[Cryptography] Thoughts about keys

Perry E. Metzger perry at piermont.com
Mon Sep 2 14:10:14 EDT 2013


On Mon, 2 Sep 2013 19:53:03 +0200 Faré <fahree at gmail.com> wrote:
> On Mon, Sep 2, 2013 at 7:19 PM, Perry E. Metzger
> <perry at piermont.com> wrote:
> > On Mon, 2 Sep 2013 03:00:42 +0200 Faré <fahree at gmail.com> wrote:
> >> >> At intervals, the trustworthy organization (and others like
> >> >> it) can send out email messages to Alice, encrypted in said
> >> >> key, saying "Hi there! Please reply with a message containing
> >> >> this magic cookie, encrypted in our key, signed in yours."
> >> >>
> >> The cookie better not be a value that the organization can
> >> skew with its own "random" source, but be based on a digest of
> >> consensual data, such as the date (with sufficiently coarse
> >> resolution), the top of the consensual database (if any),
> >> public weather measurements from previous day, etc.
> >
> > I don't understand why. The security requirement is that third
> > parties must *not* be able to predict the token, because then they
> > could sign the token without controlling the email address. The
> > only organization that can know the cookie is actually the
> > organization sending the cookie out. You appear to have inverted
> > the security requirement...
> >
> In my scheme, no one can predict it, everyone can postdict it,
> *after* the "trusted" organization published its salt, at which
> point it's too late to send it signed confirmations.
> Therefore, neither side can cheat.

I don't see what threat this averts. If the sending organization is
cheating, this does not stop them from pretending that they received
a signed cookie in a round trip. It just seems to add complexity. The
only interesting form of cheating I can think of is pretending a
round trip existed when it did not.

> In particular, the "trusted" organization has precious little power
> to extract information by handing users carefully crafted cookies.

I don't see how that is an issue either, unless you are referring to
chosen plaintext attacks, but the encryption format had better
already defend against those.

> For even less power, the organization can publish digests of its
> salts years in advance.

Again, I don't understand the threat being defended against. Can you
articulate exactly what was possible before that is not possible in
the scheme you propose?

Perry
-- 
Perry E. Metzger		perry at piermont.com
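The commit-then-reveal cookie derivation Faré describes (digest of the salt published in advance, cookie bound to public "consensual" data, salt revealed only after the confirmation window), worked through as an added example that is not part of this thread. The salt, date and database-head values are constructed, and SHA-256 for the commitment and HMAC-SHA-256 for the cookie are assumptions, not anything the thread specifies.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the thread): a salt the organization keeps
# secret until after the confirmation window, and the public "consensual" data
# the cookie is bound to (coarse date, head of a shared database).
SALT = b"constructed-salt-kept-secret-until-reveal"
CONSENSUAL = {"date": "2013-09-02", "db_head": "constructed-db-head-hash"}


def commit_salt(salt: bytes) -> str:
    """Digest the organization publishes in advance, committing it to the salt."""
    return hashlib.sha256(b"commit|" + salt).hexdigest()


def canonical(consensual: dict) -> bytes:
    """Fixed ordering so everyone derives the same bytes from the same public data."""
    return "|".join(f"{k}={consensual[k]}" for k in sorted(consensual)).encode()


def derive_cookie(salt: bytes, consensual: dict) -> str:
    """Cookie = digest of the secret salt and the public consensual data.  Before
    the reveal nobody else can compute it; after the reveal anyone can recompute it."""
    return hmac.new(salt, canonical(consensual), hashlib.sha256).hexdigest()


def verify_postdicted(commitment: str, revealed_salt: bytes,
                      consensual: dict, cookie_seen: str) -> bool:
    """Anyone's check once the salt is public: the salt matches the earlier
    commitment, and the cookie that went out is the one derived from the
    consensual data rather than one picked from a private 'random' source."""
    if not hmac.compare_digest(commit_salt(revealed_salt), commitment):
        return False
    return hmac.compare_digest(derive_cookie(revealed_salt, consensual), cookie_seen)


def run_round():
    """One round: commit, send cookie, reveal salt, postdict.  Returns the
    honest result and two tampered results for comparison."""
    commitment = commit_salt(SALT)            # published well in advance
    cookie = derive_cookie(SALT, CONSENSUAL)  # sent to Alice during the window
    honest = verify_postdicted(commitment, SALT, CONSENSUAL, cookie)
    # Organization hands Alice a hand-picked cookie instead: caught at reveal time.
    skewed = verify_postdicted(commitment, SALT, CONSENSUAL, "f" * 64)
    # Organization reveals a salt it never committed to: also caught.
    swapped = verify_postdicted(commitment, b"some-other-salt", CONSENSUAL, cookie)
    return honest, skewed, swapped
```

Note that, as Perry's reply points out, this only lets outsiders check that the cookie was derived honestly; it says nothing about whether a signed reply actually came back.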

