[Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address

Paul Wouters paul at cypherpunks.ca
Tue Jan 22 10:38:19 EST 2019


On Sun, 20 Jan 2019, Ttttabcd via cryptography wrote:

> There have been rumors that IPv6 can implement end-to-end encryption of all the Internet based on IPsec, but this is impossible.
>
> IPsec is also based on passwords or certificates, and also requires shared secrets.

Note that IPsec supports asymmetric null authentication, which we use
for Opportunistic IPsec. So in that case, the client authenticates the
server (e.g. based on letsencrypt or DNSSEC or otherwise) and the server
does not authenticate the client. The client remains anonymous at the
IP layer, similar to how TLS works.

> The problem is that there is no shared secret between us and strangers. Without the secret of sharing, we can't authenticate each other. If this problem is not solved, Internet end-to-end encryption is impossible.

The problem is that a shared secret between strangers doesn't help me
identify you from a crowd of strangers. We all have to publish
some kind of pseudo identity that others need to be able to verify.

> Now we can send the public key to the stranger and sign it with the private key. MITM cannot replace the public key. Because there is a hash of the public key in the IPv6 address, the public key cannot be forged.

Sure, now you might have prevented _our_ connection from a MITM, but how
do I know you are not the MITM? Who are you? Who am I? Which two
parties are trying to communicate? How do you identify these parties
and how do they identify each other?

If you can answer that, you can answer how to obtain a public key of
that identity. Be it via DNS FQDN, CAs, blockchain publications, or
an ad in the New York Times.

> When we communicate with strangers, we can use the following handshaking protocol.

So here, you only accomplish confidentiality to _a_ stranger. But you
have no idea which stranger.

> 1. Alice sends the public key, the Diffie-Hellman key, and the signature of the DH-Key with the private key. When Bob receives the message, the public key is verified by CGA. The public key verifies the signature, and DH-Key can be used to generate its own AES password.

What does that public key contain as identifying reference? An email
address? A Slack handle? An SSN?

Paul
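
The distinction drawn in the reply above, as an added example that is not part of either poster's message: a simplified CGA derivation (RFC 3972 Hash1 only, Sec=0, no signature step) showing that the address check rejects a substituted key but accepts any self-generated key and address pair. The key bytes, modifiers and the 2001:db8::/64 prefix are constructed stand-ins.

```python
import hashlib
import ipaddress

PREFIX = bytes.fromhex("20010db800000000")  # 2001:db8::/64 documentation prefix


def cga_address(public_key, modifier, prefix=PREFIX, collision_count=0):
    """Derive a CGA-style address (RFC 3972 Hash1 only, Sec=0 assumed)."""
    params = modifier + prefix + bytes([collision_count]) + public_key
    iid = bytearray(hashlib.sha1(params).digest()[:8])
    iid[0] &= 0x1C  # Sec bits (top three) = 0; u and g bits (low two) = 0
    return ipaddress.IPv6Address(prefix + bytes(iid))


def verify_cga(address, public_key, modifier, collision_count=0):
    """Check that the address was derived from this public key."""
    packed = address.packed
    if packed[8] >> 5 != 0 or collision_count not in (0, 1, 2):
        return False  # Sec > 0 needs the Hash2 check, not implemented here
    return cga_address(public_key, modifier, packed[:8], collision_count) == address


def demo():
    # Constructed stand-ins for DER-encoded public keys and 128-bit modifiers.
    alice_key, alice_mod = b"ALICE-PUBLIC-KEY" * 4, bytes(range(16))
    other_key, other_mod = b"OTHER-PUBLIC-KEY" * 4, bytes(range(16, 32))
    alice_addr = cga_address(alice_key, alice_mod)
    other_addr = cga_address(other_key, other_mod)
    return {
        "alice_addr": alice_addr,
        "other_addr": other_addr,
        # Genuine parameters match the address they were derived from.
        "genuine": verify_cga(alice_addr, alice_key, alice_mod),
        # A different key presented for Alice's address is rejected.
        "substituted_key": verify_cga(alice_addr, other_key, other_mod),
        # Any key holder can derive an address that verifies just as well.
        "self_generated": verify_cga(other_addr, other_key, other_mod),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check binds a key to an address; it carries no information about which party holds that key.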

