cryptoIDs
Trevor Perrin
trevp at trevp.net
Thu Oct 16 05:53:30 EDT 2003
Hi cryptography,
I haven't posted here much, but I've got an idea I'd like to try to win
some converts / draw some criticism for. There's a paper, code, and other
stuff here: http://trevp.net#cryptoID. Here's the gist:
The goal is a system for encrypted & authenticated person-to-person
communications (email, voice, IM, etc.). It should be simple for people to
use, and easy for developers to plug into everything.
Such a system would address two problems:
- public-key distribution (how does Bob get Alice's public key)
- private-key management (how does Alice deal with her private key - keep
it secure yet accessible, recover from compromise, etc.)
The PKI approach is to use certs for the 1st, and, I guess, smartcards for
the 2nd. Instead, I think people should use fingerprints for the 1st and
certs for the 2nd.
Fingerprints would work well for key distribution since they're small
pieces of data, like phone numbers or email addresses. Users already know
how to handle these by exchanging them on business cards, writing or
speaking them, looking them up in directories, etc.. Similarly, software
already has address books to store these things, so it would be easy to add
another field for the fingerprint. Software would inform you when
something authenticates to a known fingerprint (a blinking indicator next
to a "pet name"[1], for example) .
One problem: fingerprints are large, thus not very user-friendly. But that
can be fixed, somewhat: if you use the "hash extension" technique from [2]
and base32 encoding, you can get 20 character fingerprints with a
reasonable security level (for example: to generate a fingerprint with a
security level of 120 bits requires a computation of ~15 seconds; if talk
of "generating" a fingerprint sounds strange see [2] or [3]). These
fingerprints (call them "cryptoIDs") would look like:
erbtr.isnx6.4fcuj.5yymj
frqtp.3jbrt.ukued.ngwwe
Not as short as one would like, but much better than the usual hex-coded
SHA-1. There's other problems with doing things via fingerprint, but
you'll have to see the paper - I'm trying (though failing) to be brief :-).
Anyways, for private-key management people should use certs - store your
root key (i.e. the key that matches the fingerprint) in a safe place (for
most people, this would be with their employer or a commercial service; but
the security-conscious can do whatever they want). Then have your root-key
issue you short-lived certs for use on your cell-phone, email client, web
browser, etc..
You could use PGP subkeys, X.509 proxy certs, or SPKI certs for this. But
all of them are either excessively complicated for this, lacking in
features, or both. So I designed a certificate format just for private-key
management. It's SPKI-like but a little simpler and I think does a couple
things better.
I'm eager for feedback, off-list or on. Nothing here is that novel, but to
me this seems a powerful, yet fairly simple, blend of techniques.
Trevor
[1] http://www.erights.org/elib/capability/pnml.html
[2] http://research.microsoft.com/users/tuomaura/CGA/
[3] http://trevp.net/cryptoID/cryptoID.html#3.3.1
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list