Hi,
CONIKS seems to be a very useful system. Just curious: do Tor messenger users need to hand out their real identities (facebook account, twitter account, etc.) to CONIKS servers? If so it seems dangerous to put all the identities in a centralized service. If the CONIKS servers have been compromised, will the attacker be able to figure out the social networking profiles of Tor messenger users?
Thanks!
Hi there,
I don't know about much about the concrete plans for the Tor Messenger and CONIKS but I'm quite familiar with the original CONIKS design. First of all: I’m sure no one would force you to give your "real" identity, you could for instance use large identity provider which is rather difficult to compromise, at least for non-state actors (for example gmail and the pseudonym simplesmtptest123 ;-). Maybe, for the Tor messenger integration there will be/people might choose some other identity providers (with a stronger focus on privacy and more freedom to choose pseudonyms instead of real names).
If an identity provider (one of the several "CONIKS servers") is compromised, the attacker is able to read the provider's local directory (containing public key of already registered providers), he would basically see a more or less ‘randomly' looking Merkle tree. Theoretically, the attacker would still need to know all the user real-names beforehand to (for instance) query for their public keys. (This is achieved using the following "crypto-tricks": identities are stored at a private “index" in the tree; computed using a verifiable unpredictable function from a cryptographic commitment/hash of the username instead from the username itself). Of course one would also need to make sure that the stored public-key material (in the leaf-nodes) is pruned from user identifying data (like an identity in GPG); otherwise the attacker could guess the identities from that information. Also, in general, the attacker won’t be able to see that you used Tor Messenger from the mere fact that you use a certain identity provider, even if he still could recompute your user-name from the directory.
Hope that helps? Ismail
On 19 Apr 2016, at 21:28, Go simplesmtptest123@gmail.com wrote:
Hi,
CONIKS seems to be a very useful system. Just curious: do Tor messenger users need to hand out their real identities (facebook account, twitter account, etc.) to CONIKS servers? If so it seems dangerous to put all the identities in a centralized service. If the CONIKS servers have been compromised, will the attacker be able to figure out the social networking profiles of Tor messenger users?
Thanks! _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Hi,
Thanks for you quick reply. I still have few questions:
1. If one CONIKS server has been compromised, and I happen to register to this server; I guess the server can see my username in this case, right? 2. I found the ticket https://trac.torproject.org/projects/tor/ticket/17961. The answer for the second question says "We can ask for a proof of ownership of the name...". So when do CONIKS need to do proof of account ownership? Could please anyone give me some concrete scenarios? My concern is that in order to do proof of ownership, we have to hand out the real accounts to CONIKS.
Sorry for being paranoid.
Thanks!
On Tue, Apr 19, 2016 at 4:57 PM, Ismail Khoffi ismail.khoffi@gmail.com wrote:
Hi there,
I don't know about much about the concrete plans for the Tor Messenger and CONIKS but I'm quite familiar with the original CONIKS design. First of all: I’m sure no one would force you to give your "real" identity, you could for instance use large identity provider which is rather difficult to compromise, at least for non-state actors (for example gmail and the pseudonym simplesmtptest123 ;-). Maybe, for the Tor messenger integration there will be/people might choose some other identity providers (with a stronger focus on privacy and more freedom to choose pseudonyms instead of real names).
If an identity provider (one of the several "CONIKS servers") is compromised, the attacker is able to read the provider's local directory (containing public key of already registered providers), he would basically see a more or less ‘randomly' looking Merkle tree. Theoretically, the attacker would still need to know all the user real-names beforehand to (for instance) query for their public keys. (This is achieved using the following "crypto-tricks": identities are stored at a private “index" in the tree; computed using a verifiable unpredictable function from a cryptographic commitment/hash of the username instead from the username itself). Of course one would also need to make sure that the stored public-key material (in the leaf-nodes) is pruned from user identifying data (like an identity in GPG); otherwise the attacker could guess the identities from that information. Also, in general, the attacker won’t be able to see that you used Tor Messenger from the mere fact that you use a certain identity provider, even if he still could recompute your user-name from the directory.
Hope that helps? Ismail
On 19 Apr 2016, at 21:28, Go simplesmtptest123@gmail.com wrote:
Hi,
CONIKS seems to be a very useful system. Just curious: do Tor messenger users need to hand out their real identities (facebook account, twitter account, etc.) to CONIKS servers? If so it seems dangerous to put all the identities in a centralized service. If the CONIKS servers have been compromised, will the attacker be able to figure out the social networking profiles of Tor messenger users?
Thanks! _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Hi,
I think Ismail was trying to answer your first question when he described the private indices in the CONIKS key directories. What these private indices do, in other words, is obfuscate the usernames in the directory, so an attacker who breaks into the server cannot see the usernames registered at the compromised key server.
As for your second question, we haven't fully fleshed out the mechanism you found. But if you want to use Tor Messenger for your Twitter account, you will have to register your legitimate Twitter name with the key server. Our idea is that you will receive some kind of email with a confirmation link to prove that you own the Twitter account. This, by no means, means that Tor Messenger now has access to your full account. But Tor Messenger does need to confirm that you own the Twitter name you're registering to prevent an attacker from trying to impersonate you.
It's also important to note that CONIKS uses additional crypto mechanisms to ensure that all data (including the public keys) associated with names registered with CONIKS key servers isn't stored in plain.
I hope this helps! Best, Marcela
On Apr 20, 2016, at 14:28, Go simplesmtptest123@gmail.com wrote:
Hi,
Thanks for you quick reply. I still have few questions:
- If one CONIKS server has been compromised, and I happen to register to this server; I guess the server can see my username in this case, right?
- I found the ticket https://trac.torproject.org/projects/tor/ticket/17961. The answer for the second question says "We can ask for a proof of ownership of the name...". So when do CONIKS need to do proof of account ownership? Could please anyone give me some concrete scenarios? My concern is that in order to do proof of ownership, we have to hand out the real accounts to CONIKS.
Sorry for being paranoid.
Thanks!
On Tue, Apr 19, 2016 at 4:57 PM, Ismail Khoffi ismail.khoffi@gmail.com wrote: Hi there,
I don't know about much about the concrete plans for the Tor Messenger and CONIKS but I'm quite familiar with the original CONIKS design. First of all: I’m sure no one would force you to give your "real" identity, you could for instance use large identity provider which is rather difficult to compromise, at least for non-state actors (for example gmail and the pseudonym simplesmtptest123 ;-). Maybe, for the Tor messenger integration there will be/people might choose some other identity providers (with a stronger focus on privacy and more freedom to choose pseudonyms instead of real names).
If an identity provider (one of the several "CONIKS servers") is compromised, the attacker is able to read the provider's local directory (containing public key of already registered providers), he would basically see a more or less ‘randomly' looking Merkle tree. Theoretically, the attacker would still need to know all the user real-names beforehand to (for instance) query for their public keys. (This is achieved using the following "crypto-tricks": identities are stored at a private “index" in the tree; computed using a verifiable unpredictable function from a cryptographic commitment/hash of the username instead from the username itself). Of course one would also need to make sure that the stored public-key material (in the leaf-nodes) is pruned from user identifying data (like an identity in GPG); otherwise the attacker could guess the identities from that information. Also, in general, the attacker won’t be able to see that you used Tor Messenger from the mere fact that you use a certain identity provider, even if he still could recompute your user-name from the directory.
Hope that helps? Ismail
On 19 Apr 2016, at 21:28, Go simplesmtptest123@gmail.com wrote:
Hi,
CONIKS seems to be a very useful system. Just curious: do Tor messenger users need to hand out their real identities (facebook account, twitter account, etc.) to CONIKS servers? If so it seems dangerous to put all the identities in a centralized service. If the CONIKS servers have been compromised, will the attacker be able to figure out the social networking profiles of Tor messenger users?
Thanks! _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Hi,
For the first question: I understand that the private indices obfuscate the usernames. But when computing an index i for a username u, the CONIKS server will see u in plaintext rather than hashed or encrypted results of u (correct me if I'm wrong). In this case, a CONIKS server controlled by an attacker will be able to collect the usernames of new registered users, right?
Thanks!
On Wed, Apr 20, 2016 at 2:53 PM, Marcela S. Melara melara@cs.princeton.edu wrote:
Hi,
I think Ismail was trying to answer your first question when he described the private indices in the CONIKS key directories. What these private indices do, in other words, is obfuscate the usernames in the directory, so an attacker who breaks into the server cannot see the usernames registered at the compromised key server.
As for your second question, we haven't fully fleshed out the mechanism you found. But if you want to use Tor Messenger for your Twitter account, you will have to register your legitimate Twitter name with the key server. Our idea is that you will receive some kind of email with a confirmation link to prove that you own the Twitter account. This, by no means, means that Tor Messenger now has access to your full account. But Tor Messenger does need to confirm that you own the Twitter name you're registering to prevent an attacker from trying to impersonate you.
It's also important to note that CONIKS uses additional crypto mechanisms to ensure that all data (including the public keys) associated with names registered with CONIKS key servers isn't stored in plain.
I hope this helps! Best, Marcela
On Apr 20, 2016, at 14:28, Go simplesmtptest123@gmail.com wrote:
Hi,
Thanks for you quick reply. I still have few questions:
- If one CONIKS server has been compromised, and I happen to register to
this server; I guess the server can see my username in this case, right? 2. I found the ticket https://trac.torproject.org/projects/tor/ticket/17961. The answer for the second question says "We can ask for a proof of ownership of the name...". So when do CONIKS need to do proof of account ownership? Could please anyone give me some concrete scenarios? My concern is that in order to do proof of ownership, we have to hand out the real accounts to CONIKS.
Sorry for being paranoid.
Thanks!
On Tue, Apr 19, 2016 at 4:57 PM, Ismail Khoffi ismail.khoffi@gmail.com wrote:
Hi there,
I don't know about much about the concrete plans for the Tor Messenger and CONIKS but I'm quite familiar with the original CONIKS design. First of all: I’m sure no one would force you to give your "real" identity, you could for instance use large identity provider which is rather difficult to compromise, at least for non-state actors (for example gmail and the pseudonym simplesmtptest123 ;-). Maybe, for the Tor messenger integration there will be/people might choose some other identity providers (with a stronger focus on privacy and more freedom to choose pseudonyms instead of real names).
If an identity provider (one of the several "CONIKS servers") is compromised, the attacker is able to read the provider's local directory (containing public key of already registered providers), he would basically see a more or less ‘randomly' looking Merkle tree. Theoretically, the attacker would still need to know all the user real-names beforehand to (for instance) query for their public keys. (This is achieved using the following "crypto-tricks": identities are stored at a private “index" in the tree; computed using a verifiable unpredictable function from a cryptographic commitment/hash of the username instead from the username itself). Of course one would also need to make sure that the stored public-key material (in the leaf-nodes) is pruned from user identifying data (like an identity in GPG); otherwise the attacker could guess the identities from that information. Also, in general, the attacker won’t be able to see that you used Tor Messenger from the mere fact that you use a certain identity provider, even if he still could recompute your user-name from the directory.
Hope that helps? Ismail
On 19 Apr 2016, at 21:28, Go simplesmtptest123@gmail.com wrote:
Hi,
CONIKS seems to be a very useful system. Just curious: do Tor messenger users need to hand out their real identities (facebook account, twitter account, etc.) to CONIKS servers? If so it seems dangerous to put all the identities in a centralized service. If the CONIKS servers have been compromised, will the attacker be able to figure out the social networking profiles of Tor messenger users?
Thanks! _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Hi,
You're right, the way CONIKS is designed right now, the private indices are computed over the plaintext username, so it would be possible for a malicious server to collect newly registered usernames. But there's been some preliminary work on private mappings, in which the username is sent encrypted to the key server, and only whitelisted users can view the actual username (see CONIKS 2.0 report, section 5: https://coniks.cs.princeton.edu/static/Rochlin_Michael.pdf). This mechanism hasn't been fully developed yet, but it's an additional feature that could be built as part of Tor Messenger.
Best, Marcela
----- Original Message ----- | From: "Go" simplesmtptest123@gmail.com | To: tor-dev@lists.torproject.org | Sent: Wednesday, April 20, 2016 3:28:06 PM | Subject: Re: [tor-dev] Questions about "Tor Messenger CONIKS integration"
| Hi, | | For the first question: I understand that the private indices obfuscate the | usernames. But when computing an index i for a username u, the CONIKS server | will see u in plaintext rather than hashed or encrypted results of u (correct | me if I'm wrong). In this case, a CONIKS server controlled by an attacker will | be able to collect the usernames of new registered users, right? | | Thanks! | | On Wed, Apr 20, 2016 at 2:53 PM, Marcela S. Melara < melara@cs.princeton.edu > | wrote: | | | | Hi, | | I think Ismail was trying to answer your first question when he described the | private indices in the CONIKS key directories. What these private indices do, | in other words, is obfuscate the usernames in the directory, so an attacker who | breaks into the server cannot see the usernames registered at the compromised | key server. | | As for your second question, we haven't fully fleshed out the mechanism you | found. But if you want to use Tor Messenger for your Twitter account, you will | have to register your legitimate Twitter name with the key server. Our idea is | that you will receive some kind of email with a confirmation link to prove that | you own the Twitter account. This, by no means, means that Tor Messenger now | has access to your full account. But Tor Messenger does need to confirm that | you own the Twitter name you're registering to prevent an attacker from trying | to impersonate you. | | It's also important to note that CONIKS uses additional crypto mechanisms to | ensure that all data (including the public keys) associated with names | registered with CONIKS key servers isn't stored in plain. | | I hope this helps! | Best, | Marcela | | On Apr 20, 2016, at 14:28, Go < simplesmtptest123@gmail.com > wrote: | | | | | Hi, | | Thanks for you quick reply. I still have few questions: | | 1. If one CONIKS server has been compromised, and I happen to register to this | server; I guess the server can see my username in this case, right? | 2. I found the ticket https://trac.torproject.org/projects/tor/ticket/17961 . | The answer for the second question says "We can ask for a proof of ownership of | the name...". So when do CONIKS need to do proof of account ownership? Could | please anyone give me some concrete scenarios? My concern is that in order to | do proof of ownership, we have to hand out the real accounts to CONIKS. | | Sorry for being paranoid. | | Thanks! | | On Tue, Apr 19, 2016 at 4:57 PM, Ismail Khoffi < ismail.khoffi@gmail.com > | wrote: | | | | Hi there, | | I don't know about much about the concrete plans for the Tor Messenger and | CONIKS but I'm quite familiar with the original CONIKS design. First of all: | I’m sure no one would force you to give your "real" identity, you could for | instance use large identity provider which is rather difficult to compromise, | at least for non-state actors (for example gmail and the pseudonym | simplesmtptest123 ;-). Maybe, for the Tor messenger integration there will | be/people might choose some other identity providers (with a stronger focus on | privacy and more freedom to choose pseudonyms instead of real names). | | If an identity provider (one of the several "CONIKS servers") is compromised, | the attacker is able to read the provider's local directory (containing public | key of already registered providers), he would basically see a more or less | ‘randomly' looking Merkle tree. Theoretically, the attacker would still need to | know all the user real-names beforehand to (for instance) query for their | public keys. (This is achieved using the following "crypto-tricks": identities | are stored at a private “index" in the tree; computed using a verifiable | unpredictable function from a cryptographic commitment/hash of the username | instead from the username itself). Of course one would also need to make sure | that the stored public-key material (in the leaf-nodes) is pruned from user | identifying data (like an identity in GPG); otherwise the attacker could guess | the identities from that information. | Also, in general, the attacker won’t be able to see that you used Tor Messenger | from the mere fact that you use a certain identity provider, even if he still | could recompute your user-name from the directory. | | Hope that helps? | Ismail | | | | | | On 19 Apr 2016, at 21:28, Go < simplesmtptest123@gmail.com > wrote: | | Hi, | | CONIKS seems to be a very useful system. Just curious: do Tor messenger users | need to hand out their real identities (facebook account, twitter account, | etc.) to CONIKS servers? If so it seems dangerous to put all the identities in | a centralized service. If the CONIKS servers have been compromised, will the | attacker be able to figure out the social networking profiles of Tor messenger | users? | | | Thanks! | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | | | | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
I see, thanks a lot!
On Wed, Apr 20, 2016 at 5:19 PM, Marcela S. Melara melara@cs.princeton.edu wrote:
Hi,
You're right, the way CONIKS is designed right now, the private indices are computed over the plaintext username, so it would be possible for a malicious server to collect newly registered usernames. But there's been some preliminary work on private mappings, in which the username is sent encrypted to the key server, and only whitelisted users can view the actual username (see CONIKS 2.0 report, section 5: https://coniks.cs.princeton.edu/static/Rochlin_Michael.pdf). This mechanism hasn't been fully developed yet, but it's an additional feature that could be built as part of Tor Messenger.
Best, Marcela
----- Original Message ----- | From: "Go" simplesmtptest123@gmail.com | To: tor-dev@lists.torproject.org | Sent: Wednesday, April 20, 2016 3:28:06 PM | Subject: Re: [tor-dev] Questions about "Tor Messenger CONIKS integration"
| Hi, | | For the first question: I understand that the private indices obfuscate the | usernames. But when computing an index i for a username u, the CONIKS server | will see u in plaintext rather than hashed or encrypted results of u (correct | me if I'm wrong). In this case, a CONIKS server controlled by an attacker will | be able to collect the usernames of new registered users, right? | | Thanks! | | On Wed, Apr 20, 2016 at 2:53 PM, Marcela S. Melara < melara@cs.princeton.edu > | wrote: | | | | Hi, | | I think Ismail was trying to answer your first question when he described the | private indices in the CONIKS key directories. What these private indices do, | in other words, is obfuscate the usernames in the directory, so an attacker who | breaks into the server cannot see the usernames registered at the compromised | key server. | | As for your second question, we haven't fully fleshed out the mechanism you | found. But if you want to use Tor Messenger for your Twitter account, you will | have to register your legitimate Twitter name with the key server. Our idea is | that you will receive some kind of email with a confirmation link to prove that | you own the Twitter account. This, by no means, means that Tor Messenger now | has access to your full account. But Tor Messenger does need to confirm that | you own the Twitter name you're registering to prevent an attacker from trying | to impersonate you. | | It's also important to note that CONIKS uses additional crypto mechanisms to | ensure that all data (including the public keys) associated with names | registered with CONIKS key servers isn't stored in plain. | | I hope this helps! | Best, | Marcela | | On Apr 20, 2016, at 14:28, Go < simplesmtptest123@gmail.com > wrote: | | | | | Hi, | | Thanks for you quick reply. I still have few questions: | | 1. If one CONIKS server has been compromised, and I happen to register to this | server; I guess the server can see my username in this case, right? | 2. I found the ticket https://trac.torproject.org/projects/tor/ticket/17961 . | The answer for the second question says "We can ask for a proof of ownership of | the name...". So when do CONIKS need to do proof of account ownership? Could | please anyone give me some concrete scenarios? My concern is that in order to | do proof of ownership, we have to hand out the real accounts to CONIKS. | | Sorry for being paranoid. | | Thanks! | | On Tue, Apr 19, 2016 at 4:57 PM, Ismail Khoffi < ismail.khoffi@gmail.com
| wrote: | | | | Hi there, | | I don't know about much about the concrete plans for the Tor Messenger and | CONIKS but I'm quite familiar with the original CONIKS design. First of all: | I’m sure no one would force you to give your "real" identity, you could for | instance use large identity provider which is rather difficult to compromise, | at least for non-state actors (for example gmail and the pseudonym | simplesmtptest123 ;-). Maybe, for the Tor messenger integration there will | be/people might choose some other identity providers (with a stronger focus on | privacy and more freedom to choose pseudonyms instead of real names). | | If an identity provider (one of the several "CONIKS servers") is compromised, | the attacker is able to read the provider's local directory (containing public | key of already registered providers), he would basically see a more or less | ‘randomly' looking Merkle tree. Theoretically, the attacker would still need to | know all the user real-names beforehand to (for instance) query for their | public keys. (This is achieved using the following "crypto-tricks": identities | are stored at a private “index" in the tree; computed using a verifiable | unpredictable function from a cryptographic commitment/hash of the username | instead from the username itself). Of course one would also need to make sure | that the stored public-key material (in the leaf-nodes) is pruned from user | identifying data (like an identity in GPG); otherwise the attacker could guess | the identities from that information. | Also, in general, the attacker won’t be able to see that you used Tor Messenger | from the mere fact that you use a certain identity provider, even if he still | could recompute your user-name from the directory. | | Hope that helps? | Ismail | | | | | | On 19 Apr 2016, at 21:28, Go < simplesmtptest123@gmail.com > wrote: | | Hi, | | CONIKS seems to be a very useful system. Just curious: do Tor messenger users | need to hand out their real identities (facebook account, twitter account, | etc.) to CONIKS servers? If so it seems dangerous to put all the identities in | a centralized service. If the CONIKS servers have been compromised, will the | attacker be able to figure out the social networking profiles of Tor messenger | users? | | | Thanks! | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | | | | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev | | | | _______________________________________________ | tor-dev mailing list | tor-dev@lists.torproject.org | https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev