Re: [Bitcoin-development] Proposal for P2P Wireless (Bluetooth LE) transfer of Payment URI

[Eric Voskuil <eric@voskuil.org>]

[-- Attachment #1: Type: text/plain, Size: 3940 bytes --]


On 02/05/2015 04:04 PM, MⒶrtin HⒶboⓋštiak wrote:
> That's exactly what I though when seeing the RedPhone code, but after
> I studied the commit protocol I realized it's actually secure and
> convenient way to do it. You should do that too. :)

I was analyzing the model as you described it to me. A formal analysis
of the security model of a particular implementation, based on inference
from source code, is a bit beyond what I signed up for. But I'm
perfectly willing to comment on your description of the model if you are
willing to indulge me.

> Shortly, how it works:
> The initiator of the connection sends commit message containing the
> hash of his temporary public ECDH part, second party sends back their
> public ECDH part and then initiator sends his public ECDH part in
> open. All three messages are hashed together and the first two bytes
> are used to select two words from a shared dictionary which are
> displayed on the screen of both the initiator and the second party.

> The parties communicate those two words and verify they match.

How do they compare words if they haven't yet established a secure channel?

> If an attacker wants to do MITM, he has a chance of choosing right
> public parts 1:65536. There is no way to brute-force it, since that
> would be noticed immediately. If instead of two words based on the
> first two bytes, four words from BIP39 wordlist were chosen, it would
> provide entropy of 44 bits which I believe should be enough even for
> paranoid people.
> 
> How this would work in Bitcoin payment scenario: user's phone
> broadcasts his name, merchant inputs amount and selects the name from
> the list, commit message is sent (and then the remaining two
> messages), merchant spells four words he sees on the screen and buyer
> confirms transaction after verifying that words match.

So the assumption is that there exists a secure (as in proximity-based)
communication channel?

e

> 2015-02-06 0:46 GMT+01:00 Eric Voskuil <eric@voskuil.org>:
>> On 02/05/2015 03:36 PM, MⒶrtin HⒶboⓋštiak wrote:
>>>> A BIP-70 signed payment request in the initial broadcast can resolve the
>>>> integrity issues, but because of the public nature of the broadcast
>>>> coupled with strong public identity, the privacy compromise is much
>>>> worse. Now transactions are cryptographically tainted.
>>>>
>>>> This is also the problem with BIP-70 over the web. TLS and other
>>>> security precautions aside, an interloper on the communication, desktop,
>>>> datacenter, etc., can capture payment requests and strongly correlate
>>>> transactions to identities in an automated manner. The payment request
>>>> must be kept private between the parties, and that's hard to do.
>>>
>>> What about using encryption with forward secrecy? Merchant would
>>> generate signed request containing public ECDH part, buyer would send
>>> back transaction encrypted with ECDH and his public ECDH part. If
>>> receiving address/amount is meant to be private, use commit protocol
>>> (see ZRTP/RedPhone) and short authentication phrase (which is hard to
>>> spoof thanks to commit protocol - see RedPhone)?
>>
>> Hi Martin,
>>
>> The problem is that you need to verify the ownership of the public key.
>> A MITM can substitute the key. If you don't have verifiable identity
>> associated with the public key (PKI/WoT), you need a shared secret (such
>> as a secret phrase). But the problem is then establishing that secret
>> over a public channel.
>>
>> You can bootstrap a private session over the untrusted network using a
>> trusted public key (PKI/WoT). But the presumption is that you are
>> already doing this over the web (using TLS). That process is subject to
>> attack at the CA. WoT is not subject to a CA attack, because it's
>> decentralized. But it's also not sufficiently deployed for some scenarios.
>>
>> e
>>


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 473 bytes --]