[Cryptography] Layering Web Encryption?

Chris Tonkinson chris at tonkinson.com
Wed Feb 25 13:39:46 EST 2015


I'm not a security researcher, pen tester, red/blue teamer, formal
infosec consultant, or a cryptographer. I am a foil-donning web
technologist who enthusiastically consumes a lot of information from the
infosec community. Basically I'm a bush league security and privacy
advocate. A crypto groupie, if you will.

So please forgive my ignorance, naivete, and lack of historical perspective.

---

TLS is weakened because most popular platforms (an intentionally broad
term) get preloaded with hundreds of default root certs, and no one
knows how many of those are fronts for the SAA ("Some Alphabet Agency")
or aren't, but have been compromised by same.

Gemalto's SIM keys got nabbed by the SAA, so trusting any opacity
provided by the cellular protocols goes out the window.

The list goes on, but data in transport is a pretty popular target. It
gets me thinking - could something experimental be jimmied up using "off
the shelf" components by taking a leaf out of the TOR book?

For the sake of argument, set aside usability, performance, and resource
requirements (collectively "logistics") for a moment.

What if we were to take a leaf out of TOR's book, and layer "reverse" PKI
(with e.g. PGP) inside of TLS for HTTPS?

Suppose my UA has access to a locally generated keypair. Could be a
pre-generated and [relatively] long-lived keypair, or it could be
transient, surviving a single request-response cycle - doesn't matter.
Upon completion of the TLS handshake, the first request from my UA to
the server would include the public key for this pair. The response,
then, would be encrypted to this public key.

Threat model: Again, we're assuming that the client and server are not
compromised. This is simply a defense-in-depth play against
eavesdropping. For example, suppose a flaw in TLS is exposed, suppose a
service's private key gets loose (by incompetence, malice, or coercion).

Is it stupid to make a distinction (with regards to threat analysis)
between a company being forced to hand over a private key (a la Lavabit)
and a company actively infiltrated? Another way to ask that is: are
there practical limitations to what can be done with an NSL?

Has this idea been attempted before? Remember, I'm young, dumb, and
naive. I've looked around, but with the keywords I'm searching on the
results are badly googlewashed.

It's my understanding that PFS is widely implemented where the server is
generating the ephemeral keys. What I'm proposing /looks/ different than
PFS, but would it fundamentally offer additional hardness?

I've used a site or two which accept keypairs for authentication instead
of passwords, but that's not really what I'm talking about here
(although clearly related, I see the two concepts as orthogonal).

Cheers,
-Chris

-- 
Chris Tonkinson
610.425.7807
GPG Key Fingerprint: 9120 D63D BB2E 8370 7023  C002 7145 1F95 18B3 E7A2

  "Lead, follow, or get out of the way."
  -Thomas Paine
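Below is an added sketch of the exchange the post proposes, written for this page and not code from the post's author: the client generates a transient X25519 keypair, sends the public key in its first request inside the (already established) TLS session, and the server encrypts its response body to that key using an ephemeral key of its own plus AES-GCM (an ECIES-style construction). The request and response struct shapes, the "/inbox" path, the HMAC-SHA256 key derivation standing in for a full HKDF, and the sample body are all assumptions made for the example. The last function models the post's threat: a party who later obtains everything that crossed the wire, including the contents of the TLS session, but not the client's private key, cannot open the response.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// InnerRequest models the first request after the TLS handshake (assumed shape).
type InnerRequest struct {
	Path      string
	ClientPub []byte // client's X25519 public key, 32 bytes
}

// InnerResponse carries the server's ephemeral public key and an AEAD ciphertext
// that only the holder of the client's private key can open.
type InnerResponse struct {
	ServerEphemeralPub []byte
	Nonce              []byte
	Ciphertext         []byte
}

// deriveKey turns the X25519 shared secret into an AES-256 key; HMAC-SHA256 over
// a label and both public keys stands in for a full HKDF in this sketch.
func deriveKey(shared, clientPub, serverPub []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("inner-layer-v1"))
	mac.Write(clientPub)
	mac.Write(serverPub)
	return mac.Sum(nil) // 32 bytes
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ServerEncrypt is the server's side: encrypt the body to the key in the request.
func ServerEncrypt(req InnerRequest, body []byte) (InnerResponse, error) {
	curve := ecdh.X25519()
	clientPub, err := curve.NewPublicKey(req.ClientPub)
	if err != nil {
		return InnerResponse{}, fmt.Errorf("bad client key: %w", err)
	}
	srvPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return InnerResponse{}, err
	}
	shared, err := srvPriv.ECDH(clientPub)
	if err != nil {
		return InnerResponse{}, err
	}
	srvPub := srvPriv.PublicKey().Bytes()
	aead, err := newAEAD(deriveKey(shared, req.ClientPub, srvPub))
	if err != nil {
		return InnerResponse{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return InnerResponse{}, err
	}
	// The request path is bound in as associated data so a response cannot be
	// replayed against a different request.
	ct := aead.Seal(nil, nonce, body, []byte(req.Path))
	return InnerResponse{ServerEphemeralPub: srvPub, Nonce: nonce, Ciphertext: ct}, nil
}

// ClientDecrypt is the client's side: recompute the shared secret and open the body.
func ClientDecrypt(priv *ecdh.PrivateKey, req InnerRequest, resp InnerResponse) ([]byte, error) {
	srvPub, err := ecdh.X25519().NewPublicKey(resp.ServerEphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(srvPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared, req.ClientPub, resp.ServerEphemeralPub))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, resp.Nonce, resp.Ciphertext, []byte(req.Path))
}

// RoundTrip runs one request/response cycle with a transient client keypair.
func RoundTrip(body string) (string, error) {
	clientPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	req := InnerRequest{Path: "/inbox", ClientPub: clientPriv.PublicKey().Bytes()}
	resp, err := ServerEncrypt(req, []byte(body))
	if err != nil {
		return "", err
	}
	pt, err := ClientDecrypt(clientPriv, req, resp)
	return string(pt), err
}

// EavesdropperCannotDecrypt: everything on the wire plus a key that is not the
// client's must fail GCM authentication (constructed sample body).
func EavesdropperCannotDecrypt() bool {
	curve := ecdh.X25519()
	clientPriv, _ := curve.GenerateKey(rand.Reader)
	req := InnerRequest{Path: "/inbox", ClientPub: clientPriv.PublicKey().Bytes()}
	resp, err := ServerEncrypt(req, []byte("constructed sample body"))
	if err != nil {
		return false
	}
	otherPriv, _ := curve.GenerateKey(rand.Reader)
	_, err = ClientDecrypt(otherPriv, req, resp)
	return err != nil
}
```

What this shows about the post's PFS question: a captured TLS session, even one decryptable later because the server's certificate key leaked, still yields only ciphertext on the inner layer, since the client's private key never left the client. What it does not add is authentication of either inner key, so against a party who can rewrite the request in flight the inner layer rests entirely on the TLS layer it sits inside; that is the property the comparison with ephemeral-key PFS turns on.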
