At 8:15 AM 4/25/96 -0700, Alan Bostick wrote:

The other night, while sick and feverish with the flu, a scheme popped into my head that would seem to make penet-style anonymous servers less vulnerable to compromise through seizure of the remailer equipment or of the address database...

My scheme is the design of the address database. It consists of two hash tables, one for sending messages (which maps anonymous IDs onto sender's addresses), and one for receiving them (mapping recipient's addresses onto anonymous IDs). A cryptographically secure hash (say, MD5) is used for the index of both tables.

The index of the sending message table is the MD5 hash of the sender's address. The table entry the index points to is the sender's anonymous ID, encrypted by a symmetric algorithm (maybe IDEA). The encryption key would be a different hash, by another algorithm (let's suppose it's SHA), of that same address.

...

The receiving message hash table is designed similarly, in reverse. The index of the hash table is the MD5 hash of the anonymous ID; the entry in the table is the recipient's email address, encrypted with the SHA hash of the anonymous ID...

Assuming you have obtained the address database, it seems to me that this scheme is subject to known address attacks: (1) If you want to find out what newbie@slowresponse.com's anon ID is, you just look it up. (2) If you want to find out the real email addresses of all the users, you test all the anon-ids with the reverse lookup table. This attack could be defeated by using sufficiently long random anon-ids. If we assume 5 bits of information/character, a 96 bit anon-id (sufficient to preclude exhaustive search attacks) would require 19 character anon-ids. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA