ghosttie13h ago

In an E2EE system, how does Alice know what Bob's public key is?

#cryptography

Show threadOlivier13h ago
@ghosttie it's public, so either Bob can send it to Alice, or if it's part of a system like Signal, then the public key is part (maybe hidden /abstracted) of the user profile data.
Show threadghosttie
@dacmot how does Alice know that's Bob's actual public key and not Mallory's?
4:54pmWeb
Show threadOlivier13h ago

@ghosttie one way would be to meet in person.

In a system like Signal, it would be built in to the user ID. For things like PGP/GPG, websites, or developer signing key, there are multiple mechanisms to verify the key identity. You can use a web of trust (WOT) or keyrings, certificate authorities like DigiCert/Let's Encrypt, or MS/Google/Apple issuing signing keys.

Note that none of those methods are perfect, and a bad actor could still manage to impersonate someone else. But it makes it significantly harder.

Show threadZoarial94 13h ago
@dacmot @ghosttie signal also has safety numbers which should be verified outside of signal. If the safety number changes, then the keys have changed and you might not be talking with the same individual anymore.
Show threadZoarial94 13h ago
@ghosttie @dacmot I think you need a second communication channel. And something to corroborate that multiple channels are controlled by the same person. The most surefire way is to meet in person and confirm the keys. I don't think there's a purely technical way to solve this without putting trust into some central authority. It's inherently a social problem.
Show threadZoarial94 13h ago
@ghosttie @dacmot on mastodon, you can verify websites to your account, but how can you really know it's truely that person and not a well connect imposter? You can't. But you can be reasonably sure.
Show threadghosttie13h ago

@Zoarial94 @dacmot @sophieschmieg so if I was doing Fediverse E2EE messaging, we would assume that the PK we get for a person is correct but unverified, and then verify it OOB?

Kind of unrelated, but are there any civilian-friendly ways of comparing PKs? I remember SSH or something had a way of turning the Big Random Number into a picture that you could more easily see differences in...

Show threadSophie Schmieg12h ago

@ghosttie @Zoarial94 @dacmot I'm not aware of any that have a proven track record of actually working. The problem is that, if you want to have the same security as comparing the entire number, you need to have as much entropy as the number, and all "civilian friendly" ways of encoding information are substantially more verbose than raw bits in hex. So as far as I recall people moved away from things like pictures because the research couldn't show that humans would actually find the difference with high enough accuracy.

But if we're talking about e2ee on the Fediverse in particular (shout out to @soatok ), there is actually another option that I didn't mention in my first post that is uniquely suited here, in key transparency. That's usually a huge pain to deploy and reason about, but gets substantially easier in situations where you may not trust any individual server, but do trust that all of them together do not secretly and maliciously conspire against you.

Show threadSophie Schmieg12h ago
@ghosttie @Zoarial94 @dacmot @soatok key transparency is something like a "good blockchain": no money (and therefore no scams, fraud, or laundering), no proof of work (and therefore no environmental cost), just an append only log that solves the sybil problem via reputation of Fediverse servers. With that you can make it so that all public key registrations happen publicly and no single server operator can lie about which public key belongs to which account without leaving a public trail. That means that while a server could hand Alice Eve's public key instead of Bob's, everyone, including Bob, would learn about that.