[Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address

Natanael natanael.l at gmail.com
Mon Jan 21 12:37:57 EST 2019


On Mon, 21 Jan 2019 at 18:31, Ttttabcd via cryptography <cryptography at metzdowd.com> wrote:

> # Foreword
>
> Encryption based on shared secrets
>
> Symmetric encryption is based on shared keys, asymmetric encryption is
> based on shared public keys, and HTTPS is based on the browser's built-in
> CA root certificate.
>
> There have been rumors that IPv6 can implement end-to-end encryption of
> all the Internet based on IPsec, but this is impossible.
>
> IPsec is also based on passwords or certificates, and also requires shared
> secrets.
>
> The problem is that there is no shared secret between us and strangers.
> Without a shared secret, we can't authenticate each other. If this
> problem is not solved, Internet end-to-end encryption is impossible.
>
> But Cryptographically Generated Address (CGA) solves this problem because
> CGA turns the IPv6 address itself into a "shared secret."
>
> # Cryptographically Generated Address
>
> Detailed CGA information can be found in RFC 3972, I will briefly explain
> here.
>
> CGA is used to implement Secure Neighbor Discovery, which resolves
> authentication without CA.
>
> The CGA divides the IPv6 address into three parts, the first 64-bit subnet
> prefix, the middle 3 bits of computational difficulty, and the last 59 bits
> of the hash address generated based on the public key.
>

I would suggest CJDNS instead. It's a different implementation of the same
idea. It uses the private network prefix, and thus sacrifices many fewer
bits of the 128 bits available.

https://github.com/cjdelisle/cjdns

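As an added worked example (not part of either message above, and not code from RFC 3972 or CJDNS), here is the address construction that Ttttabcd summarises, following RFC 3972 with only the Python standard library. The "public keys" are constructed placeholder byte strings standing in for the DER-encoded SubjectPublicKeyInfo that the RFC actually hashes; the prefix 2001:db8:1:2::/64 is documentation space; the starting modifier is fixed instead of random so the run is reproducible. It shows the pieces named in the post (64-bit prefix, 3-bit Sec, hash-derived remainder, plus the u/g bits the RFC also zeroes), the Hash2 work factor that Sec buys, and the property the thread is about: a second public key cannot be made to verify against the same address.

```python
"""Minimal RFC 3972 CGA generation and verification (stdlib only).

Added example. ALICE_PUBKEY / MALLORY_PUBKEY are constructed stand-ins
for DER-encoded SubjectPublicKeyInfo blobs, not real keys.
"""
import hashlib
import ipaddress

SEC_SHIFT = 61            # Sec lives in bits 0-2 of the 64-bit IID (leftmost)
UG_MASK = 0b11 << 56      # bits 6 and 7 of the IID: the u and g bits
SEC_MASK = 0b111 << SEC_SHIFT
HASH2_BITS_PER_SEC = 16   # Sec=1 demands 16 leading zero bits in Hash2

PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64").network_address.packed[:8]
ALICE_PUBKEY = b"PLACEHOLDER-SPKI-DER-ALICE-" + bytes(range(32))      # constructed
MALLORY_PUBKEY = b"PLACEHOLDER-SPKI-DER-MALLORY-" + bytes(range(32, 64))  # constructed


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = leftmost 112 bits of SHA-1(modifier || 9 zero octets || pubkey).
    The leftmost 16*Sec bits must be zero; Sec = 0 always passes."""
    if sec == 0:
        return True
    hash2 = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]
    value = int.from_bytes(hash2, "big")
    return value >> (112 - HASH2_BITS_PER_SEC * sec) == 0


def _interface_id(modifier: bytes, prefix: bytes, collision_count: int,
                  pubkey: bytes, sec: int) -> int:
    """Hash1 = leftmost 64 bits of SHA-1 over the CGA Parameters
    (modifier || prefix || collision count || pubkey), then overwrite
    the Sec bits and clear the u/g bits."""
    params = modifier + prefix + bytes([collision_count]) + pubkey
    hash1 = int.from_bytes(hashlib.sha1(params).digest()[:8], "big")
    iid = (hash1 & ~SEC_MASK) | (sec << SEC_SHIFT)
    return iid & ~UG_MASK


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, start_modifier: int = 0):
    """Return (address, modifier, collision_count).

    A real implementation picks start_modifier at random; it is a fixed
    parameter here only so the example is reproducible. The loop is the
    'computational difficulty' the Sec bits encode: on average 2**(16*Sec)
    SHA-1 evaluations before a usable modifier is found."""
    assert len(prefix) == 8 and 0 <= sec <= 7
    modifier = start_modifier
    while True:
        mod_bytes = modifier.to_bytes(16, "big")
        if _hash2_ok(mod_bytes, pubkey, sec):
            break
        modifier = (modifier + 1) % (1 << 128)
    collision_count = 0   # Duplicate Address Detection would bump this, at most to 2
    iid = _interface_id(mod_bytes, prefix, collision_count, pubkey, sec)
    address = ipaddress.IPv6Address((int.from_bytes(prefix, "big") << 64) | iid)
    return address, mod_bytes, collision_count


def verify_cga(address: ipaddress.IPv6Address, modifier: bytes, prefix: bytes,
               collision_count: int, pubkey: bytes) -> bool:
    """RFC 3972 section 5 verification: the peer sends its CGA Parameters
    (modifier, prefix, collision count, public key); anyone can recompute
    the address from them, so the address itself vouches for the key."""
    if collision_count not in (0, 1, 2):
        return False
    packed = address.packed
    if packed[:8] != prefix:
        return False
    iid = int.from_bytes(packed[8:], "big")
    sec = iid >> SEC_SHIFT
    expected = _interface_id(modifier, prefix, collision_count, pubkey, sec)
    compare_mask = ((1 << 64) - 1) & ~(SEC_MASK | UG_MASK)   # ignore Sec and u/g bits
    if (iid & compare_mask) != (expected & compare_mask):
        return False
    return _hash2_ok(modifier, pubkey, sec)


def demo(sec: int = 1):
    """Alice derives a CGA; Mallory tries to bind her own key to it."""
    address, modifier, cc = generate_cga(PREFIX, ALICE_PUBKEY, sec)
    genuine = verify_cga(address, modifier, PREFIX, cc, ALICE_PUBKEY)
    spoofed = verify_cga(address, modifier, PREFIX, cc, MALLORY_PUBKEY)
    return address, modifier, cc, genuine, spoofed


if __name__ == "__main__":
    addr, mod, cc, genuine, spoofed = demo(sec=1)
    print("CGA:", addr)
    print("verifies with Alice's key:", genuine)
    print("verifies with Mallory's key:", spoofed)
```

The verifier never needs a CA: the 59 hash bits of the interface identifier (plus the Hash2 condition) bind the address to whatever public key the peer presents, so a signature that checks out under that key can be trusted to come from the holder of the address. Finding a second key for a given address costs on the order of 2^(59 + 16*Sec) SHA-1 evaluations, which is what the three Sec bits buy at the price of the same 2^(16*Sec) work for the legitimate owner at generation time.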