[stir] Anti-spam with blind signatures
Eric Rescorla <ekr@rtfm.com> Fri, 28 July 2017 17:03 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35774131CC0 for <stir@ietfa.amsl.com>; Fri, 28 Jul 2017 10:03:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E_rYdd3HCMnV for <stir@ietfa.amsl.com>; Fri, 28 Jul 2017 10:03:15 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74DC0131748 for <stir@ietf.org>; Fri, 28 Jul 2017 10:03:15 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id x125so127278626ywa.0 for <stir@ietf.org>; Fri, 28 Jul 2017 10:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=L8T7EklHTafEVuYZMTRvFDZ54+FjOxXRF52ckYQCGXo=; b=GPYrliJ1jsJoBtitPQC38SAcoukcHwdXBPRdO95EnlpX6a7ueoGnLI/266A2L9Jg6U u1TmSvSZbueBxGNx+twiQSXBSuIK9ehtx3wrhF4bx1gWTcq8WcF+glqf0OJtLt4Ewtcd FKtiwJtB//X43Qd4JKTxMhqtnlPndpDRTlnmSEuYwKUOrJeMnF+7++ABDmVhtvvEGNGz yayZ+/W9i8pqsc7iFLM7JxN0acLFYJkj1NiJ5Ay3xN5hhUTu5twUzQgC4tlDMKfYHYy3 fkboJEU+rvOzE9jhbnZ5sZSK4KR0mcXuhB5TLICQln6huiSAaRrIyrY1W9zHiIHqZt1D MVoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=L8T7EklHTafEVuYZMTRvFDZ54+FjOxXRF52ckYQCGXo=; b=ScdGtl/g4y62cGoY+jo6Bh7KAyclLOPg2I4X/uFKm/xAxJCRP+hHhkodlz3x36oesI 4rPsunMaFX/AwZCkHRrEDxr0083lTAVDdZQbPcXbEmVz2sJiPH5ZCH9j9pzl7VaeSVK3 jfT4wuSqWKf1jSThw3qPxGEctOKB3T5PVhsv1CxI69nGntXIuioXL6TegZiuYZQoMecU EIzVTl9hHpyAsTKsE+KhPZ/UEkOFuXtTqJbBQIS4MLN/AwsuRGKx0KmmXlR1vP9Btbl4 KnfNoeDgX2vDpb6S+V2rrXC9O3LSqPm/Y1qvtWGh9oyD42NBOGspYk6T9aCgFsrAAZtp CDAg==
X-Gm-Message-State: AIVw110FacmyQ3xMWsihxk1tbofcTyGpU5QSQm9aJkFfkKC2XFasSnDW piCMeLkUrT/HIF7NRey5e43XH2eeiDQZRYA11w==
X-Received: by 10.129.84.5 with SMTP id i5mr123235ywb.321.1501261394416; Fri, 28 Jul 2017 10:03:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.36.12 with HTTP; Fri, 28 Jul 2017 10:02:33 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 28 Jul 2017 10:02:33 -0700
Message-ID: <CABcZeBOpLyNPwO5_vXEn7h8Up06wg2KVHLLHbg0ECY1zs-3VZw@mail.gmail.com>
To: "stir@ietf.org" <stir@ietf.org>
Content-Type: multipart/alternative; boundary="001a114d6be62182b3055563a8bb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/xfGTeGcL3XDL8xVivFN6X7tMBAQ>
Subject: [stir] Anti-spam with blind signatures
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2017 17:03:17 -0000
As Jon mentioned in Prague, our best privacy story is to encrypt the PASSporT under the recipient's public key, thus protecting the *sender's* identity (though of course not the recipient's [0]). However, the problem now becomes that unauthenticated senders can just spam the CPS. We can significantly mitigate this issue by forcing senders to authenticate each time they want to send an encrypted PASSporT but decoupling that authentication from the actual PASSporT. This comes at a small privacy cost of leaking the velocity at which a caller makes calls (or technically, stores PASSporTs) but not to whom. In order to do this, we can use "blind signatures" [1]. The basic protocol flow is as follows: Sender CPS Authenticate to CPS ---------------------> Blinded(K_temp) -------------------------> <------------- Sign(K_cps, Blinded(K_temp)) [Disconnect] Sign(K_cps, K_temp)) Sign(K_temp, E(K_receiver, PASSporT)) ---> In the first phase, the sender connects to the CPS, authenticates, and sends a blinded version of a freshly generated public key. The CPS returns a signed version of that blinded key. The sender can then unblind the key and gets a signature on K_temp from the CPS Then later, when it wants to send something, the sender connects to the CPS anonymously (note: need to avoid IP linkage here) and sends both the signed K_temp and its own signature over the encrypted PASSporT. The CPS verifies both signatures and if they verify, stores the encrypted passport (discarding the signatures). This design lets the CPS rate limit how many PASSporTs a given sender can store just by counting how many times K_temp appears (there are things we might do to make this easier). Obviously, this isn't perfect because you can't tell if a sender is just sending bogus data, and I don't know how to fix that yet, but it's a big improvement over the status quo. -Ekr [0] Though we could probably get *some* traction here by bucketing these blobs by some granularity courser than recipient identity, such as taking a prefix of H(recipient_pub). [1] https://en.wikipedia.org/wiki/Blind_signature. The way this works is that I can give you a "blinded" version of some message M. You then sign the blinded version and send me the signature, and I "unblind" the signature and recover a signature on M.
- [stir] Anti-spam with blind signatures Eric Rescorla
- Re: [stir] Anti-spam with blind signatures Asveren, Tolga
- Re: [stir] Anti-spam with blind signatures Eric Rescorla