[Cryptography] Does this provide any extra value?
Peter Fairbrother
peter at tsto.co.uk
Fri May 22 05:55:38 EDT 2020
On 21/05/2020 22:03, Phillip Hallam-Baker wrote:
> So I have the following issue:
>
> Imagine that we have a catalog of encrypted items that a user is going
> to access by means of a QR code containing a hash of a secret value from
> which we derive both a locator key and a decryption key.
>
> So lets say the key is NCCZ-QP4L-2QFS-YFT7-KQAO-RF4F-SSAA
>
> And we can turn this into a URI with some access info that we stuff into
> the QR code:
> mcx://example.com/
> <http://example.com/>NCCZ-QP4L-2QFS-YFT7-KQAO-RF4F-SSAA
> <http://example.com/NCCZ-QP4L-2QFS-YFT7-KQAO-RF4F-SSAA?fbclid=IwAR0lT-o-yFkjuJ7kc-lhEpctdmi7S9LSuQ_BfC3OJ8-UgZrcF3eNI5aMZ24>
>
> This is expanded to a http: url:
>
> https://example.com/.well-known/mcx/MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE
>
> Where MDGC-... = H (NCCZ-...)
>
> And the data is encrypted under the key NCCZ-...
>
> So only a person with the QR code can obtain the locator and fetch the
> encrypted data and decrypt the data.
>
> But here is the thing, someone with the locator can still fetch the
> data, albeit encrypted. Is this something that should be of concern?
Yes, of course.
Starting with the First Principle, "Never give a inch" [1], you are
giving an inch - and some edge case will take advantage of it.
Eg, "MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE is 78645335 bytes long, it is
therefore almost certainly an encrypted version of this other file".
Or "MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE is only 3 kb long, it can't be
the file we are interested in so we can put our energies elsewhere".
Or "MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE was deleted yesterday -
whodoneit? you were in a cell and no-one else is supposed to have access".
Or "Here is MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE, decrypt it or go to
jail/get kicked around/get shot."
Or "Here is MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE, let's see if we can
decrypt it".
Or "Here is MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE, let's see if we can
manipulate it".
Und so weiter
[1] Spelling courtesy of Henry Stamper
Peter Fairbrother
More information about the cryptography
mailing list