On Mon, 2 Sep 2013 19:53:03 +0200 Faré <fah...@gmail.com> wrote:
> On Mon, Sep 2, 2013 at 7:19 PM, Perry E. Metzger
> <pe...@piermont.com> wrote:
> > On Mon, 2 Sep 2013 03:00:42 +0200 Faré <fah...@gmail.com> wrote:
> >> >> At intervals, the trustworthy organization (and others like
> >> >> it) can send out email messages to Alice, encrypted in said
> >> >> key, saying "Hi there! Please reply with a message containing
> >> >> this magic cookie, encrypted in our key, signed in yours."
> >> >>
> >> The cookie better not be a value that the organization can
> >> skew with its own "random" source, but be based on a digest of
> >> consensual data, such as the date (with sufficiently coarse
> >> resolution), the top of the consensual database (if any),
> >> public weather measurements from previous day, etc.
> >
> > I don't understand why. The security requirement is that third
> > parties must *not* be able to predict the token, because then they
> > could sign the token without controlling the email address. The
> > only organization that can know the cookie is actually the
> > organization sending the cookie out. You appear to have inverted
> > the security requirement...
> >
> In my scheme, no one can predict it, everyone can postdict it,
> *after* the "trusted" organization published its salt, at which
> point it's too late to send it signed confirmations.
> Therefore, neither side can cheat.
I don't see what threat this averts. If the sending organization is cheating, this does not stop them from pretending that they received a signed cookie in a round trip. It just seems to add complexity. The only interesting form of cheating I can think of is pretending a round trip existed when it did not.

> In particular, the "trusted" organization has precious little power
> to extract information by handing users carefully crafted cookies.

I don't see how that is an issue either, unless you are referring to chosen plaintext attacks, but the encryption format had better already defend against those.

> For even less power, the organization can publish digests of its
> salts years in advance.

Again, I don't understand the threat being defended against. Can you articulate exactly what was possible before that is not possible in the scheme you propose?

Perry
--
Perry E. Metzger pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
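As an added illustration, not code from the thread or from either participant, here is one way the salt-commitment variant Faré sketches could be realized: the organization publishes a digest of a secret salt ahead of time, derives each round's cookie from that salt plus public "consensual" data, and reveals the salt only after the confirmation deadline, so nobody can predict the cookie beforehand but anyone can postdict it afterwards and catch a swapped salt. The function names, the HMAC derivation and the sample values are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed illustration of the commit-then-reveal cookie scheme discussed
# in the thread. The exact derivation and all names are assumptions, not a
# specification taken from Faré's message.

def commit_salt(salt: bytes) -> str:
    """Digest the organization publishes in advance, binding it to the salt."""
    return hashlib.sha256(salt).hexdigest()

def consensual_data(date: str, db_head: str) -> bytes:
    """Public inputs anyone can reconstruct later (coarse date, database head)."""
    return f"{date}|{db_head}".encode()

def derive_cookie(salt: bytes, public: bytes) -> str:
    """Cookie = HMAC(salt, public data): unpredictable while the salt is secret."""
    return hmac.new(salt, public, hashlib.sha256).hexdigest()

def verify_commitment(published_digest: str, revealed_salt: bytes) -> bool:
    """After the reveal, check the salt matches the digest published earlier."""
    return hmac.compare_digest(published_digest, commit_salt(revealed_salt))

def postdict_cookie(published_digest: str, revealed_salt: bytes,
                    public: bytes) -> Optional[str]:
    """What a third party can do after the reveal: recompute the cookie, or
    reject the round if the organization reveals a salt it never committed to."""
    if not verify_commitment(published_digest, revealed_salt):
        return None
    return derive_cookie(revealed_salt, public)

def demo() -> dict:
    """Run one round with constructed values (the salt is fixed, not random,
    purely so the example is reproducible)."""
    salt = b"constructed-salt-for-illustration-only"
    digest = commit_salt(salt)                        # published well in advance
    public = consensual_data("2013-09-02", "dbhead:constructed")
    cookie = derive_cookie(salt, public)              # sent to Alice, signed back
    honest = postdict_cookie(digest, salt, public)    # recomputed after the reveal
    cheating = postdict_cookie(digest, b"other-salt", public)  # swapped salt caught
    return {"cookie": cookie, "honest": honest, "cheating": cheating}
```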