[liberationtech] New protocol sacrifices bandwidth for metadata privacy

Seth David Schoen schoen at eff.org
Mon Aug 4 12:39:50 PDT 2014 

Natanael writes:

> Reminds me of I2P's Bote mail. Similar in concept and functionality.
> I2P is a traffic anonymization network similar to Tor, Bote mail works
> on top of it using DHT for mail distribution. Public keys as
> addresses, no servers and everything is encrypted.

Pond is another important entrant in the traffic analysis resistance
marketplace.

https://github.com/agl/pond

One thing I think is especially important if you're going to try to
propagate every message to every potential recipient is forward secrecy,
because with something like PGP, only someone who was proactively
eavesdropping on you or your network infrastrucure has your old messages,
whereas with a flooding design, _all_ network participants potentially
have, and might be archiving, all old messages.  So any private key
compromise at any point results in quite a wide audience that can go
back and read old traffic.  Someone who thinks they might want to read
your traffic some day might simply join the network legitimately and
start archiving ciphertext, hoping that they get some opportunity to get
ahold of your key one way or another, maybe a few years down the line.

I'm a bit pessimistic about the current Clique: it offers a software
download only over an unauthenticated connection, with a hash placed
on the same unauthenticated page.  The implementation modifies the
Rijndael key schedule (to create a quasi-4096 bit symmetric cipher),
and the documentation refers to it as "self-evident that" this "is not
secure against eavesdroppers with truly unlimited computing power".
I guess that's true inasmuch as an eavesdropper with truly unlimited
computing power can perform 2⁴⁰⁹⁶ operations instantaneously,
but real physical adversaries have physical limits that make it not
particularly self-evident whether Rijndael is secure against them.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

More information about the liberationtech mailing list