[Freedombox-discuss] Follow up to the FreedomBox 'bump/hi-five' challenge

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jun 24 00:39:47 UTC 2011


On 06/23/2011 07:58 PM, Erik Harmon wrote:
> Why not just generate an ephemeral 256-bit AES key, encode that as a qr
> code, then the freedombox owner transmits their ip address and entire PK
> including sigs using that key?

We need to move away from thinking of an IP address as any sort of
permanent or identifiable resource, so i don't think that necessarily
belongs in the information we're talking about here, unless we're
talking about an acknowledged-to-be-volatile address.

> Via bluetooth, nfc, wifi, or whatever. The qr
> code becomes of reasonable size, there's very low chance of interception,
> and then you can transmit as much as you want right then and there.

this works assuming both parties have the same set of bluetooth, nfc,
wifi, or whatever technologies available at the same time.  In my e-mail
to this list on 2011-06-14, you'll note that i suggested the same thing:

on 2011-06-14, in Message-ID: <4DF7F072.7090606 at fifthhorseman.net>, dkg
wrote:
>> If you want to avoid snooping as well as spoofing, you could transmit a
>> session nonce within the QR code, and broadcast the key encrypted with
>> the session nonce.

However, I don't think this absolves the handshake of the need to
transmit the public key fingerprint in *addition* to the ephemeral AES
key (which i called more generically the "session nonce") in the QRCode.
  Getting the fingerprint via a non-spoofable channel (the line-of-sight
QRcode) is a critical double-check that the information received via
spoofable means (wifi, bluetooth, etc) is actually the data from the
intended sender.

for a concrete example:  let's say Alice shows Bob a QRCode which just
contains the ephemeral AES key.  If Mallory can sneak a peek at the
QRCode, she can broadcast (via the same means as Alice) any arbitrary
information, encrypted with that same session key.

But if Alice's QRCode shows both a session key and her fingerprint, then
any faulty information provided by Mallory will be flagged immediately
by Bob's client as invalid, because the fingerprint does not match.  In
this case, Mallory can still snoop on the transaction (because she
caught a glimpse of the QRCode) but she can't reliably inject malicious
content;  Bob's client is protected from malicious content because it
discards anything that does not match the message digest (the fingerprint).

Regards,

	--dkg
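
The double-check described in the message above, as an added sketch that is not part of the original e-mail or of any FreedomBox code. Assumptions: the fingerprint is modelled as a SHA-256 digest of constructed key bytes (real OpenPGP fingerprints are computed differently), an HMAC tag stands in for AES encryption under the session key (it only models "sender holds the session key"), and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def fingerprint(public_key: bytes) -> str:
    # Stand-in digest (assumption); not the OpenPGP fingerprint algorithm.
    return hashlib.sha256(public_key).hexdigest()

def make_qr_payload(session_key: bytes, public_key: bytes, with_fpr: bool) -> dict:
    # What Alice shows on screen: the line-of-sight, non-spoofable channel.
    payload = {"session_key": session_key}
    if with_fpr:
        payload["fingerprint"] = fingerprint(public_key)
    return payload

def broadcast(session_key: bytes, public_key: bytes) -> dict:
    # Sent over wifi/bluetooth: anyone holding session_key can produce this.
    tag = hmac.new(session_key, public_key, hashlib.sha256).digest()
    return {"public_key": public_key, "tag": tag}

def bob_accepts(qr: dict, msg: dict) -> bool:
    # Step 1: the sender must know the session key from the QR code.
    expected = hmac.new(qr["session_key"], msg["public_key"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False
    # Step 2: if the QR code carried a fingerprint, the received key must match it.
    if "fingerprint" in qr:
        return hmac.compare_digest(qr["fingerprint"], fingerprint(msg["public_key"]))
    return True  # key-only QR code: nothing ties the data to Alice

def run_scenario(with_fpr: bool) -> tuple:
    alice_pk = b"constructed: Alice public key"      # constructed sample data
    mallory_pk = b"constructed: Mallory public key"  # constructed sample data
    session_key = secrets.token_bytes(32)  # ephemeral 256-bit key
    qr = make_qr_payload(session_key, alice_pk, with_fpr)
    # Mallory glimpsed the QR code, so she holds the same session key.
    from_alice = bob_accepts(qr, broadcast(session_key, alice_pk))
    from_mallory = bob_accepts(qr, broadcast(session_key, mallory_pk))
    return from_alice, from_mallory

if __name__ == "__main__":
    print("key-only QR       (alice, mallory):", run_scenario(False))
    print("key + fingerprint (alice, mallory):", run_scenario(True))
```
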
