[Cryptography] Thoughts about keys

Perry E. Metzger perry at piermont.com
Mon Sep 2 14:10:14 EDT 2013

On Mon, 2 Sep 2013 19:53:03 +0200 Faré <fahree at gmail.com> wrote:
> On Mon, Sep 2, 2013 at 7:19 PM, Perry E. Metzger
> <perry at piermont.com> wrote:
> > On Mon, 2 Sep 2013 03:00:42 +0200 Faré <fahree at gmail.com> wrote:
> >> >> At intervals, the trustworthy organization (and others like
> >> >> it) can send out email messages to Alice, encrypted in said
> >> >> key, saying "Hi there! Please reply with a message containing
> >> >> this magic cookie, encrypted in our key, signed in yours."
> >> >>
> >> The cookie better not be a value that the organization can
> >> skew with its own "random" source, but be based on a digest of
> >> consensual data, such as the date (with sufficiently coarse
> >> resolution), the top of the consensual database (if any),
> >> public weather measurements from previous day, etc.
> >
> > I don't understand why. The security requirement is that third
> > parties must *not* be able to predict the token, because then they
> > could sign the token without controlling the email address. The
> > only organization that can know the cookie is actually the
> > organization sending the cookie out. You appear to have inverted
> > the security requirement...
> >
> In my scheme, no one can predict it, everyone can postdict it,
> *after* the "trusted" organization published its salt, at which
> point it's too late to send it signed confirmations.
> Therefore, neither side can cheat.

I don't see what threat this averts. If the sending organization is
cheating, this does not stop them from pretending that they received
a signed cookie in a round trip. It just seems to add complexity. The
only interesting form of cheating I can think of is pretending a
round trip existed when it did not.

> In particular, the "trusted" organization has precious little power
> to extract information by handing users carefully crafted cookies.

I don't see how that is an issue either, unless you are referring to
chosen plaintext attacks, but the encryption format had better
already defend against those.

> For even less power, the organization can publish digests of its
> salts years in advance.

Again, I don't understand the threat being defended against. Can you
articulate exactly what was possible before that is not possible in
the scheme you propose?

Perry E. Metzger		perry at piermont.com
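The commit-then-reveal cookie derivation Faré describes in the quoted text, written out as an added example (it is not code from either participant in the thread). The organization publishes a digest of its salt in advance, derives the cookie as a keyed digest of consensual data (date, database head, public weather) under that salt, and later reveals the salt so anyone can recompute and check the cookie. All sample values are constructed for the example; the field names and the use of SHA-256/HMAC are assumptions, not something the thread specifies.

```python
import hashlib
import hmac

# Constructed sample values for this example; none of them come from the thread.
EXAMPLE_SALT = b"constructed-example-salt-do-not-reuse"
EXAMPLE_DATA = {
    "date": "2013-09-02",                        # date at coarse resolution
    "database_top": "constructed-head-digest",   # top of a consensual database
    "weather_prev_day": "Paris 21.4C 1013hPa",   # public measurement from the previous day
}


def commit_salt(salt: bytes) -> str:
    """Commitment the organization publishes in advance: a digest of the salt."""
    return hashlib.sha256(salt).hexdigest()


def canonicalize(data: dict) -> bytes:
    """Serialize the consensual data in one fixed order so every party hashes the same bytes."""
    return "\n".join(f"{key}={data[key]}" for key in sorted(data)).encode("utf-8")


def derive_cookie(salt: bytes, data: dict) -> str:
    """Cookie = keyed digest of the consensual data under the committed salt.

    Without the salt the cookie is unpredictable; once the salt is revealed,
    anyone holding the same consensual data can recompute it.
    """
    return hmac.new(salt, canonicalize(data), hashlib.sha256).hexdigest()


def verify_cookie(commitment: str, revealed_salt: bytes, data: dict, cookie: str) -> bool:
    """Postdiction check anyone can run after the salt is published.

    Fails if the revealed salt does not match the earlier commitment (the
    organization swapped salts after the fact) or if the cookie was not
    derived from this salt and this consensual data.
    """
    if not hmac.compare_digest(commit_salt(revealed_salt), commitment):
        return False
    return hmac.compare_digest(derive_cookie(revealed_salt, data), cookie)


def run_protocol() -> dict:
    """Walk through commit, derive, reveal, and verify for three cases."""
    commitment = commit_salt(EXAMPLE_SALT)           # published years in advance
    cookie = derive_cookie(EXAMPLE_SALT, EXAMPLE_DATA)  # sent to Alice at the interval
    # ... Alice returns the signed cookie, then the organization reveals the salt ...
    other_salt = b"constructed-substitute-salt"
    return {
        # honest organization: revealed salt matches the commitment, cookie recomputes
        "honest": verify_cookie(commitment, EXAMPLE_SALT, EXAMPLE_DATA, cookie),
        # organization reveals a different salt than it committed to
        "swapped_salt": verify_cookie(
            commitment, other_salt, EXAMPLE_DATA, derive_cookie(other_salt, EXAMPLE_DATA)
        ),
        # cookie presented against consensual data it was not derived from
        "tampered_data": verify_cookie(
            commitment, EXAMPLE_SALT, {**EXAMPLE_DATA, "date": "2013-09-03"}, cookie
        ),
    }


if __name__ == "__main__":
    print(run_protocol())
```

What the check establishes is only that the cookie was derived as committed; it says nothing about whether a signed reply from Alice was actually received, which is the separate question Perry raises about a pretended round trip.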
