Can someone tell which key you enc'ed with?
|
|
| Anonyma 2006-10-24, 1:12 pm |
| I've spent a few minutes looking for the answer to this one and I'm too
damn lazy to ultimately hunt it down..
q. Say I have 20 public keys (like the set of rsa keys for the remailer
network) and my "well resourced" adversary has the same 20 public keys. If
I encrypt a block of text with one of those keys and then post the result
to a.a.m, can my adversary determine which key I used? (ie Can my
adversary determine the target of my post? )
thanks.
| |
| Echeloff 2006-10-24, 1:12 pm |
| >I've spent a few minutes looking for the answer to this one and I'm too
>damn lazy to ultimately hunt it down..
>
>q. Say I have 20 public keys (like the set of rsa keys for the remailer
>network) and my "well resourced" adversary has the same 20 public keys. If
>I encrypt a block of text with one of those keys and then post the result
>to a.a.m, can my adversary determine which key I used? (ie Can my
>adversary determine the target of my post? )
To begin with, what makes you think, that remailers retrieve their
mails from a.a.m.? They only process what's sent to their own mailbox,
decrypt it with their private key and forward the result to the
address that's unveiled by the decryption. If that's another remailer,
the procedure starts all over again. If not, the message gets
delivered to the final addressee. The principle is, that there's
hardly a chance for an external observer to assign in- to outgoing
mail. That's at least how onion routing works.
http://wiki.noreply.org
https://www.panta-rhei.eu.org/pantawiki
https://ssl.dizum.com/help/remailer.html
Hope that helps.
Echeloff
| |
| Nomen Nescio 2006-10-24, 1:12 pm |
| Anonyma <anon-bounces@deuxpi.ca> wrote:
> q. Say I have 20 public keys (like the set of rsa keys for the remailer
> network) and my "well resourced" adversary has the same 20 public keys. If
> I encrypt a block of text with one of those keys and then post the result
> to a.a.m, can my adversary determine which key I used? (ie Can my
> adversary determine the target of my post? )
Yes. The receiver's key id is usually stored in the header of the encrypted
message, so that the receiver doesn't need to try all his private keys.
GnuPG offers an option to insert none or a random key ID into the header
but that might cause problems with the receiver if his software doesn't
know how to handle it.
| |
| Echeloff 2006-10-24, 1:12 pm |
| Sorry, misunderstood the question.
As this seems to become a custom-made solution for a circle of
friends, a surrounding symmetric encryption layer using a key
prearranged with all potential recipient(s) would help. But why not
use some well-tried standard nym server to bypass those problems?
Echeloff
| |
| Borked Pseudo Mailed 2006-11-02, 1:13 am |
| In response to the question:
> q. Say I have 20 public keys (like the set of rsa keys for the
> remailer network) and my "well resourced" adversary has the same
> 20 public keys. If I encrypt a block of text with one of those
> keys and then post the result to a.a.m, can my adversary determine
> which key I used? (ie Can my adversary determine the target of my
> post? )
nobody@dizum.com (Nomen Nescio) replied:
> Yes. The receiver's key id is usually stored in the header of the
> encrypted message, so that the receiver doesn't need to try all his
> private keys. ...
and
echeloff@null.dev (Echeloff) replied:
> ... a surrounding symmetric encryption layer using a key
> prearranged with all potential recipient(s) would help.
Thanks both... I've got another question that I was hoping to get a quick
answer to..
From the PGP 2.6.3i manual (part 1):
> Encrypting a Message to Multiple Recipients
>
> If you want to send the same message to more than one person, you
> may specify encryption for several recipients, any of whom may
> decrypt the same ciphertext file. To specify multiple recipients,
> just add more user IDs to the command line, like so:
>
> pgp -e letter.txt Alice Bob Carol
>
> This would create a ciphertext file called letter.pgp that could
> be decrypted by Alice or Bob or Carol. Any number of recipients
> may be specified.
q. If I took my encrypted text block and encrypted it again with all 20
public keys simultaneously using the approach above and then posted the
result, would the resulting block be "weak" with respect to my adversary's
ability to determine the target of the initial block "inside"? (or are we
just dealing with 1000's of years to crack rather than 10's of thousands
of years).. (Let's say 2048 bit RSA keys if it matters much).. What about
if there were 75 public keys instead of 20? (PGP 2.6.3i doesn't seem to
specify a limit other than command line length and the key-ids involved
could be reduced to 2 letters each perhaps).
(a "prearranged" key as suggested earlier wouldn't be an option because
I'm assuming my adversary would eventually be able to infiltrate the
secure group (like a rogue remop in the remailer network) and thus get
hold of the shared key needed to remove the surrounding layer)
TIA (again)
| |
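Added example (not part of any post in the thread): a minimal Python reader for the packet headers Nomen Nescio describes, applied to the multi-recipient form quoted from the PGP manual, where each recipient gets its own session-key packet in front of the encrypted data. It assumes the RFC 4880 packet layout; `read_packets`, `recipient_key_ids`, `pkesk` and the sample key IDs are constructed for illustration.

```python
PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)

def read_packets(data):
    """Yield (tag, body) for each OpenPGP packet in a binary (de-armored) message."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]; pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            first = data[pos]; pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192; pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big"); pos += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header (used by PGP 2.6.x)
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                length = len(data) - pos     # indeterminate: runs to end of input
            else:
                n = 1 << ltype               # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + n], "big"); pos += n
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_ids(data):
    """Return the key ID of every PKESK packet; None marks a wildcard (all-zero) ID."""
    ids = []
    for tag, body in read_packets(data):
        if tag == PKESK_TAG and body[:1] in (b"\x02", b"\x03"):
            key_id = body[1:9]               # 8 octets, sent in the clear
            ids.append(None if key_id == bytes(8) else key_id.hex().upper())
    return ids

def pkesk(key_id_hex):
    """Build a constructed v3 PKESK packet (old-format header, RSA, dummy session key)."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xAA"
    return bytes([0x84, len(body)]) + body

# Constructed sample: two named recipients, one wildcard, then an encrypted data packet.
SAMPLE = (pkesk("1111111111111111") + pkesk("2222222222222222")
          + pkesk("0000000000000000") + bytes([0xA4, 4]) + b"\xDE\xAD\xBE\xEF")
```

Running `recipient_key_ids` over your own de-armored ciphertext before posting shows which key IDs it exposes; an all-zero ID is the wildcard form RFC 4880 allows for a recipient whose key ID is withheld.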
|
| On Wed, 1 Nov 2006 21:45:33 -0700 (MST), Borked Pseudo Mailed wrote in
Message-Id: <5a9ad33c640fbc73b71af6eb73cbc5fe@pseudo.borked.net>:
> q. If I took my encrypted text block and encrypted it again with all 20
> public keys simultaneously using the approach above and then posted the
> result, would the resulting block be "weak" with respect to my adversary's
> ability to determine the target of the initial block "inside"? (or are we
> just dealing with 1000's of years to crack rather than 10's of thousands
> of years)
In terms of a brute force attack, you are weakening your encryption from
the point of view that your adversary has a number of potential hits
instead of just one. Take a 1024bit key:
On a single key, that's a hit ratio of 1 in 1.8x10^308
For two keys, it goes down to 9x10^307
For three keys, 6x10^307
I think you can sleep easy at nights with those odds. 
> .. (Let's say 2048 bit RSA keys if it matters much).. What about
> if there were 75 public keys instead of 20? (PGP 2.6.3i doesn't seem to
> specify a limit other than command line length and the key-ids involved
> could be reduced to 2 letters each perhaps).
For encryption to 75 x 2048bit keys:
That's 1 hit in every 4.3x10^614 attempts.
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
| |
| Dingo Admin 2006-11-02, 7:13 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
On Thu, 2 Nov 2006, Zax <admin@bananasplit.info> wrote:
>On Wed, 1 Nov 2006 21:45:33 -0700 (MST), Borked Pseudo Mailed wrote in
>Message-Id: <5a9ad33c640fbc73b71af6eb73cbc5fe@pseudo.borked.net>:
>
>
>In terms of a brute force attack, you are weakening your encryption from
>the point of view that your adversary has a number of potential hits
>instead of just one. Take a 1024bit key:
>
>On a single key, that's a hit ratio of 1 in 1.8x10^308
>For two keys, it goes down to 9x10^307
>For three keys, 6x10^307
>
>I think you can sleep easy at nights with those odds. 
>
>
>For encryption to 75 x 2048bit keys:
>That's 1 hit in every 4.3x10^614 attempts.
For newbies, remember every time you add "1" to the exponent, the number
increases by 10 times. 5x10^31 is a 10 times larger number than 5x10^30.
Just for reference, the number of stars in the Universe is between 3 and 5
x 10^22. The number of atoms that make up the earth is 10^50. The number of
fundamental particles (electrons, protons, neutrons, etc.) is between 10^80
and 10^85.
10^614 is quite a large number.
Dingo Admin
dingoadmin@dingoremailer.com
-----BEGIN PGP SIGNATURE-----
Version: N/A
-----END PGP SIGNATURE-----
| |
| Stray Cat 2006-11-02, 7:13 pm |
|
Echeloff wrote:
>
> To begin with, what makes you think, that remailers retrieve their
> mails from a.a.m.?
Snip.....
Actually, there have been a few remailers in the past that did exactly
this. They had addresses at nym.alias.net that terminated at a.a.m, but
if you wanted to, you could post your to-be-remailed message to a.a.m
and it would be retrieved from there and processed. Off the top of my
head, the Miranda Remailer was one such remailer.
| |
|
| On 2 Nov 2006 19:12:48 -0000, Dingo Admin wrote in
Message-Id: <0X2198U239023.5505555556@anonymous.poster>:
> 10^614 is quite a large number.
Really big. You just won't believe how vastly hugely mind-bogglingly big
it is. I mean you may think it's a long way down the road to the
chemist..........
Couldn't resist it. :-)
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
| |
| Dingo Admin 2006-11-02, 7:13 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
On Thu, 2 Nov 2006, Zax <admin@bananasplit.info> wrote:
>On 2 Nov 2006 19:12:48 -0000, Dingo Admin wrote in
>Message-Id: <0X2198U239023.5505555556@anonymous.poster>:
>
>
>Really big. You just won't believe how vastly hugely mind-bogglingly big
>it is. I mean you may think it's a long way down the road to the
>chemist..........
>
>Couldn't resist it. :-)
<VBG>
-----BEGIN PGP SIGNATURE-----
Version: N/A
-----END PGP SIGNATURE-----
| |
| Echeloff 2006-11-02, 7:13 pm |
| Stray Cat wrote:
>Actually, there have been a few remailers in the past that did exactly
>this. They had addresses at nym.alias.net that terminated at a.a.m, but
>if you wanted to, you could post your to-be-remailed message to a.a.m
>and it would be retrieved from there and processed. Off the top of my
>head, the Miranda Remailer was one such remailer.
Interesting, but doesn't this only make sense if you send the message
to the remailer's nym address? Or did the remailer download all
available message bodies from a.a.m. and try to decode them? Maybe
there were other marks the remailer reacted upon.
Echeloff
| |
| Borked Pseudo Mailed 2006-11-03, 1:13 am |
| > Interesting, but doesn't this only make sense if you send the message
> to the remailer's nym address? Or did the remailer download all
> available message bodies from a.a.m. and try to decode them? Maybe
> there were other marks the remailer reacted upon.
There is a huge advantage to putting a message up on usenet either
initially or as an intermediary hop... it breaks the in-out tracking that
low latency remailers permit to some extent. If every remailer D/L's
every post that "might" include an email for them to inject into the
network, TLA will be unable to tell which one actually injected it..
especially if there were some dummy injections, etc..
| |
| Borked Pseudo Mailed 2006-11-03, 1:13 am |
| >> q. If I took my encrypted text block and encrypted it again with all 20
>
> In terms of a brute force attack, you are weakening your encryption from
> the point of view that your adversary has a number of potential hits
> instead of just one. Take a 1024bit key:
>
> On a single key, that's a hit ratio of 1 in 1.8x10^308
> For two keys, it goes down to 9x10^307
> For three keys, 6x10^307
>
> I think you can sleep easy at nights with those odds. 
>
Thanks for the info.. I was just wondering about "leakage" or something
like they describe for programs like "air snort" I think it is that
deduces a WEP key by tracking lots and lots of packets. I thought maybe in
all those (p * q)'s there might be a real problem with encrypting to a
whole bunch of keys.
| |
| Stray Cat 2006-11-03, 1:13 am |
|
Echeloff wrote:
> Stray Cat wrote:
>
>
> Interesting, but doesn't this only make sense if you send the message
> to the remailer's nym address? Or did the remailer download all
> available message bodies from a.a.m. and try to decode them? Maybe
> there were other marks the remailer reacted upon.
>
> Echeloff
I was just stating how the remailer operator advertised the service:
either send to the address at nym.alias.net, or post to a.a.m. I do not
know whether the remop downloaded all the messages from a.a.m or just
those destined for the remailer. Either way - it made no difference
from the user's perspective.
| |
| Nomen Nescio 2006-11-03, 7:14 pm |
| Borked Pseudo Mailed <nobody@pseudo.borked.net> wrote:
> There is a huge advantage to putting a message up on usenet either
> initially or as an intermediary hop...
There's an even bigger disadvantage: It overloads the remailers and
nymservers. Remailers process thousands of messages per day. Nymservers are
not designed to handle such a load for a single user. The remailer's
reply-blocks increase the load on the other real remailers exponentially.
This idea might have some esoteric advantages from an academic viewpoint
but please don't try it in the real world.
| |
| Borked Pseudo Mailed 2006-11-03, 7:14 pm |
| >> There is a huge advantage to putting a message up on usenet either
> There's an even bigger disadvantage: It overloads the remailers and
> nymservers. Remailers process thousands of messages per day. Nymservers
> are not designed to handle such a load for a single user. The remailer's
> reply-blocks increase the load on the other real remailers
> exponentially.
>
> This idea might have some esoteric advantages from an academic viewpoint
> but please don't try it in the real world.
Your comments remind me of the non-smoking advocates who quote how much
smoking costs society by adding up all the costs of lung cancer treatments
yet never subtracting the costs of hip-replacements, by-pass surgeries,
subsidised seniors housing, etc, etc that are SAVED when smokers die at 60
instead of living an additional 20 or more years after the "productive"
portion of their life is over.
First.. you seem to be stuck on Nym-servers and reply blocks for some
reason.. what I am talking about is simply a group of "additional"
operators who monitor usenet (a.a.m or some suitable group) and D/L those
posts that are marked as "remailer injection packets". If each post
indicates a dozen or so (trusted) "pseudo remailers" who D/L the post,
decrypt it, and then, if they are the 1 "chosen target" machine, inject
the packet into the remailer network this would not be some exponential
increase in remailer load.
From a PRACTICAL perspective the procedure could include an
"acknowledgements" post by each "pseudo remailer" perhaps a couple of times
per hour where a flag string (hash of some sort) from each message
successfully decrypted (and if applicable, injected) could provide
feedback to the sender that the message had made it through the system to
that point. This feedback would reduce some of the dependence on the
redundancy that is the REAL cause of high remailer load issues.. (that and
the totally excessive level of ping traffic going through the remailer
system)..