[Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address

Paul Wouters paul at cypherpunks.ca
Thu Jan 24 12:02:56 EST 2019


On Thu, 24 Jan 2019, Ttttabcd via cryptography wrote:

>> > When we communicate with strangers, we can use the following handshaking protocol.
>>
>> So here, you only accomplish confidentiality to a stranger. But you
>> have no idea which stranger.

> This is to achieve end-to-end encryption without CA.
>
> Prove a specific identity with a specific IPv6 address.

You miss the point. Talking with confidentiality to an IP address means nothing.
Using null-authentication with any protocol accomplishes the same. You
left out how binding that IP address to a pseudo identity would work.

If I talk with confidentiality with 2600::c900:9106:adca:dc36 then who
am I talking to? You? Your server? Your phone? The NSA?

Besides that, anyone who controls some of the BGP tables or routing
can be an instance of 2600::c900:9106:adca:dc36 passing identification
of your crypto scheme. So I don't even know if I am talking to the "real"
2600::c900:9106:adca:dc36. And if you meant the IPv6 as a "shared
secret" then we have better methods like PAKE to go from a weak shared
secret we exchange at a party, to a strong secret we can use to
authenticate a private channel.

In other words, your proposal is the equivalent to any kind of
Diffie-Hellman key exchange. Now you have confidentiality, you need
to authenticate the other party.

Paul
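
An added illustration of the point in the message above (not code from the thread or from the proposal under discussion): an unauthenticated Diffie-Hellman handshake completes with whichever responder answers, and only a key fingerprint obtained outside the handshake lets the client tell responders apart. The toy group parameters and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy group for illustration only: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def connect(client_priv, offered_pub, pinned_fp=None):
    """Client side of the handshake. With pinned_fp=None this is null-authentication."""
    if pinned_fp is not None and fingerprint(offered_pub) != pinned_fp:
        raise ValueError("peer key does not match the expected identity")
    return session_key(client_priv, offered_pub)

def demo():
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()  # the peer the client means to reach
    r_priv, r_pub = keypair()  # a different responder answering at the same address
    out = {}
    # Unauthenticated: the handshake completes and both ends agree on a key,
    # whichever responder answered. Nothing tells the client which one it was.
    out["intended_agrees"] = connect(c_priv, s_pub) == session_key(s_priv, c_pub)
    out["other_agrees"] = connect(c_priv, r_pub) == session_key(r_priv, c_pub)
    # Authenticated: the client holds a key fingerprint for the identity it wants,
    # learned through some channel other than this handshake.
    pin = fingerprint(s_pub)
    out["pinned_intended_ok"] = connect(c_priv, s_pub, pin) == session_key(s_priv, c_pub)
    try:
        connect(c_priv, r_pub, pin)
        out["pinned_other_rejected"] = False
    except ValueError:
        out["pinned_other_rejected"] = True
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```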