Re: Anonymous Credit
Ben Laurie <[EMAIL PROTECTED]> writes: > Note that you should be rather careful about leaving the private key > lying around, just in case someone guesses who you are. And, in case it > isn't obvious, don't use the key for anything else. Do you really need public key cryptography? What about this: Just remember some phrase, calculate a cryptographic hash of the phrase and the document in sequence, and publish the document along with the hash. If the hash is safe, only you should be able to reveal the prefix which yields the pubished hash together with the document. (This assumes that no man-in-the-middle attacks are possible before the public dissemination of the document and the hash. For example, the publisher might replace the hash with his own creation.) [Moderator's note: an HMAC is *much* safer than simply prepending a key to construct a MAC with a cryptographic hash. --Perry] The advantage is that you don't need to store any data in order to claim authorship later on. The disadvantage: in order to be sacure, the pass phrase has to be quite long, therefore it will be difficult to remember. (Please Cc: me on reply, I don't think I'm subscribed to any of the mailing lists involved.) -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Anonymous Credit
Rich Salz wrote: > > Clever. > > > Note that you should be rather careful about leaving the private key > > lying around, just in case someone guesses who you are. And, in case it > > isn't obvious, don't use the key for anything else. > > Perhaps safer: after you sign the publication, sign a statement of > identity (I am Inego Montoya, and I cracked Ebook as shonw in the paper > signed by the key that signed this), write it to a floppy, and store > that somewhere, then destroy the key. I suppose this is safer, in that it is deniable ("Me? Crack Ebook? Its a setup!"). Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Anonymous Credit: New proposal
On Sat, Sep 01, 2001 at 11:14:56PM -0500, Frank Tobin wrote: > > Simple. The original author should use a trusted time-stamping service to > indicate a trusted 'true' time for the first signature. > Alternatively, Sure, but this was not part of the proposal. And I don't know of any existing time-stamping service which is trusted and provides services to anonymous people. It must be possible to receive the time stamp without revealing your identity or to get a time stamp which can't be tracked to the message to be posted. > the detached signature should be presented ahead of time and distributed > widely. When the document comes out, you prove you have the secret key, > and that your signatures on the document existed in distribution before > the document itself was in distribution. Not really. Makes stealing more difficult, but not impossible. The attacker now has to prevent the distribution of the detached signature *and* has to make the author believe it had successfully been distributed (e.g. fake a mail from a distribution list), then wait for distribution of the full message. Problem: A signature is simply the wrong cryptographic tool. A signature gives non-repudiation, so the owner of the secret key can't deny to have seen the message (which is useless, as long as the identity of the key owner is unknown). But in this case you want to prove that some is the only author, not that he has seen the message, which is a matter of authentication, not message signing. New Proposal: 1. Author generates a public/secret key pair, suitable for authentication (maybe zero knowledge, in case message could bring author to jail...) 2. Author generates a random number (nonce) and calculates Hashsum(concat(random number,message)). 3. Author anonymously publishes the public key from step 1 and the hashsum from step 2 ("I will later claim authorship of a message..."). 4. Some public authorities (as many as possible, whoever should be convinced of authorship later, e.g. mailing list admins, notaries, universities,...) generate a signature for the public key and the hashsum published in step 3. This means: "We will accept the person who authenticates to this public key as the author of the message with this hashsum." This signature is publicly distributed (sent to a mailing list, put on a web server,...) 5. If the author receives enough of these signatures, he can be sure to claim authorship later by using the secret key to authenticate. If the author doesn't receive enough signatures within a given amount of time, he repeats from step 2. 6. Author anonymously publishes the message and the random number. The issuers of the signatures (and whoever trusts them) can now link the message to a public key for authentication. 7. Whenever he wants, author can prove authorship by authenticating to the public key (which might be comfortable if it is a zero-knowledge scheme and the police is waiting...) Hadmut Hadmut - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Anonymous Credit
Removed cross-posts. Hadmut Danisch, at 23:43 +0200 on Sat, 1 Sep 2001, wrote: What does me keep from catching the message, stripping off the signature, add a new signature with my own (secret, freshly created) key but with an older date, publish it with my signature, and later claim to be the author? Simple. The original author should use a trusted time-stamping service to indicate a trusted 'true' time for the first signature. Alternatively, the detached signature should be presented ahead of time and distributed widely. When the document comes out, you prove you have the secret key, and that your signatures on the document existed in distribution before the document itself was in distribution. -- Frank Tobin http://www.neverending.org/~ftobin/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Anonymous Credit
Clever. > Note that you should be rather careful about leaving the private key > lying around, just in case someone guesses who you are. And, in case it > isn't obvious, don't use the key for anything else. Perhaps safer: after you sign the publication, sign a statement of identity (I am Inego Montoya, and I cracked Ebook as shonw in the paper signed by the key that signed this), write it to a floppy, and store that somewhere, then destroy the key. /r$ -- Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption) http://www.zolera.com - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Anonymous Credit
>Just thought I should point out that recycling an old idea allows >researchers to publish stuff anonymously that could be illegal under >DMCA (or other ridiculous legislation) and still get the credit when the >world comes to its senses. The formula is simple: create a PGP key and >sign the publication. Publish anonymously (or pseudonymously, if you >prefer) in the usual way (carefully, please!). Once it becomes legal to >claim the credit, prove you have the corresponding private key, and >there you are. just for fun, let's suppose that your anonymous publication was a fine description of how to factor really large numbers in trivial time (and you really don't want every large intelligence agency and their bastard children coming after you). how would you sign that? after all, your paper would effectively be a description of how to sign anything with anyone's public key. [Use an HMAC and a secret only you know, then, or some similar mechanism. If your new method destroys both public key methods and hash functions at the same time, you'll need to be more creative --Perry] -- |-< "CODE WARRIOR" >-| [EMAIL PROTECTED] * "ah! i see you have the internet [EMAIL PROTECTED] (Andrew Brown)that goes *ping*!" [EMAIL PROTECTED] * "information is power -- share the wealth." - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Anonymous Credit
On Sat, Sep 01, 2001 at 09:13:32PM +0100, Ben Laurie wrote: > Just thought I should point out that recycling an old idea allows > researchers to publish stuff anonymously that could be illegal under > DMCA (or other ridiculous legislation) and still get the credit when the > world comes to its senses. The formula is simple: create a PGP key and > sign the publication. Publish anonymously (or pseudonymously, if you > prefer) in the usual way (carefully, please!). Once it becomes legal to > claim the credit, prove you have the corresponding private key, and > there you are. What does me keep from catching the message, stripping off the signature, add a new signature with my own (secret, freshly created) key but with an older date, publish it with my signature, and later claim to be the author? Hadmut [Use a digital timestamping service. Or just publish a hash of the message plus a secret only you know in the newspaper. --Perry] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]