[cryptography] preventing protocol failings

James A. Donald jamesd at echeque.com
Sat Jul 23 00:06:04 EDT 2011


On 2011-07-23 7:29 AM, Marsh Ray wrote:
 > What does the user see when they *are* under attack and the
 > server authentication step fails?

Then his task fails.

 > How do the security properties change when the user clicks
 > on a link in a phishing email?

A phishing email is normally phishing for shared secrets.
Don't use shared secrets - recall our previous discussion
about EKE.

More generally, when someone contacts me on skype, they can never 
successfully pretend to be one of my existing contacts.  Why should 
someone who contacts me by email be able to pretend to be one of my 
existing contacts?

 > The design says
 >> A webkey is the moral equivalent of a password, but one
 >> the user treats as a bookmark and that controls access to
 >> a specific object
 >
 > So what do you do when one of these webkey passwords
 > eventually does get disclosed? Can you revoke it or is is
 > equivalent to the name of the document?

Let us suppose that everything in network - users, mutable
files, and immutable files and anything else of interest, is
identified by zooko's triangle.

Then you cannot revoke the globally unique name of the
document, which is both its decryption key, and the means by
which it is to be found.  You could however delete the
document, and issue a new trivially different document -
differing perhaps only in being version 1.1 in place of 1.0.

 > How do you specify "what file" without an existing server
 > authentication infrastructure?
 >
 > How do you specify "who" without presuming an existing user
 > identity and authentication infrastructure?

We already identify users, documents, and web addresses by
lengthy and not very intelligble globally unique names.  For
example the contacts list of your email program has short,
non unique names for these contacts, and longer, less
memorable, globally unique names.  Similarly for the
bookmarks in your browser.

Why should these not contain keys, or hashes of keys?



More information about the cryptography mailing list