Re: [Asrg] C/R Thoughts: Take 1

Yakov Shafranovich <research@solidmatrix.com> Tue, 13 May 2003 20:38 UTC


At 01:33 PM 5/13/2003 -0600, Vernon Schryver wrote:

> > From: Yakov Shafranovich <research@solidmatrix.com>
>
> > ...
> > Instead of storing the actual email address in the database, we might store
> > a one-way hash of it, let's say MD5. When emails are sent and received, the
> > sender's email address is hashed and compared against the database. This
> > way if anyone ends up wanting to use the database, it would be impossible
> > since there will be no email addresses in it. Of course it would still be
> > possible to check a specific email address against or use some form of a
> > dictionary attack, ...
>
>Which implies that in the cases that matter, nothing is hidden.  Dictionary
>attacks are easy when you know what you're looking for.  This is one
>reason why the DCC protocol does not include a checksum for the target.
>That's not a complete solution, but it's not as bad as the C/R case
>where the database would consist of a recipient and a set of senders.

Nevertheless using hashes instead of password will not allow the owner of 
the C/R system to spam all the senders like SpamArrest did. I am not 
advocating a specific solution, just a need for one - more thought must go 
into this area.

Yakov 
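
An added example, not part of the original message or of any C/R product: a sender whitelist that stores only hashes, showing both points made in the exchange above (the database holds no addresses, yet membership of any address you already suspect can still be confirmed). The class and function names, the address normalization, the sample addresses and the keyed HMAC-SHA256 variant are assumptions for illustration.

```python
import hashlib
import hmac

def normalize(addr):
    # Assumption: addresses compare case-insensitively with whitespace trimmed.
    return addr.strip().lower()

def md5_token(addr):
    # Unkeyed one-way hash, as suggested in the quoted message.
    return hashlib.md5(normalize(addr).encode("utf-8")).hexdigest()

def hmac_token(key, addr):
    # Keyed variant (assumption, not proposed in the thread).
    return hmac.new(key, normalize(addr).encode("utf-8"), hashlib.sha256).hexdigest()

class SenderStore:
    """Approved-sender list that keeps tokens only, never addresses."""
    def __init__(self, token_fn):
        self._token_fn = token_fn
        self._tokens = set()

    def approve(self, addr):
        self._tokens.add(self._token_fn(addr))

    def is_approved(self, addr):
        return self._token_fn(addr) in self._tokens

    def dump(self):
        # What someone holding a copy of the database would see.
        return frozenset(self._tokens)

def membership_from_dump(dump, candidates, token_fn):
    """Candidates confirmed present in a copied dump, given the token function."""
    return {c for c in candidates if token_fn(c) in dump}

# Constructed sample data.
APPROVED = ["alice@example.org", "Bob@Example.net"]
CANDIDATES = ["alice@example.org", "bob@example.net", "carol@example.com"]

def demo():
    key = b"constructed-demo-key"
    plain = SenderStore(md5_token)
    keyed = SenderStore(lambda a: hmac_token(key, a))
    for addr in APPROVED:
        plain.approve(addr)
        keyed.approve(addr)
    # Unkeyed hashes: a known candidate list is enough to confirm membership.
    exposed = membership_from_dump(plain.dump(), CANDIDATES, md5_token)
    # Keyed tokens: the same check without the right key confirms nothing.
    blind = membership_from_dump(keyed.dump(), CANDIDATES,
                                 lambda a: hmac_token(b"not-the-key", a))
    return exposed, blind
```

The keyed variant only helps against someone who obtains the database without the key; the operator of the system holds the key and is in the same position as with unkeyed hashes.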
