On Apr 7, 2016, at 8:36 PM, Jon Callas <jon(_at_)callas(_dot_)org> wrote:
On Apr 7, 2016, at 7:55 AM, Bryan Ford <brynosaurus(_at_)gmail(_dot_)com
<mailto:brynosaurus(_at_)gmail(_dot_)com>> wrote:
The whole idea of providing some form of “mining-resistance” in a
fingerprint scheme is to enable the key-owner to invest some effort at
key-creation time, to ensure that any attacker who wants to try to mine for
a key with a similar-looking fingerprint will have to invest a *lot* more
time and effort, not just a little.
Does this make sense?
I believe I understand you.
You're complexifying key creation for a hypothetical, movie-plot attack.
This attitude, that IETF-standardized protocols should not attempt to address
known or foreseeable weaknesses unless there are documented cases of those
specific attacks happening in the wild *right now*, is one key reason Internet
security is in such a horrific state. When protocol designs only ever attempt
to address attacks that have already been documented in the wild - and calling
all other attacks “movie-plot” scenarios - by definition you’re always playing
catch-up and attackers will always be ahead. The pervasiveness of this
attitude, while understandable, makes me sad.
In the case of fingerprint-mining, we actually do have documented evidence of
that occurring, the most obvious and well-known being Facebook’s vanity .onion
address. The fact that Facebook was not maliciously attacking anyone else - in
effect they were only “attacking” their own brand-name by mining for a
public-key whose .onion address would look like it - does not change the fact
that their action demonstrated that both the capability and the incentives
exist in the real-world to mine for fingerprints that look similar to
something-or-other. If it so happened that the “real” Facebook was mounting
this attack against its own brand, the next time it might be a fake Facebook
imposter mounting the same attack against Facebook by creating a
similar-looking vanity name and hoping users will fall for it. The issue is
not who or what the fingerprint-miner is trying to make their mined fingerprint
look like; the issue is that such attacks are clearly practical.
Documented fingerprint-mining attacks have occurred in other domains too: for
example, not too long ago I remember that it was found that the Ripple ledger
was vulnerable to “Transaction ID” fingerprint-mining attacks that were
actually being exploited, in which an attacker mined for low-numbered
transaction IDs which would cause their transactions to get processed first and
provide arbitrage opportunities. Obviously the fingerprint-mining was for a
fairly different purpose in this case, but still it’s another documented
example of the same general class of weakness: i.e., an attacker mining for a
hash-based fingerprint that looks kinda like something that will help him get
what he wants in some way.
Bryan
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp