[Cryptography] Clinton email issues

Phillip Hallam-Baker phill at hallambaker.com
Wed Mar 27 06:20:39 EDT 2019


On Mon, Mar 25, 2019 at 4:14 AM Ángel <angel at crypto.16bits.net> wrote:

> On 2019-03-23 at 22:49 -0400, Phillip Hallam-Baker wrote:
>
>
> > OK so there is some magic: I change the email address to embed the
> > fingerprint of the recipient:
>
> > alice at example.com.mm--mb2gk-6duf5-ygyyl-jny5e-rwshz
> >
> > If the email client is Mesh enabled, it can recognize this as a SIN
> > and work out that it needs to apply a security policy (OpenPGP or
> > S/MIME) that has the fingerprint mb2gk-
>

When looking at this, I realized that I had cut and pasted from the old
version of the spec which uses Base32 in groups of 5 characters. The new
spec uses groups of 4. The same arguments apply though.

>
> Is the fingerprint mb2gk- or mb2gk-6duf5-ygyyl-jny5e-rwshz? If the
> earlier, isn't that a fingerprint too short to be relied on?
>

mb2gk- was just an abbreviation for mb2gk-6duf5-ygyyl-jny5e-rwshz.

That is about as long as can be put on a business card. It presents a
2^(125-8) work factor which is more than sufficient for the purpose of
introduction. If we were using a QR code introduction then we would go for
30 significant characters which is 2^(150-8) = 2^140, ample.

The birthday attack is not relevant in this case as we are presented with a
particular address that must be attacked.

When a SIN is first processed, the tools will pull the Mesh profile and
verify the hash, in the process reconstructing the full 512 bit SHA-2-512
output. The recommended approach is to store this value and store the
result with 250 bit precision for future comparison. I call this key
strengthening.

More bits is only more secure if people keep using the technology. The
longer the fingerprint, the less likely they are to use it. So there is a
balance point. But a SIN can be expressed with arbitrary precision.

One way to address this is with fingerprint compression. If the last 16,
32, 48 or 64 bits of a fingerprint are zero, this is noted in the lead byte
which encodes the digest algorithm and purpose. So there is the option to
perform proof of work hardening on the identifier allowing a 20 significant
char fingerprint to be used safely.

The other use for the proof of work might well be in spam control.
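
An added example, not part of the original message and not Mesh project code: the first-contact check and the 250-bit pinning step ("key strengthening") described above, sketched in Python. The lead byte value, the plain SHA-2-512-over-profile digest construction, the sample address and the function names are assumptions for illustration, not the Mesh specification's definitions.

```python
import base64
import hashlib

SIN_TAG = ".mm--"   # separator seen in the address quoted in the message
LEAD_BYTE = 0x60    # assumed placeholder for the algorithm/purpose byte


def fingerprint(profile: bytes, chars: int, group: int = 5) -> str:
    """Base32 of lead byte + SHA-2-512(profile), cut to `chars` characters.
    25 characters carry 125 bits, 8 of which are the lead byte."""
    raw = bytes([LEAD_BYTE]) + hashlib.sha512(profile).digest()
    text = base64.b32encode(raw).decode("ascii").lower().rstrip("=")[:chars]
    return "-".join(text[i:i + group] for i in range(0, len(text), group))


def parse_sin(address: str) -> tuple[str, str]:
    """Return (ordinary address, fingerprint characters without dashes)."""
    base, sep, fp = address.partition(SIN_TAG)
    fp = fp.replace("-", "").lower()
    if not sep or not base or not fp:
        raise ValueError("address carries no fingerprint")
    return base, fp


def verify_and_pin(address: str, profile: bytes, store: dict,
                   keep_chars: int = 50) -> bool:
    """First contact: check the profile against the short fingerprint in the
    SIN, then pin 50 characters (250 bits). Later contacts: compare against
    the pinned value, so the short printed form is only trusted once."""
    base, presented = parse_sin(address)
    full = fingerprint(profile, keep_chars).replace("-", "")
    pinned = store.get(base)
    if pinned is not None:
        return pinned == full
    if len(presented) > keep_chars or not full.startswith(presented):
        return False            # fail closed, store nothing
    store[base] = full
    return True


if __name__ == "__main__":
    profile = b"constructed sample profile for alice"   # constructed input
    sin = "alice@example.com" + SIN_TAG + fingerprint(profile, 25)
    store = {}
    print(sin)
    print(verify_and_pin(sin, profile, store))          # first contact
    print(verify_and_pin(sin, b"substituted", store))   # checked against pin
```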