[Cryptography] The names in "the mesh"

Christian Huitema huitema at huitema.net
Sun Jul 12 20:20:12 EDT 2015



Your proposed use of names derived from cryptographic keys reminds me a lot
of the work with did several years ago with PNRP. The principle was the
same, pick a master key and use a hash of that master key as a node's
identity. In our case, it was a key to an entry in a P2P mesh. Leaving aside
the specific details of the application, we got lots of feedback from our
use of identifiers of form <hash>+<string>, very similar to:


    mmm:MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ:alice at cryptomesh.org


The main issue is that the hashes are very unwieldy. They cannot be visually
verified by the user. An attacker can generate an alternate key whose hash
looks "close enough" to the real thing, and then use MITM attack to
substitute that when the key is sent from Alice to Bob. Bob performs a
visual check, is fooled, and then the communication between Bob and Alice
can be intercepted. 


We explored using a "compressed hash" for verification purposes, which we
dubbed "call sign." The idea was to hash
"MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ:alice at cryptomesh.org" plus some "salt",
choosing the salt so the hash ends with a large number of zeros. Let Z be
that number. We would then build the call sign from the first N bits of the
hash, and publish it as a short Base32 string. The strength of the
verification is "N+Z". For example, N=50 and Z=32 results in a 82 bit strong
password, and a 10 character string.


The point of the small string is that it can be spelled over the phone, or
copied from a card, without being too unwieldy.


-- Christian Huitema



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150712/6000b538/attachment.html>

More information about the cryptography mailing list