[messaging] Google End-to-End plans on using key directories with a CT-like verification protocol

Tony Arcieri bascule at gmail.com
Thu Aug 28 15:17:42 PDT 2014

On Thu, Aug 28, 2014 at 3:08 PM, yan <yan at mit.edu> wrote:

> I guess I don't understand why hashing is necessarily "trivially
> invertible" here. If the threat is large precomputed rainbow tables of
> potential email addresses, you could have the email provider salt the
> hashes before submitting them to the log; or probably easier, have a
> unique "pepper" per email provider that gets rotated on some interval [1]

It seems like using a modern password hashing function (e.g. bcrypt,
scrypt) on the input names, combined with a random salt per user, should be
sufficient to prevent blanket harvesting. There are all sorts of easy ways
to harvest email addresses already, so anything that's harder that the
existing methods should provide a sufficient deterrent.

Alternatively, the directory could tokenize the usernames somehow, e.g.
picking a random UUID per user, or perhaps HMACing their username with a
directory-specific key. The directory could offer a service to map names to
their tokens, and use standard rate limiting / monitoring techniques to
spot abuses by email harvesters.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140828/1900246d/attachment.html>

More information about the Messaging mailing list