[Cryptography] Layering Web Encryption?

Natanael natanael.l at gmail.com
Wed Feb 25 16:14:34 EST 2015


On 25 Feb 2015 20:18, "Chris Tonkinson" <chris at tonkinson.com> wrote:
[...]
> What if we were to take a leaf out of Tor's book, and layer "reverse" PKI
> (with e.g. PGP) inside of TLS for HTTPS?
>
> Suppose my UA has access to a locally generated keypair. Could be a
> pre-generated and [relatively] long-lived keypair, or it could be
> transient, surviving a single request-response cycle - doesn't matter.
> Upon completion of the TLS handshake, the first request from my UA to
> the server would include the public key for this pair. The response,
> then, would be encrypted to this public key.

Yes, you could, but every place I can think of where you could add
functional support for an encryption layer on top of TLS would be better
served by dropping TLS and using the second encryption scheme alone. You'd
need every application to support it natively.

By the way, both Tor and I2P already work on Android (Orbot and the I2P
client on F-Droid). Both support public key based addresses (hidden
services / eepsites) for use inside the encrypted networks. The address
itself becomes the certificate. Both support access via local proxies on
the device, so most standard software supports it transparently if you can
tell it to connect over HTTP via that proxy to those domains (the Tor and
I2P clients will resolve the domain, encrypt and direct the traffic
appropriately).

There's also CJDNS as a similar option for secure routing, but without the
anonymization (intended for secure mesh networking rather than being an
overlay anonymization network). So far only available for standard Unix-y
operating systems.
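The scheme quoted above (the UA sends a locally generated public key in its first request after the TLS handshake, and the server encrypts the response to that key), worked through as an added example that is not code from either poster. It assumes X25519 for the UA and server keys and AES-256-GCM for the body, with SHA-256 standing in for a proper KDF; the type and function names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Response is the server's reply inside TLS: ephemeral pubkey, nonce, ciphertext.
type Response struct{ ServerPub, Nonce, Ciphertext []byte }
// newUAKey is the UA's locally generated keypair (long-lived or per-request).
func newUAKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }
// sharedGCM: X25519 with the peer's raw key, hashed into an AES-256-GCM key
// (SHA-256 stands in for a real KDF such as HKDF; assumption of this example).
func sharedGCM(priv *ecdh.PrivateKey, peer []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer) // rejects malformed peer keys
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub) // rejects a low-order (all-zero) result
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// serverEncrypt encrypts body to the UA key carried in the first request; that
// key is also the AAD, so the ciphertext is bound to the UA that asked for it.
func serverEncrypt(uaPub, body []byte) (*Response, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key per response
	if err != nil {
		return nil, err
	}
	g, err := sharedGCM(priv, uaPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns short on supported platforms
	return &Response{priv.PublicKey().Bytes(), nonce, g.Seal(nil, nonce, body, uaPub)}, nil
}

// clientDecrypt is the UA side; any change in transit fails the GCM tag check.
func clientDecrypt(uaPriv *ecdh.PrivateKey, r *Response) ([]byte, error) {
	g, err := sharedGCM(uaPriv, r.ServerPub)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, uaPriv.PublicKey().Bytes())
}
```

Note that nothing here authenticates the server to the UA: the inner layer only hides the response from whoever terminates the TLS session, which is the point Natanael's reply makes about it adding little over TLS alone.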