[Cryptography] Thoughts about keys

Faré fahree at gmail.com
Mon Sep 2 13:53:03 EDT 2013 

On Mon, Sep 2, 2013 at 7:19 PM, Perry E. Metzger <perry at piermont.com> wrote:
> On Mon, 2 Sep 2013 03:00:42 +0200 Faré <fahree at gmail.com> wrote:
>> >> At intervals, the trustworthy organization (and others like it)
>> >> can send out email messages to Alice, encrypted in said key,
>> >> saying "Hi there! Please reply with a message containing this
>> >> magic cookie, encrypted in our key, signed in yours."
>> >>
>> The cookie better not be a a value that the organization can
>> skew with its own "random" source, but be based on a digest of
>> consensual data, such as the date (with sufficiently coarse
>> resolution), the top of the consensual database (if any),
>> public weather measurements from previous day, etc.
>
> I don't understand why. The security requirement is that third
> parties must *not* be able to predict the token, because then they
> could sign the token without controlling the email address. The only
> organization that can know the cookie is actually the organization
> sending the cookie out. You appear to have inverted the security
> requirement...
>
In my scheme, no one can predict it, everyone can postdict it,
*after* the "trusted" organization published its salt, at which point
it's too late to send it signed confirmations.
Therefore, neither side can cheat.
In particular, the "trusted" organization has precious little power
to extract information by handing users carefully crafted cookies.
For even less power, the organization can publish digests of its salts
years in advance.

>> Then, each user can just broadcast his signature
>> of the previously unpredictable consensual data,
>> and various timestamping organizations can sign messages that say
>> "yes, I saw that at this time",
>> maybe charging some tiny usage fee in the process.
>
> But then *anyone* could broadcast the token because anyone could have
> predicted it.
>
You can't broadcast the signed token unless you have the user's key.
And sure, you can claim that you saw the signed token before the deadline,
but unless you got a tree the hash of which was published as an ad
in a reputable print institution, what value has your word?

> It is difficult to make the interchange of the token and the reply
> itself widely witnessed -- the way around that is to have many
So, to cheat, you need both the user's key and the trusted organization's
complicity. Or to have broken the digest, of course.

> organizations doing the interchanges so that one would have to suborn
> all of them.
>
Interchange is expensive.
Hopefully, you only need to reply to a handful of them every so many months.

—♯ƒ • François-René ÐVB Rideau •Reflection&Cybernethics• http://fare.tunes.org
The most exciting phrase to hear in science, the one that heralds new
discoveries, is not "Eureka!" (I found it!) but "That's funny ..."
                — Isaac Asimov

More information about the cryptography mailing list