public-key: the wrong model for email?

Anne & Lynn Wheeler lynn at garlic.com
Fri Sep 17 11:11:05 EDT 2004 

At 05:35 PM 9/16/2004, Adam Shostack wrote:
>Generate a key for "unknown-recipient at foocorp.com" encrypt mail to
>Bob to that key.  When Bob shows up, decrypt and send over ssl.


note there is still the issue of knowing it is bob ... whether before the 
"transmission" or after the "transmission" .... and, in fact, the 
"transmission" itself is somewhat arbitrary.

in the physical world ... the base point is that the sender pays to 
physically transmit something. there is threat model of taking physical 
possession of whatever is being transmitted. they then pay extra for 
countermeasures wrong person taking physical possession. they also pay 
extra for extra care in delivery to the correct person.

the current electronic world ... the base point is that the sender doesn't 
actually pay per transmission. with encryption, the threat model is changed 
to possession of the unencrypted information. encryption (shared-secret or 
digital signatures) is also used to help with the issue of "delivery" to 
the correct person (although the convention is converted to the correct 
person decrypts the data).

so what is the difference between the sender setting up facility so that 
"when bob shows up" .... bob gets a decrypted version .... and say sending 
a version to some trusted 3rd party that is encrypted with the 3rd party's 
key ... and direction to only let bob have it when bob shows up. how does 
the 3rd party know its bob ... any better than the originating sender? note 
also in standard ssl ... the recipient generates a random symmetric key and 
sends it to the server, encrypted with the server's public key. there is 
nothing about how the server knows that the bob making the contact ... and 
the bob that is suppose to receive the information .... is the same entity.

so the 3rd party keeps the pre-transmitted encrypted stuff with directions 
to only give it to any entity that shows the magic something (the movie 
stuff about tearing a bill in half and the person needs to have the 
appropriate torn half).  the 3rd party holds it until bob contacts the 
sender and gets the magic something ... which they they can give to the 3rd 
party. given the nature of electronic transmission ... is that really 
substantially different than the sender waiting until bob contacts them 
before doing the original transmission.

if it is purely electronic world ... how does the sender get the necessary 
information to the correct bob ... so that the correct bob can give the 
stuff to the 3rd party ... to proove that they are the correct bob.

so possibly the only distinction ... is that the email communication 
between bob and the sender is non-real-time ... and the SSL communication 
is considered possibly real-time .... so the scenario isn't actually the 
information being transmitted between the sender and bob that is the issue 
... it is possibly the mechanics of real-time vis-a-vis non-realtime?

so the sender at some point has to trust bob's authentication information 
(whether directly and/or outsourced to 3rd party) ... say digital signature 
public key and may or may not trust that same key for encryption.

common pgp flow ... which effectively is the same as ssl ....  same process 
steps ... but possibly not in real time. sender looks up in some directory 
the contact information for bob,
this directory is trusted to map the contact process for bob to bob .... 
the directory may or may not also provide some authentication information 
for bob.  if the sender doesn't have authentication information for bob ... 
they send message to bob requesting authentication information. when they 
get that back, they vet the authentication information before using it to 
make sure it is actually for bob. so now they have a process which has some 
assurance of contacting bob and some assurance that bob can be authenticated.
this is pretty much true whether the actual sender is responsible for the 
steps or has been outsourced to some 3rd party.

now the issue is wether or not the authentication information is also 
trusted to securely protect the classified information during transmission 
(aka public key).  possible scenario if sender  requires different 
encryption keys from authentication information:

1) sender sends message to bob saying classifed document is waiting. bob 
generates secret key, digitally signs it, encrypts it with the senders 
public key and returns it to the sender. this could be all email exchange 
... or possibly combination of email and ssl .... it could also be directly 
with the sender or a 3rd party agent on the sender's behalf.

2) the sender decrypts bob's message, validates the digital signature, 
encrypts the classified information with bob's secret key and sends the 
information to bob. the sender's process can be email or ssl ... and can 
either directly be the sender ... or a 3rd party acting on the sender's behalf.

for efficiency purposes .... the acquisition of bob's authentication 
information and possible encryption key might be collapsed into single 
round trip. sender (or 3rd party on sender's behalf) send bob a message 
that they need both bob's authentication information .... as well as a 
digitally signed, randomly generated secret key ... which is encrypted with 
the supplied public key. the sender/3rd party then has to vet bob's 
authentication information .... before using the randomly generated secret 
key. again, the exchange could be purely non-real-time email .... or 
combination of email and real-time ssl.

sort of practical issues:

given that the electronic paradigm have enuf differences from the physical 
world sending model (i.e. sender doesn't pay in the base case) .... can 
sender's be induced to pay 3rd party to outsource some of the operations?

given that the there are some number of other vulnerabilities and exploits 
in the overall infrastructure .... is the treat model specifically to 
trusting bob's public key for both authentication and confidential 
transmission .... sufficient to impose the extra processes (and/or convince 
sender's that they need to pay extra money for outsourcing to 3rd parties).

since the paradigm issue of securely transmitted has changed from secure 
physical movement to safe encryption .... a 3rd party may only have to 
provide a business of assuring recipients'  public keys for "safe" 
transmission (as opposed to actually doing the transmission). everybody 
gets to generate their own public/private key pair for authentication. the 
same key pair is not used for both authentication and encryption. people 
may also generate their own encryption key pair.

senders either trust a recipient's encryption key pair ... or they don't. 
if the sender doesn't trust a recipient's encryption key pair .... they ask 
for a encryption public key that has been issued by a trusted 3rd party ... 
and for which the 3rd party is willing to attest to. there is an issue of 
how the issued private key has gotten to the recipient ... but that isn't a 
whole lot of difference than the process of a recipient exchanging a real 
secret key for transmission. there is an issue of whether or not the 
recipient has continued to protect the encryption private key .... but that 
isn't a whole lot difference than whether or not the recipient has the 
facility to protect the unencrypted classified document (once they receive it).

the physical world has the sender outsourcing and paying for the actual 
secure physical movement .... and some assurance that it only goes to the 
intended recipient. translated to the electronic world ... the paradigm has 
been changed to the use of encryption to make sure wrong people don't have 
the unencrypted version ... and various kinds of authentication processes. 
so the critical processes has changed not from the actual movement of the 
data ... but the encryption process "gatekeepers" .... aka the integrity 
and management of keys used for authentication and decryption. so rather 
than focus on the actual electronic transmission processes .... focus on 
the issues related to the keys.

--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/ 


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list