[tor-dev] Questions about "Tor Messenger CONIKS integration"

Anonymous wang.research.mailing.list at gmail.com
Thu Apr 21 16:44:25 UTC 2016


I see, thanks a lot!

On Wed, Apr 20, 2016 at 5:19 PM, Marcela S. Melara <melara at cs.princeton.edu>
wrote:

> Hi,
>
> You're right, the way CONIKS is designed right now, the private indices
> are computed over the plaintext username, so it would be possible for a
> malicious server to collect newly registered usernames. But there's been
> some preliminary work on private mappings, in which the username is sent
> encrypted to the key server, and only whitelisted users can view the actual
> username (see CONIKS 2.0 report, section 5:
> https://coniks.cs.princeton.edu/static/Rochlin_Michael.pdf). This
> mechanism hasn't been fully developed yet, but it's an additional feature
> that could be built as part of Tor Messenger.
>
> Best,
> Marcela
>
> ----- Original Message -----
> | From: "Go" <simplesmtptest123 at gmail.com>
> | To: tor-dev at lists.torproject.org
> | Sent: Wednesday, April 20, 2016 3:28:06 PM
> | Subject: Re: [tor-dev] Questions about "Tor Messenger CONIKS integration"
>
> | Hi,
> |
> | For the first question: I understand that the private indices obfuscate the
> | usernames. But when computing an index i for a username u, the CONIKS server
> | will see u in plaintext rather than hashed or encrypted results of u (correct
> | me if I'm wrong). In this case, a CONIKS server controlled by an attacker will
> | be able to collect the usernames of newly registered users, right?
> |
> | Thanks!
> |
> | On Wed, Apr 20, 2016 at 2:53 PM, Marcela S. Melara < melara at cs.princeton.edu >
> | wrote:
> |
> | Hi,
> |
> | I think Ismail was trying to answer your first question when he described the
> | private indices in the CONIKS key directories. What these private indices do,
> | in other words, is obfuscate the usernames in the directory, so an attacker who
> | breaks into the server cannot see the usernames registered at the compromised
> | key server.
> |
> | As for your second question, we haven't fully fleshed out the mechanism you
> | found. But if you want to use Tor Messenger for your Twitter account, you will
> | have to register your legitimate Twitter name with the key server. Our idea is
> | that you will receive some kind of email with a confirmation link to prove that
> | you own the Twitter account. This, by no means, means that Tor Messenger now
> | has access to your full account. But Tor Messenger does need to confirm that
> | you own the Twitter name you're registering to prevent an attacker from trying
> | to impersonate you.
> |
> | It's also important to note that CONIKS uses additional crypto mechanisms to
> | ensure that all data (including the public keys) associated with names
> | registered with CONIKS key servers isn't stored in plain.
> |
> | I hope this helps!
> | Best,
> | Marcela
> |
> | On Apr 20, 2016, at 14:28, Go < simplesmtptest123 at gmail.com > wrote:
> |
> | Hi,
> |
> | Thanks for your quick reply. I still have a few questions:
> |
> | 1. If one CONIKS server has been compromised, and I happen to register to this
> | server; I guess the server can see my username in this case, right?
> | 2. I found the ticket https://trac.torproject.org/projects/tor/ticket/17961 .
> | The answer for the second question says "We can ask for a proof of ownership of
> | the name...". So when does CONIKS need to do proof of account ownership? Could
> | anyone please give me some concrete scenarios? My concern is that in order to
> | do proof of ownership, we have to hand out the real accounts to CONIKS.
> |
> | Sorry for being paranoid.
> |
> | Thanks!
> |
> | On Tue, Apr 19, 2016 at 4:57 PM, Ismail Khoffi < ismail.khoffi at gmail.com >
> | wrote:
> |
> | Hi there,
> |
> | I don't know much about the concrete plans for the Tor Messenger and
> | CONIKS but I'm quite familiar with the original CONIKS design. First of all:
> | I'm sure no one would force you to give your "real" identity, you could for
> | instance use a large identity provider which is rather difficult to compromise,
> | at least for non-state actors (for example gmail and the pseudonym
> | simplesmtptest123 ;-). Maybe, for the Tor Messenger integration there will
> | be/people might choose some other identity providers (with a stronger focus on
> | privacy and more freedom to choose pseudonyms instead of real names).
> |
> | If an identity provider (one of the several "CONIKS servers") is compromised,
> | the attacker is able to read the provider's local directory (containing public
> | key of already registered providers); he would basically see a more or less
> | 'randomly' looking Merkle tree. Theoretically, the attacker would still need to
> | know all the users' real names beforehand to (for instance) query for their
> | public keys. (This is achieved using the following "crypto-tricks": identities
> | are stored at a private "index" in the tree; computed using a verifiable
> | unpredictable function from a cryptographic commitment/hash of the username
> | instead of from the username itself). Of course one would also need to make sure
> | that the stored public-key material (in the leaf-nodes) is pruned from user
> | identifying data (like an identity in GPG); otherwise the attacker could guess
> | the identities from that information.
> | Also, in general, the attacker won't be able to see that you used Tor Messenger
> | from the mere fact that you use a certain identity provider, even if he still
> | could recompute your user-name from the directory.
> |
> | Hope that helps?
> | Ismail
> |
> | On 19 Apr 2016, at 21:28, Go < simplesmtptest123 at gmail.com > wrote:
> |
> | Hi,
> |
> | CONIKS seems to be a very useful system. Just curious: do Tor Messenger users
> | need to hand out their real identities (Facebook account, Twitter account,
> | etc.) to CONIKS servers? If so it seems dangerous to put all the identities in
> | a centralized service. If the CONIKS servers have been compromised, will the
> | attacker be able to figure out the social networking profiles of Tor Messenger
> | users?
> |
> |
> | Thanks!
> | _______________________________________________
> | tor-dev mailing list
> | tor-dev at lists.torproject.org
> | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
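
Added example, not part of the original thread and not CONIKS or Tor Messenger code: a toy key server that contrasts what a copy of the directory exposes with what the running server handles when the index is computed over the plaintext username. HMAC-SHA256 stands in for the verifiable unpredictable function (an assumption; it is keyed and deterministic but not verifiable), and the class, function names, username and fingerprint are constructed for illustration.

```python
import hashlib
import hmac

def private_index(server_key: bytes, username: str) -> str:
    # Stand-in for the VUF: deterministic, and unpredictable without the key.
    return hmac.new(server_key, username.encode("utf-8"), hashlib.sha256).hexdigest()

class ToyKeyServer:
    """Toy directory (index -> key fingerprint); no Merkle tree or commitments."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self.directory = {}             # what a copy of the directory exposes
        self.seen_at_registration = []  # what the running server handles

    def register(self, username: str, key_fingerprint: str) -> str:
        # The index is computed over the plaintext name, so the name has to
        # pass through the server here; a malicious server can record it.
        self.seen_at_registration.append(username)
        idx = private_index(self._key, username)
        self.directory[idx] = key_fingerprint
        return idx

    def lookup(self, username: str):
        return self.directory.get(private_index(self._key, username))

def names_visible_in_copy(directory: dict, candidates: list) -> list:
    # A directory copy alone holds only hex indices and fingerprints.
    blob = " ".join(list(directory) + list(directory.values()))
    return [name for name in candidates if name in blob]

def names_confirmable_with_key(directory: dict, server_key: bytes, candidates: list) -> list:
    # Whoever also holds the key can test names they already know or guess.
    return [n for n in candidates if private_index(server_key, n) in directory]

if __name__ == "__main__":
    key = b"constructed-demo-key-not-secret!"   # constructed sample key
    server = ToyKeyServer(key)
    server.register("alice@example.org", "3f9a52c1")  # constructed sample data
    guesses = ["alice@example.org", "bob@example.org"]
    print("in directory copy:", names_visible_in_copy(server.directory, guesses))
    print("seen at registration:", server.seen_at_registration)
    print("confirmable with key:", names_confirmable_with_key(server.directory, key, guesses))
```

The private-mapping idea mentioned in the top reply would change the `register` step so the server no longer receives the plaintext name; that mechanism is not modelled here.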