<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Feb 8, 2017 at 9:26 AM, Joseph Kilcullen <span dir="ltr"><<a href="mailto:kilcullenj@gmail.com" target="_blank">kilcullenj@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div class="m_979164511051619840moz-cite-prefix">Yes, I agree with all this. I figure this solution will force the
phishers into the Certificate Authority domain. Force them to up
their game. Right now they don't need any TLS certificate. Also,
while I agree with your stories I hate a good solution being
dismissed because there are idiots out there. In my opinion proper
cryptographers should see the simplicity of this solution. The
responses I've got so far are very helpful because they indicate
people are just not reading my paper.<br></div></span>
<br>
They look at the picture and assume its SiteKey, which it is not!<br>
<br>
Thanks<br>
</div>
</blockquote></div><br></div><div class="gmail_extra">Good solutions are almost universally dismissed. The trick is to ignore the negative feedback and keep inventing new ideas, both good and bad.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Here's a story that highlights this in crypto. An undergrad student at UC Berkeley in the 1970's took a crypto class which required that each student pick a class project to implement during the course. This student came up with the following idea for a class project:</div><div class="gmail_extra"><br></div><div class="gmail_extra">- Alice and Bob want to communicate, but Eve sees every message that Alice and Bob send each other.</div><div class="gmail_extra">- Alice encrypts 1,024 strong keys (back then a strong key was 64 bits long), using random weak keys that are only 20 bits. The encrypted strong keys are MACed so that you can figure out when you've found the right 20-bit weak key.</div><div class="gmail_extra">- Alice sends the encrypted strong keys to Bob</div><div class="gmail_extra">- Bob picks one at random and guesses the weak 20-bit key to get the strong 64-bit key. This takes about 500,000 attempts to guess the weak key on average.</div><div class="gmail_extra">- Bob sends a message back to Alice, saying "I am using this key", encrypted with the strong key that Bob decrypted.</div><div class="gmail_extra">- Alice tries all 1024 strong keys that she generated, finds the correct one, and starts communicating with Bob using that strong key.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Eve sees all 1024 encrypted keys, but does not know which one Bob picked, so Eve has to crack on average 500 of them before she finds the one Bob picked. Assuming Eve has only similar compute power to Bob and Alice, Eve will most likely be kept out of the conversation for the time it takes to do 500,000,000 decryption attempts, probably hours or days.</div><div class="gmail_extra"><br></div><div class="gmail_extra">This scheme is the first publicly known public key cryptography, though the NSA claims they invented it first. The student invented public key crypto for an undergrad class project. It eventually revolutionized the entire field.</div><div class="gmail_extra"><br></div><div class="gmail_extra">The professor rejected the student's proposal, saying, "That's not how crypto is done." The student was so upset that he dropped the class and forgot about crypto entirely until he was in grad school at Stanford. That student was Ralph Merkle, and his invention is called <a href="https://en.wikipedia.org/wiki/Merkle's_Puzzles">Merkle Puzzles</a>. He's credited as the inventor of public key cryptography, among several other incredible inventions.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Bill</div></div>