[Cryptography] Does this provide any extra value?

Peter Fairbrother peter at tsto.co.uk
Fri May 22 05:55:38 EDT 2020


On 21/05/2020 22:03, Phillip Hallam-Baker wrote:
> So I have the following issue:
> 
> Imagine that we have a catalog of encrypted items that a user is going 
> to access by means of a QR code containing a hash of a secret value from 
> which we derive both a locator key and a decryption key.
> 
> So let's say the key is NCCZ-QP4L-2QFS-YFT7-KQAO-RF4F-SSAA
> 
> And we can turn this into a URI with some access info that we stuff into 
> the QR code:
> mcx://example.com/NCCZ-QP4L-2QFS-YFT7-KQAO-RF4F-SSAA
> 
> This is expanded to a http: url:
> 
> https://example.com/.well-known/mcx/MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE
> 
> Where MDGC-... = H (NCCZ-...)
> 
> And the data is encrypted under the key NCCZ-...
> 
> So only a person with the QR code can obtain the locator and fetch the 
> encrypted data and decrypt the data.
> 
> But here is the thing, someone with the locator can still fetch the 
> data, albeit encrypted. Is this something that should be of concern?


Yes, of course.

Starting with the First Principle, "Never give a inch" [1], you are 
giving an inch - and some edge case will take advantage of it.



Eg, "MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE is 78645335 bytes long, it is 
therefore almost certainly an encrypted version of this other file".

Or "MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE is only 3 kb long, it can't be 
the file we are interested in so we can put our energies elsewhere".

Or "MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE was deleted yesterday - 
whodoneit? you were in a cell and no-one else is supposed to have access".

Or "Here is MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE, decrypt it or go to 
jail/get kicked around/get shot."

Or "Here is MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE, let's see if we can 
decrypt it".

Or "Here is MDGC-MQ7F-AV76-47TL-LQ7M-UIH4-U7CE, let's see if we can 
manipulate it".



And so on




[1] Spelling courtesy of Henry Stamper

Peter Fairbrother
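
The scheme discussed in this thread, as an added sketch that is not code from either poster: the locator is a hash of the QR-code key, and a locator-only observer sees the stored blob's size and can alter it. The hash choice (SHA-256 truncated to 17 bytes), the subkey labels, the function names, the 4096-byte padding bucket and the SHA-256 counter-mode stream (a standard-library stand-in for a real authenticated cipher) are all assumptions made for illustration.

```python
import base64, hashlib, hmac, os, struct

def locator_for(key_text: str) -> str:
    """Locator = H(key); SHA-256 truncated to 17 bytes is an assumption, not the thread's spec."""
    raw = hashlib.sha256(key_text.encode()).digest()[:17]
    b32 = base64.b32encode(raw).decode().rstrip("=")
    return "-".join(b32[i:i + 4] for i in range(0, len(b32), 4))

def _subkey(key_text: str, label: bytes) -> bytes:
    # Independent encryption and MAC keys from the one QR-code secret (labels are hypothetical).
    return hmac.new(key_text.encode(), label, hashlib.sha256).digest()

def _xor_stream(k: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode: a standard-library stand-in for a real cipher, illustration only.
    blocks = (hashlib.sha256(k + nonce + struct.pack(">Q", i)).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def _tag(key_text: str, nonce: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC over nonce and ciphertext, so any stored-byte change is detectable.
    return hmac.new(_subkey(key_text, b"mac"), nonce + ct, hashlib.sha256).digest()

def seal(key_text: str, plaintext: bytes, bucket: int = 4096) -> bytes:
    """Length-prefix and zero-pad to a multiple of `bucket`, encrypt, then MAC."""
    body = struct.pack(">Q", len(plaintext)) + plaintext
    body += b"\0" * (-len(body) % bucket)
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key_text, b"enc"), nonce, body)
    return nonce + ct + _tag(key_text, nonce, ct)

def unseal(key_text: str, blob: bytes) -> bytes:
    """Verify the tag first; refuse to decrypt anything that was altered in storage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key_text, nonce, ct)):
        raise ValueError("stored item was modified")
    body = _xor_stream(_subkey(key_text, b"enc"), nonce, ct)
    (n,) = struct.unpack(">Q", body[:8])
    return body[8:8 + n]

def stored_sizes(key_text: str, lengths, bucket: int = 4096):
    """What a locator-only observer sees: the size of each stored blob."""
    return [len(seal(key_text, b"\0" * n, bucket)) for n in lengths]
```

With `bucket=1` (no padding) the stored size tracks the plaintext size exactly, which is the size-matching observation in the reply above; with the default bucket, items of 3000 and 4000 bytes are indistinguishable by length.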

