MzXx6y=6GPCWX1ODd5DJrwfsr8NAttRPTdg@mail.gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 09/11/13 13:23, Paul Crowley wrote:
> From the title it sounds like you're talking about my 2007 proposal:
>
> http://www.lshift.net/blog/2007/11/10/squaring-zookos-triangle
> http://www.lshift.net/blog/2007/11/21/squaring-zookos-triangle-part-two
>
> This uses key stretching to increase the work of generating a colliding
> identifier from 2^64 to 2^88 steps.

Hi Paul,

Reading your blog, you've come up with a way to encode a public key into
a much more memorable string of words. Although the user is not free to
choose the name. I go a bit further in that direction.

In Eccentric Authentication, the usernames (nicknames) are composed of a
domain name and an account name. Just like email addresses. The domain
name is given by the site, the account name is your choice. As long as
it is unique for the site. (There can be a foo at google, a foo at
gmail, a foo at yahoo). Just as people expect email addresses to be
unique too.

To create a full name, the user chooses a site and opens an account
there. The account name is free to choose by the user (subject to
availability and site rules). If the requested account name is not yet
given, the site's local CA signs the name (and the user's public key)
into a client certificate.

You can use this certificate to log in at the site, but also to encrypt
and sign messages.

To make names Zooko-proof, you need to make sure that once a name is
given (bound to a value), it cannot be changed anymore.

For that I use a form of Certificate Registry for logging. Once you've
acquired a client certificate, you send it to the registry. It stores
the certificate keyed by its full name. I.e., anyone can look up the name
at the registry and retrieve your certificate.

This registry protects against man in the middle attacks. When you
encounter a signed message somewhere, you look up the certificate in the
registry. You should expect a single answer, namely, the certificate
that matches the signature on the message.

If you receive the matching certificate, it is proof that the full name
is unique and that the public key in the certificate can be used.

If you receive a single answer with a different certificate, you know
that someone is trying a mitm between you and the other party.
You submit the one that you've discovered to the registry so it will be
there for everyone to see.

If there are multiple certificates (bearing that same full name) signed
by the same CA, it's them who became dishonest. The protocol explicitly
calls the site Dishonest.

If there are multiple entries bearing the same name but from different
CAs, there has been a DNSSEC registry hack. The site should change
DNSSEC-registrar. And the key is useless.

In general, every once in a while you check that your name is still
unique, just to make sure that the site keeps its requirement to hand
out each name only once.

You also check out the names of new communication partners, just before
and slightly longer after first contact. When you still only find your
and their names with the expected nickname, there has been no mitm and
you have validated that person's public key. (As described in my blog
"The Holy Grail of Cryptography" [0].) You can keep using this person's
public key, even if the site gets compromised later. Just add it in your
address book.


I hope it has become clear how I square the triangle. Feel free to point
out omissions, request clarifications.

With kind regards, Guido Witmond

0: http://eccentric-authentication.org
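The registry lookup and the four outcomes described in the message above (matching certificate, a single different certificate meaning a mitm attempt, multiple certificates from the same CA meaning a dishonest site, multiple certificates from different CAs meaning a DNSSEC registry hack), written out as an added Python example. This is not code from the mail or from the Eccentric Authentication project; the `ClientCert`, `CertRegistry` and `classify` names, the in-memory registry, the SHA-256 fingerprint and the "unregistered" outcome for a name the registry has never seen are assumptions made for the illustration.

```python
"""Added illustration of the certificate-registry check described in the mail.

Assumptions (not from the original message): certificates are modelled as a
small dataclass, the registry is an in-memory append-only dict, and a name
that the registry has never seen yields the extra outcome "unregistered".
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class ClientCert:
    """A client certificate: full name (account@domain), issuing site CA, key."""
    full_name: str    # e.g. "alice@example.com" (constructed sample format)
    issuer_ca: str    # the site's local CA that signed the name and key
    public_key: bytes

    def fingerprint(self) -> str:
        # Short SHA-256 fingerprint of the public key, for display only.
        return hashlib.sha256(self.public_key).hexdigest()[:16]


class CertRegistry:
    """Append-only log keyed by full name: a name, once bound, is never replaced."""

    def __init__(self) -> None:
        self._by_name: dict[str, list[ClientCert]] = defaultdict(list)

    def submit(self, cert: ClientCert) -> None:
        # Duplicate submissions of the identical certificate are ignored;
        # a different certificate for the same name is kept alongside it.
        if cert not in self._by_name[cert.full_name]:
            self._by_name[cert.full_name].append(cert)

    def lookup(self, full_name: str) -> list[ClientCert]:
        return list(self._by_name.get(full_name, []))


def classify(registry: CertRegistry, observed: ClientCert) -> str:
    """Check a certificate seen on a signed message against the registry.

    Returns one of:
      "valid"               single entry, identical to the observed certificate
      "mitm"                single entry, but a different certificate; the
                            observed one is published so everyone can see it
      "dishonest-site"      several entries for the name, all from the same CA
      "dnssec-registry-hack" several entries for the name from different CAs
      "unregistered"        (assumption) the name is not in the registry at all
    """
    entries = registry.lookup(observed.full_name)
    if not entries:
        return "unregistered"
    if len(entries) == 1:
        if entries[0] == observed:
            return "valid"
        registry.submit(observed)  # make the conflicting certificate public
        return "mitm"
    issuers = {c.issuer_ca for c in entries}
    if len(issuers) == 1:
        return "dishonest-site"
    return "dnssec-registry-hack"


def periodic_self_check(registry: CertRegistry, own_cert: ClientCert) -> bool:
    """The 'every once in a while' check: is my own name still unique?"""
    return classify(registry, own_cert) == "valid"


if __name__ == "__main__":
    # Constructed sample data, not real certificates.
    reg = CertRegistry()
    alice = ClientCert("alice@example.com", "ca.example.com", b"alice-key")
    reg.submit(alice)
    print("own name unique:", periodic_self_check(reg, alice))
    impostor = ClientCert("alice@example.com", "ca.example.com", b"impostor-key")
    print("impostor seen:", classify(reg, impostor))   # mitm
    print("after publishing:", classify(reg, alice))  # dishonest-site
```

The same `classify` call serves both the check on a new communication partner and the periodic check on one's own name; the difference is only whose certificate is passed in. Note that publishing the conflicting certificate in the "mitm" case changes what every later lookup returns, which is the point of the append-only registry.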
