[stir] Anti-spam with blind signatures

Eric Rescorla <ekr@rtfm.com> Fri, 28 July 2017 17:03 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 28 Jul 2017 10:02:33 -0700
Message-ID: <CABcZeBOpLyNPwO5_vXEn7h8Up06wg2KVHLLHbg0ECY1zs-3VZw@mail.gmail.com>
To: "stir@ietf.org" <stir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/xfGTeGcL3XDL8xVivFN6X7tMBAQ>
Subject: [stir] Anti-spam with blind signatures
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

As Jon mentioned in Prague, our best privacy story is to encrypt the
PASSporT under the recipient's public key, thus protecting the
*sender's* identity (though of course not the recipient's [0]).
However, the problem now becomes that unauthenticated senders
can just spam the CPS.

We can significantly mitigate this issue by forcing senders to
authenticate each time they want to send an encrypted PASSporT but
decoupling that authentication from the actual PASSporT. This
comes at a small privacy cost of leaking the velocity at which
a caller makes calls (or technically, stores PASSporTs) but not
to whom. In order to do this, we can use "blind signatures" [1].
The basic protocol flow is as follows:

    Sender                                 CPS

    Authenticate to CPS --------------------->
    Blinded(K_temp) ------------------------->
    <------------- Sign(K_cps, Blinded(K_temp))
    [Disconnect]


    Sign(K_cps, K_temp)
    Sign(K_temp, E(K_receiver, PASSporT)) --->

In the first phase, the sender connects to the CPS, authenticates,
and sends a blinded version of a freshly generated public key. The
CPS returns a signed version of that blinded key. The sender can
then unblind the key and gets a signature on K_temp from the CPS.

Then later, when it wants to send something, the sender connects
to the CPS anonymously (note: need to avoid IP linkage here) and
sends both the signed K_temp and its own signature over the
encrypted PASSporT. The CPS verifies both signatures and if they
verify, stores the encrypted passport (discarding the signatures).

This design lets the CPS rate limit how many PASSporTs a given
sender can store just by counting how many times K_temp appears
(there are things we might do to make this easier). Obviously,
this isn't perfect because you can't tell if a sender is just
sending bogus data, and I don't know how to fix that yet, but it's
a big improvement over the status quo.

-Ekr

[0] Though we could probably get *some* traction here by bucketing
these blobs by some granularity coarser than recipient identity, such
as taking a prefix of H(recipient_pub).

[1] https://en.wikipedia.org/wiki/Blind_signature. The way this
works is that I can give you a "blinded" version of some message M.
You then sign the blinded version and send me the signature, and
I "unblind" the signature and recover a signature on M.
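
The two-phase flow described in this message, as an added example that is not part of the original post: textbook RSA blinding with a constructed toy CPS key, K_temp represented as opaque bytes, and the sender's own signature under K_temp over the encrypted PASSporT left out. The names `blind`, `cps_sign_blinded`, `unblind`, `CPS` and `limit` are illustrative assumptions.

```python
import hashlib
import secrets
from collections import Counter
from math import gcd

# Constructed toy CPS key built from two public Mersenne primes: NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # CPS private exponent

def h(msg: bytes) -> int:
    """Hash into Z_N (a real scheme would use a full-domain hash or padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def blind(k_temp: bytes):
    """Sender: multiply H(K_temp) by r^E so the CPS cannot recognise it later."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return h(k_temp) * pow(r, E, N) % N, r

def cps_sign_blinded(blinded: int) -> int:
    """CPS, phase 1: runs only after the sender has authenticated."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Sender: strip r to obtain Sign(K_cps, K_temp)."""
    return blind_sig * pow(r, -1, N) % N

def cps_verify(k_temp: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(k_temp)

class CPS:
    """Phase 2: anonymous submissions, rate-limited per K_temp."""
    def __init__(self, limit: int = 1):
        self.limit, self.seen, self.blobs = limit, Counter(), []
    def store(self, k_temp: bytes, sig: int, blob: bytes) -> bool:
        if not cps_verify(k_temp, sig) or self.seen[k_temp] >= self.limit:
            return False
        self.seen[k_temp] += 1
        self.blobs.append(blob)  # signatures are discarded, only the blob is kept
        return True

def demo():
    k_temp = secrets.token_bytes(32)  # stand-in for a fresh public key
    blinded, r = blind(k_temp)
    sig = unblind(cps_sign_blinded(blinded), r)
    cps, blob = CPS(limit=1), b"<encrypted PASSporT>"  # placeholder ciphertext
    return (blinded != h(k_temp), cps.store(k_temp, sig, blob),
            cps.store(k_temp, sig, blob), cps.store(b"other key", sig, blob))
```

`demo()` returns, in order: the CPS saw a value different from H(K_temp) in phase 1, the first anonymous store succeeded, a second store with the same K_temp hit the limit, and reusing the signature with a different key failed verification.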