From: tcmay@netcom.com (Timothy C. May)
Date: Sat, 14 May 94 14:02:08 PDT
To: hfinney@shell.portal.com (Hal)
Subject: Message Havens, Pools, and Usenet
In-Reply-To: <199405141940.MAA21337@jobe.shell.portal.com>
Message-ID: <199405142101.OAA21966@netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


> 
> Would it have to be public knowledge which message havens a given
> pseudonym monitors?  Suppose I want to get mail to Pr0duct Cypher; don't
> I have to know which haven(s) to use?  If we have only a (few?) hundred
> people on each haven then this narrows down the pool of possible real
> user who are behind that pseudonym considerably.
> 
> Hal

I must be missing something in this recent debate about "message
havens" and "gopherholes." 

To wit, what happened to the idea of posting anonymously to
newsgroups? This is how folks apparently communicated with BlackNet,
and it worked (I ought to know). Granted, BlackNet was a small
experiment, and message traffic was slight; scaling issues need to
eventually be considered, but we're very far from that now.

Some points:

* Posting to a newsgroups allows piggy-backing on two things:

1. The world-wide distribution (in most cases) of newsgroups. The
newsgroups are distributed to zillions of local sites, making
attempted analysis of who is checking for messages all the more
difficult.

2. Piggy-backing of use of newsreaders. That is, I can use "tin" or
whatever to scan alt.w.a.s.t.e or alt.test.gif.ignore for reasonable
candidates (more on identifying these below). I can mark some number
of them (the ones I really want plus some number of others) for
forwarding/downloading/whatever to me. All with existing systems.

* How do I know which messages are for me?

1. Maintain the subject line. Not through all remailers, natch.
Suggestion: add a field below the "Request-Remailing-To:" line, like
so:

::
Request-Remailing-To: foo@bar.baz
Subject: BlackNet--please read

Naturally this would be in the last, innermost encrypted message. None
of the earlier remailers could see it. Only the mail-to-Netnews
remailer would see it.

(A variation: If a Subject line _ever_ is nonblank, it is maintained
across remailers. Then the sender can "instantiate" the subject line
at whatever stage he wishes and later remailers will "honor" that
subject line. Yes, the usual possibilities for abuse, mistrust, etc.)

2. Alternatively, consider a two-part message format: header and body.
As Karl, Hal, and others have discussed, a short header (<1K) is still
secure but can be decrypted in reasonable time.

(This is analogous to the "frame bits," or whatever, that are used to
signal the beginning of a message in spread spectrum messages. I don't
recollect the exact name of these header bits, but Phil Karn surely will.)

Using message pools with existing newsreaders, one can go through all
the messages and decrypt the headers. Instead of marking them "read,"
they essentially get marked as "tried." (For various reasons, I'd
recommend calling them "read"--and of course piggybacking on the
existing newsreaders.)

A two-part PGP format would not be inconceivable. Many messages have
multiple parts. (And the Mac uses a "data fork" and "resource fork"
format.)

And I am unclear on this idea, but it seems plausible that a shortened
form of the key agreed upon (the recipient's key) could be used as the
title, or the first part of the title. Like the shortened keys
("fingerprints") on business cards and in sigs.

(This needs more work, and I may not have explained it here in enough
detail. An example may help. Alice wants to communicate with Bob,
whose public key she knows (a public key probably generated just for
this set of transactions, of course). Its fingerprint is "6h 34 sO 9h
31 gX 3D ....." Alice replies to the pool, and included just the first
few digits, or up to half or so. This is enough for Bob to immediately
see which messages are probably his (small chance of hash collision),
but not enough for others to know his public key (which actually isn't
"public" in the conventional sense of being broadcast, though it may
be) and thus send their own spoofing messages.)

3. Brute-force. Simply download _all_ messages in a pool and attempt
decryption. This may be nearly as fast--and is certainly more
straightforward--as the header/body approach. Download the messages
and tell your computer to try each one...then walk away and have
lunch. Or let it run overnight for truly large batches. 

Until pool usage gets much larger than it is today, no big deal.

And if and when pool usage grows, multiple news groups or pools can be
used to increase the "address space." (When the original contact is
made, even between anonymous-to-each-other respondents, a "pointer" to
another message pool can be made. For example, "Thanks, Unicorn, for
responding. Let's continue this in alt.test.images with the subject
line of "Just testing this thing--ignore.")

4. Is this bad "Net Citizenship" to use the Usenet this way?

Consider that a single jpeg file in alt.sex.pictures may be 5000
lines, and there are many such picture groups, and you'll immediately
see that all of the message pool text traffic we could reasonably
write in the next 3 years would fit into a couple dozen of these
files! (Well, work out the numbers to your own satisfaction--the
average Cypherpunks post is 100 lines or so.)

5. I do think the WWW/Mosaic/ftp/lynx approach has merit....and the
same points as above apply:

- have subject lines, added in only after several remailings have
occurred

- use a header/body format to allow rapid decryption

- possbibly display part or all of the PGP fingerprint, to allow the
recipient to see which messages are "his." (I maintain that the public
pool/newsreader approach allows for full security; the security comes
from the anonymous pick-up of messages, via wide distribution and/or
"superset pickup" (your own message plus N others, where N is large or
is _all_ messages). Security should not depend on obscurity.)

In summary, message pools represent almost no drain on the Usenet or
on WWW/Mosaic-type systems. Hence, we should use those systems and
piggyback off them whenever possible.


--Tim May

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."