Dutch Transport Card Broken

James A. Donald jamesd at echeque.com
Mon Feb 4 17:17:32 EST 2008


Nicolas Williams wrote:
 > Sounds a bit like SCTP, with crypto thrown in.

SCTP is what we should have done http over, though of
course SCTP did not exist back then.  Perhaps, like
quite a few other standards, it still does not quite
exist.

 > I thought it was the latency cause by unnecessary
 > round-trips and expensive key exchange crypto that
 > motivated your proposal.  The cost of session crypto
 > is probably not as noticeable as that of the latency
 > of key exchange and authentication.

The big problem is that between the time one logs on to
one's bank, and the time one logs off, one is apt to
have done lots and lots of cryptographic key exchanges.
One key exchange per customer session is a really small
cost, but we have a storm of them.

Whenever the web page shows what is particular to the
individual rather than universal, it uses a session
cookie, visible to server side web page code.
Encryption, the bundle of shared secrets that enable
encrypted communications, should be visible at that
level, should be a session cookie characteristic rather
than a low level transport characteristic, should have
the durability and scope of a session cookie, instead of
the durability and scope of a transaction.

Because we use encryption merely at a level where it is
logically transient, because it protects transactions
rather than relationships, the connections are too
costly, and fail to provide the information about
relationships that are needed to protect the user.

If we had implemented http over something like SCTP,
then an SCTPlike connection value should have been a
cookie.  One should have been able to look at the
SCTPlike connection value in the server side page code,
and be pretty sure that if the person is the same, the
connection value will be unchanged, so that one could
then associate additional state with the connection
value - encryption being some more state.

Encryption parameters have more in common with session
cookies than with transactions.  They should be about
relationships, not data transport.

If encryption setups were made and discarded only as
often as session cookies, not so costly.  It is making
them and discarding them as often as transactions that
hurts. Also, the fact that they are so frequently
discarded means that scope information is unavailable to
secure relationships, means we cannot provide useful
information to the end user about who he is really
talking to, because the encryption does not know about
relationships, even though encryption should be about
relationships.

With encryption merely at the transactional level, the
browser can know the true name of website you are
looking at, that being merely a page property, but
cannot know what relationship you think you are
participating in.  To provide security, client side
code, browser chrome, needs to know not the true name of
the web site, but if you are at a web site where you
have user name or durable user ID.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list