List:       moderncrypto-messaging
Subject:    Re: [messaging] Masking contact addresses with ECDH
From:       Nick Badger <nbadger1 () gmail ! com>
Date:       2016-02-29 21:06:42
Message-ID: CABkA8JyCSdoJUd69ye33KcJOTYJHNdCQP9-i3PxH56qLRQjrAQ () mail ! gmail ! com

Is the authorization step considered a direct interaction? I can't
personally think of a way to do this privately unless the "authorization to
create contact set intersection" step is ignored. Otherwise, best case
scenario, an adversary wishing to discover the contacts list can just
iterate across all known contacts, correct? If you have a single directory,
that implies that the directory has the capability to unmask everyone's
contacts. That being said, just because I can't think of one, doesn't mean
one doesn't exist. That's also something you could potentially mitigate
through an expensive one-way function like scrypt/argon2/etc. But now we're
talking risk management and not provable security, if that's what you're
going for.

If you do allow the one authorization step, I can think of fairly easy ways
of doing it -- as a simple example, Ben's suggestion of random + hmac (the
random would be reused for all contacts, and the authorization step would
be passing Bob the random). Alice is still giving Bob the ability to brute
force her entire contacts list, though, if he can query the directory.

That last problem (Bob brute forcing against the directory once he's
granted access to create a set against Alice's contacts) is, I think,
unsolvable: the socialist millionaire protocol doesn't protect against a
dishonest party if that dishonest party knows all possible values of X and
has the capacity to iterate against them, does it?


Nick Badger
https://www.ethyr.net
https://www.muterra.io
http://www.nickbadger.com
PGP fingerprint 37B9 22FC 2E47 50AA E06B 9CEC FB65 8930 46F0 333A, listed
at MIT <https://pgp.mit.edu/> and PGP <http://keyserver.pgp.com/>

On Mon, Feb 29, 2016 at 12:45 PM, Tony Arcieri <bascule@gmail.com> wrote:

> Sure, the original impetus for this was some discussion on the
> SimplySecure Slack of having a protocol which did not require any direct
> interactions between Alice and Bob for doing a private set intersection for
> contacts, mediated through a third party (the directory)
>
> On Monday, February 29, 2016, Joseph Bonneau <jbonneau@gmail.com> wrote:
>
>>
>>
>> On Mon, Feb 29, 2016 at 12:38 PM, Tony Arcieri <bascule@gmail.com> wrote:
>>
>>> On Monday, February 29, 2016, Joseph Bonneau <jbonneau@gmail.com> wrote:
>>>
>>>> I'm not sure exactly what the goal is here. Is it for Alice and Bob to
>>>> find out which contacts they have in common without each revealing the
>>>> whole set?
>>>>
>>>
>>> Yes. Moxie did a great job of spelling out the problem and various
>>> non-solutions here:
>>>
>>
>>>  https://whispersystems.org/blog/contact-discovery/
>>>
>>
>> That post describes the problem of Alice and Bob trying to find out if
>> they're both using the same service. I asked if the goal is for Alice and
>> Bob to find out which contacts they have in common without each revealing
>> the whole set, which is a quite different proposition. It sounds from your
>> original message like you were asking about this, since you mentioned "Bob
>> is authorized in the directory to view Alice's contacts"
>>
>>
>
> --
> Tony Arcieri
>
>
> _______________________________________________
> Messaging mailing list
> Messaging@moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>




_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
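The random + HMAC masking and the enumeration limit discussed in the message above, as an added illustration that is not code from the thread. The function names, the 10,000-entry identifier space and the sample numbers are constructed assumptions; `mask_scrypt` stands in for the "expensive one-way function" variant.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a small, fully enumerable identifier space.
SPACE = [f"+1202555{i:04d}" for i in range(10000)]
ALICE = ["+12025550101", "+12025550142", "+12025550199", "+12025557777"]
BOB = ["+12025550142", "+12025557777", "+12025559999"]

def mask_hmac(rand: bytes, contact: str) -> bytes:
    # Mask one address under Alice's list-wide random value.
    return hmac.new(rand, contact.encode(), hashlib.sha256).digest()

def mask_scrypt(rand: bytes, contact: str, n: int = 2**14) -> bytes:
    # Same construction with a costly function; the random acts as the salt.
    return hashlib.scrypt(contact.encode(), salt=rand, n=n, r=8, p=1, dklen=32)

def publish(rand, contacts, mask=mask_hmac):
    # What Alice uploads: the directory stores only masked values.
    return {mask(rand, c) for c in contacts}

def intersect(rand, directory_set, my_contacts, mask=mask_hmac):
    # Intended use after authorization (Bob was handed rand):
    # he learns which of his own contacts Alice also has.
    return {c for c in my_contacts if mask(rand, c) in directory_set}

def coverage(rand, directory_set, candidates, mask=mask_hmac):
    # Design audit: fraction of Alice's masked entries explained by a
    # candidate list, and the number of mask evaluations that cost.
    hits = intersect(rand, directory_set, candidates, mask)
    return len(hits) / len(directory_set), len(candidates)

if __name__ == "__main__":
    rand = secrets.token_bytes(32)
    stored = publish(rand, ALICE)
    print("common contacts:", sorted(intersect(rand, stored, BOB)))
    # With rand and directory access, the whole space explains every entry.
    print("coverage, evaluations:", coverage(rand, stored, SPACE))
    # Without rand the masked set is opaque to the same enumeration.
    print("no rand:", coverage(secrets.token_bytes(32), stored, SPACE))
```

Swapping `mask_scrypt` in for `mask_hmac` leaves the coverage result unchanged and only multiplies the cost of each of those evaluations, which is the risk-management trade-off the message describes.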

