[Cryptography] Privacy-preserving wireless communication?

Nico Williams nico at cryptonector.com
Thu Dec 14 17:09:03 EST 2017


On Thu, Dec 14, 2017 at 11:33:43AM -0800, Christian Huitema wrote:
> The DNS SD working group would very much like to find a solution that
> does not have these scaling constraints, maybe using public key
> technology instead of pairwise secrets. If you have such a solution,
> your contributions would be very welcome.

In OP's case pairing is done over wired connections, so there's no
scalability issue w.r.t. number of announcements.  If the MAC in the
announcement does not match, the recipient does nothing.

How about a DoS-resistant variation on your announcement, with a
pseudo-randomized ID/sequence number:

  announcement = {{nonce, PRF(shared_secret, peer_ID, seqnum)},
                  MAC(shared_secret, {nonce, PRF(peer_ID, seqnum)})}

This allows the sender and recipient to keep some per-peer state
(sequence number) that allows them to pre-compute a number of
PRF(shared_secret, peer_ID, seqnum) and thus prevent a DoS by sending
lots of announcements.

A seqnum resync announcement can be processed only when the user presses
an appropriate button.  Devices could do this automatically, but
rate-limit resyncs.

For peer IDs use public keys (or hashes thereof).  Names can be purely
local for applications like OP's.  Alternatively, exchange peer IDs
during (or after) pairing.

If you need to pair over wireless you could use (EC)DH with an
interactive challenge/response with challenges displayed to the user
only.  The difficulty that arises in wireless pairing is that either the
public keys are per-device (in which case pseudonymous) or per-pairing
(in which case anonymous because ephemeral), but!...

...the problem with per-pairing public keys is that now there's no way
to decide which wireless pairing announcements to ignore without more
user interaction (more than merely pressing a button, confirming a
challenge, and pressing a button again), I think.

Nico
-- 
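
The precomputation idea in the message above, as an added example that is not part of the original post: the receiver keeps a table of upcoming PRF outputs per paired peer, so an unknown announcement costs one dictionary lookup and no cryptography. Assumptions made here: HMAC-SHA256 serves as both PRF and MAC with "id"/"mac" labels, the MAC covers the nonce and the keyed PRF output, and `WINDOW`, `Receiver` and the function names are hypothetical.

```python
import hashlib
import hmac
import os

WINDOW = 8  # assumed look-ahead: how many future seqnums the receiver precomputes

def prf(secret: bytes, peer_id: bytes, seqnum: int) -> bytes:
    # PRF(shared_secret, peer_ID, seqnum), instantiated with HMAC-SHA256 (assumption)
    return hmac.new(secret, b"id" + peer_id + seqnum.to_bytes(8, "big"), hashlib.sha256).digest()

def mac(secret: bytes, nonce: bytes, tag: bytes) -> bytes:
    # MAC over {nonce, PRF output}; the "mac" label separates it from prf() (assumption)
    return hmac.new(secret, b"mac" + nonce + tag, hashlib.sha256).digest()

def make_announcement(secret: bytes, my_id: bytes, seqnum: int) -> tuple:
    nonce = os.urandom(16)
    tag = prf(secret, my_id, seqnum)
    return nonce, tag, mac(secret, nonce, tag)

class Receiver:
    def __init__(self):
        self.peers = {}      # peer_id -> [shared_secret, next expected seqnum]
        self.expected = {}   # precomputed PRF output -> (peer_id, seqnum)
        self.mac_checks = 0  # counts MAC computations, to show the DoS bound

    def pair(self, peer_id: bytes, secret: bytes) -> None:
        self.peers[peer_id] = [secret, 0]
        self._refill(peer_id)

    def _refill(self, peer_id: bytes) -> None:
        secret, nxt = self.peers[peer_id]
        stale = [t for t, (p, s) in self.expected.items() if p == peer_id and s < nxt]
        for t in stale:
            del self.expected[t]  # used or skipped seqnums can no longer match
        for s in range(nxt, nxt + WINDOW):
            self.expected.setdefault(prf(secret, peer_id, s), (peer_id, s))

    def receive(self, nonce: bytes, tag: bytes, m: bytes):
        hit = self.expected.get(tag)  # one dict lookup; no crypto for unknown tags
        if hit is None:
            return None
        peer_id, seqnum = hit
        self.mac_checks += 1
        if not hmac.compare_digest(m, mac(self.peers[peer_id][0], nonce, tag)):
            return None
        self.peers[peer_id][1] = seqnum + 1  # slide the window past the used seqnum
        self._refill(peer_id)
        return peer_id, seqnum
```

A sender that gets more than `WINDOW` announcements ahead of the receiver falls out of the table, which is the case the seqnum resync announcement in the message is meant to handle.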

