On Fri, 21 Dec 2001, Len Sassaman wrote:
Publishing failure notifications with sender-provided keys, as Steve Schear suggests, seems likely to have large implementation and usage hurdles. (A separate user's public key for each remailer in the chain would have to be sent along with each message, and managing this would become quite difficult for the user.)
One way around this management issue might be to use a public-key cryptosystem which supports "key blinding." (Note - A Google search reveals that this term seems to be used in other places as well, and it looks like the usage there is not quite consistent with the way it is used in this message. Caveat lector.) David Hopwood has done some amazing work on formalizing the concept, which informally goes something like this: A public-key cryptosystem supports "blinded keys" if there is an efficient randomized algorithm which takes a public key PK and outputs a new public key PK' such that * [Key compatibility] Messages encrypted with PK' can be decrypted by the secret key associated with PK. (Ideally with no extra state required to decrypt these messages, unlike blinded signatures, which must be "unblinded" to be useful.) * [Key unlinkability] Given PK', an adversary cannot determine that PK' was created by blinding PK. for this application, we also need something perhaps stronger * Many many PK' can be created from the same PK and none of them can be linked with each other (as well as not linked with the original PK) This is somewhat like Ross Anderson's "compatible weak keys," except that it does not require that a new private key be created along with the new public key. With blinded keys, the management issue you mention becomes much simpler, I think. Instead of managing dozens of public-private key pairs, you have only one pair (PK,SK). To create a one-use public key for the purpose of status notification, you create a blinded key PK'. Anything encrypted with PK' can be decrypted by your SK, but the key unlinkability properties prevent the remailers from correlating messages based on PK'. One way to create a key-blinded cryptosystem is to consider Elgamal public keys as the pair (g, y), where y = g^x for private key x. Then to blind a public key, pick a random blinding factor b and let the blinded key be (g^b, y^b). With this, you do not need to keep track of the blinding factor b; the change in generator to g^b will do that for you. So you can get away without keeping any state on your end beyond your private key x. For more detail, currently the best thing to do is a groups.google.com search for David Hopwood and "BRH-DHAES." We keep meaning to write this up, but never get around to it. -David
At 06:01 PM 12/21/2001 -0500, dmolnar wrote:
On Fri, 21 Dec 2001, Len Sassaman wrote:
Publishing failure notifications with sender-provided keys, as Steve Schear suggests, seems likely to have large implementation and usage hurdles. (A separate user's public key for each remailer in the chain would have to be sent along with each message, and managing this would become quite difficult for the user.)
One way around this management issue might be to use a public-key cryptosystem which supports "key blinding." (Note - A Google search reveals that this term seems to be used in other places as well, and it looks like the usage there is not quite consistent with the way it is used in this message. Caveat lector.)
An alternative method, discussed privately with another CP list member, would have the sender could provide a response-inbound message appropriate for each remailer in the chain and imbed this with the outbound message (maybe in the header). This imbedded message would be a concentrically wrapped and encrypted message just like the sender's outbound message, but constructed so it would backward chain to the originator. Might not even be to the same address as the sender's to obfuscate the linkage. Similar to reply block. My preference is using a Web server interface in the remailer to allow the originator's client to automatically check the progress of their message. steve
participants (2)
-
dmolnar
-
Steve Schear