<div dir="ltr"><div>Pond is a great advance for secure messaging, but it suffers from the fact that I can't send someone a cold intro if they don't already know me. For that reason it does not solve the Snowden/Greenwald problem.<br>
</div><div><br></div><div>Pond users <i>do</i> have email-address like things and servers <i>could</i> receive and store arbitrary messages: it's only the "forward secure or nothing" policy that forbids this. If you knew a static public key+server key for a Pond user, you could send an message with the DH KeyExchange protobuf attached and bootstrap the conversation that way.</div>
<div><br></div><div>So for many interesting conversations we end up back at the decades old PKI problem, which is what this message is about. </div><div><br></div><div><b>Problem statement</b></div><div><br></div><div>The traditional PKI allows me to select a public key and work with a well known CA to bind that key to some identity, additionally, to publish that in some directory. When the fact that someone uses encrypted email is not sensitive, it's useful. But it suffers from several flaws:</div>
<div><ul><li>Although obtaining a cert for an email address is not too hard, often people think in other terms. Snowden may not have known Greenwald's email address at the start, he just knew he wanted to talk to "an American guy with the name Glenn Greenwald, who writes this particular blog" and maybe "who looks like this photo/video I saw". Finding the right email address introduces a potential for a savvy opponent to MITM messages right from the start.<br>
<br></li><li>Obtaining a CA cert for a natural name requires showing some proof of identity, but is annoying and expensive to obtain. I got mine by going to the local post office and paying a fee, then waiting a day or two. Hardly anyone will put up with this.<br>
<br></li><li>Even if you obtain such a cert, it typically only attests to your legal name and your email address. But names are not unique and can collide. Social networks use name+photo plus other useful details as disambiguators, but in practice X.509 certs do not allow this.<br>
<br></li><li>The directories are LDAP based and suck, so nobody uses them.</li></ul></div><div>PGP key servers solve some of these problems, but the entries are unauthenticated by anything except the WoT which leaks valuable social metadata. Plus finding a path through the WoT can often be hard or impossible.</div>
<div><br></div><div>It would be ideal if a user could create a findable human-oriented identity similar to that of a social network, but that was hard to forge, and which bound that identity to a public key. Additionally to do it for free, from home, without any special new infrastructure like new CAs.</div>
<div><br></div><div><b>e-Passports</b></div><div><b><br></b></div><div>Starting from the early 2000's the international passport system (run by the International Civil Aviation Organisation or ICAO) started being upgraded to feature NFC readable chips that contain a copy of the data inside the paper version, digitally signed by the issuing government. Some passports have additional data and features, however they do not concern us here.</div>
<div><br></div><div>If you have a passport and it was replaced in recent years it probably already supports NFC. The wikipedia page here has an excellent list of each countries implementation of the scheme:</div><div><br>
</div><div><a href="http://en.wikipedia.org/wiki/Biometric_passport">http://en.wikipedia.org/wiki/Biometric_passport</a><br></div><div><br></div><div>The basic contents of the e-Passport are authenticated by a regular X.509 certificate chain and encrypted under a simple low entropy key derived from details written on the photo page. This means the data is readable by anyone with an NFC capable Android phone, using e.g. this app:</div>
<div><br></div><div><a href="https://play.google.com/store/apps/details?id=nl.novay.nfcpassportreader&hl=en">https://play.google.com/store/apps/details?id=nl.novay.nfcpassportreader&hl=en</a><br></div><div><br></div>
<div>Using this app you can obtain a copy of your e-Passport details by doing nothing more than pointing your camera at the machine-readable zone at the bottom of the photo page (to calculate the BAC key) and then holding the phone against the passport for a few seconds. With an appropriate GUI this is a task anyone with a passport and compatible phone can accomplish.</div>
<div><br></div><div>Some passports have an unextractable private key hidden inside them. It should be obvious how this could be used to in turn sign a short-term private key that is usable for encrypted messaging, with the public part (including a clear photo) uploaded to a searchable, Facebook like directory.</div>
<div><br></div><div>However this plan has a couple of fatal flaws:</div><div><ol><li>Most passports do not have such a private key inside them, presumably for cost reasons. Therefore it cannot work for most people.</li><li>
It requires uploading a full copy of the data inside your passport, including things like your passport number. This is inflexible and many would refuse to do this.</li></ol></div><div><br></div><div><div><b>General zero knowledge proofs</b></div>
<div><br></div><div>It is expected that within the next year or two a fully usable ZKP framework will become available via libsnark:</div><div><br></div><div><a href="https://github.com/scipr-lab/libsnark">https://github.com/scipr-lab/libsnark</a><br>
</div><div><br></div><div>Some code is already available but is currently too low level to be useful. But the researchers have created, amongst other things, a version of GCC that compiles imperative C programs down to a form which can be turned into a very small zero knowledge proof with both private and public inputs allowed. Those programs can have private inputs, they can contain loops, reuse existing C libraries and do other things that have historically been impossible to accomplish under zero knowledge. And they plan to get most of it out there under open source licenses.</div>
</div><div><br></div><div><br></div><div><b>ZKPOP</b></div><div><b><br></b></div><div>By combining libsnark with the Android NFC passport reader, we should be able to build a proof that the user has a valid certificate signed by a national passport agency, but selectively revealing only the parts the user wishes. Additionally, by setting a private key as a private input, and the public key as a public input, we can bind this proof to a key of our choosing.</div>
<div><br></div><div>This has a couple of interesting uses for building a private messaging system:</div><div><ul><li>By selectively revealing things like real name, photo, and year of birth and publishing the proof to a searchable directory, we can easily create a Facebook-like directory of verified public keys without the need for the user to leave their own home and without the need to rely on social networks of key verifiers.<br>
<br>This can help mitigate a Greenwald/Snowden type introduction problem. Although the issuing government could create a fake profile entry, other governments could not (at least not without breaking the security of the other governments passport infrastructure, which we assume they are incentivised to protect). Additionally as the entries are public such behaviour could be noticed quite easily.<br>
<br></li><li>By revealing only a hash of the given passport without anything else, you can create a quasi-anonymous yet expensive identity. This has implications for spam filtering - someone anonymous can send emails, and if they turn out to be an asshat spammer their passport hash can be blocked. This is likely to be a more troublesome roadblock to spamming than an IP address block. For Pond, which has low bandwidth, a strong anti-spam solution that does not require metadata analysis seems important.<br>
<br>I say "quasi-anonymous" because an issuing government that is storing the exact bytes written to every passport could of course simply enumerate all of them and reverse the hash. Additionally, governments that record the contents of passports when people travel across borders could also do this. However a government that is not your own/is hostile to your own and where you have never travelled should find deanonymisation hard.<br>
<br>Additionally, any adversary that is <i>not</i> a government should find deanonymisation very hard indeed. Often a weaker threat model is sufficient e.g. you wish to be anonymous not from the NSA but non-state actors you might fear, like a local drug cartel.<br>
</li></ul><div><b><br></b></div><div><b>Other use cases</b></div></div><div><br></div><div>Any system in which sybil attacks are a problem could potentially use these quasi-anonymous credentials to help separate nodes. For example Tor router operators could publish such a ZKPOP that reveals <i>only</i> the issuing country. Clients could then build circuits through routers owned by citizens of countries that dislike each other and are unlikely to co-operate.</div>
<div><br></div><div><b><br></b></div><div><b>Methods of attack</b></div><div><b><br></b></div><div>No key scheme is perfect and nor is this one. Some attacks were already listed above, but additional ones worth highlighting are:</div>
<div><ul><li>Passports are not two factor credentials. Thus anyone who can get physical access to your passport for a few minutes can create an identity as you.<br><br></li><li>People routinely give up their passport when crossing borders, checking in to hotels and doing other travel-related things. So it may be that the number of people who can fraudulently create such identities is high enough to make it unworkable.<br>
<br></li><li>Host governments can manufacture fake identities at will, although only for their own country.<br><br></li><li>There is a trade in stolen or sold passports; it's not uncommon for flights to have people travelling on bogus passports quite successfully as almost all countries do not check for theft.</li>
</ul><div>It might be possible to address the theft issue by having users also do a "salute"; this means they take a selfie (photo or video) in which they are performing some action that was selected by some third party, like holding up a certain number of fingers or holding a code written on paper, with their face clearly visible. The third party then checks that the face in the salute is the same as the face in the passport. In this way they authenticate the act of creating the ZKPOP with their body. How to achieve this in a mostly decentralised setting is a topic for further research.</div>
</div></div>