[messaging] SafeSlinger's Ephemeral Fingerprint

Michael Farb mwfarb at cmu.edu
Wed Jul 2 04:53:12 PDT 2014


Hi Trevor,

You bring up some valid points. Indeed, a SafeSlinger key exchange is as usable as the medium over which it is used. I list below an un-scientific estimate of the availability of a handful of communication channels for all smartphone users (considering current market distribution of all versions of iOS, Android, Windows Phone, and Blackberry) to run the protocol which drove choosing the use of a server for our first implementation. It's true an additional out of band "low number" adds another step, thus lowering usability. However, usability is a broad category, not being able to install the application for hardware restrictions, OS version, or not having the right communication channel available after installation also lowers the usability.

TCP/IP: 100% available, 100% cross-platform, requires an additional out of band grouping number, adds network overhead.
Bluetooth: 100% available, 0% cross-platform (Thanks Apple!), adds some discovery time.
LE Bluetooth: 25% available, 100% cross-platform, adds some discovery time.
NFC: 25% available, 100% cross-platform, adds some discovery time.
WiFi Direct: 25% available, 100% cross-platform, adds minimal discovery time.

To your point about local wireless, it would be great to run the protocol over a local network channel like WiFiDirect or LE Bluetooth, since some countries block our servers outright. Of course we need to design some good usability features to help users decide which channel to use. A simple ping of the server could provide this for 2 mainland China users to determine that BT should be used since our server is blocked, however it doesn't help the case where one user is in mainland China and the other is in the US attempting the exchange. It'll take some UX planning, but could be done.

After consulting with Adrian (I finally remembered to cc him on this DL) about using DH trees, he offers this:

"This paper shows that if communication is slow, then the STR DH tree we are using is very efficient:
https://sparrow.ece.cmu.edu/group/pub/old-pubs/str-toc.pdf

But to scale to larger groups, we should use TGDH:
https://sparrow.ece.cmu.edu/group/pub/old-pubs/ccs2000.pdf

TGDH should be more efficient than the other options, AFAIK."

Cheers,
Mike

Michael W. Farb
Research Programmer, Carnegie Mellon University CyLab
M 412-965-4725 - www.cylab.cmu.edu/safeslinger

On Jun 30, 2014, at 2:53 AM, Trevor Perrin <trevp at trevp.net> wrote:

> On Thu, Jun 26, 2014 at 2:35 PM, Michael Farb <mwfarb at cmu.edu> wrote:
>> 
>> One approach we took with SafeSlinger was to reduce the set of 2-10 public
>> keys of all users who are trying to simultaneously exchange keys to 24-bits
>> through a real-time combined in-band and out-of-band protocol. The advantage
>> is 2-10 people attesting to the same 24-bit ephemeral fingerprint goes
>> pretty quickly.
> 
> Hi Michael,
> 
> Thanks for sending that!
> 
> We had earlier discussion on nearby people exchanging public keys and
> other contact info by using their phones to execute a "pairing"
> protocol, which users authenticate with a "Short Auth String".
> 
> SafeSlinger looks like a well-designed generalization of that for
> small groups.  Everyone in the group verifies the same SAS, instead of
> having each pair of users compare.
> 
> At the moment it looks like communications are through a server, with
> a "compare amongst yourselves and enter lowest ID" step so the users
> can form into groups while preserving client anonymity.
> 
> But that's a useability inconvenience, and the server contact still
> seems like a risk for relationship info (you could contact it over
> Tor, but Tor's not perfect).  I wonder what the prospects are for
> making this work over Bluetooth or other short-range comms.  The
> paper's analysis of message rounds and bandwidth is a little vague, it
> would be nice to see more detail.
> 
> I'm also curious what led you to choose a tree-based group key
> agreement rather than either
> (A) a ring-based GKA (like Burmester-Desmedt or Kim-Lee-Lee [1], e.g.
> do DH with parties to left and right of you, publish the XOR), or
> (B) pairwise encryption to each user's public DH value (at <= 10
> users, it seems like that could be a single message of a few hundred
> bytes).
> 
> Trevor
> 
> [1] https://www.iacr.org/archive/asiacrypt2004/33290243/33290243.pdf

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140702/4c19fa9c/attachment.html>


More information about the Messaging mailing list