You have just proved me right. Duplicating a 32-bit key ID requires just enough effort to keep casual attackers out. You have a small incentive to carry out the attack, you are able to do it, and yet, your judgement is that it's not worth the effort. I won. That's how good security works. Consider this: If I only check the 32-bit ID, I'm very probably on the safe side. If two keys with the same 32-bit ID show up, I do some more expensive checks to figure out what's going on. Rational attackers know this, and realize that they probably won't achieve much by attacking the 32-bit ID, and since it takes considerable effort (one hour of computing time is good enough) they just won't do it.
I'm not taking multiple target attacks into account, because for most applications they don't make sense from an economic point of view. What if you manage to impersonate a random person in a very superficial way? How is it beneficial for the attacker? Remember that attacks are events which are harmful for the victim and beneficial to the attacker.
Also note that attacking the 64-bit ID is completely out of reach for most practical purposes.
Believe it or not, I do understand Zooko's triangle and its implications: you can't have IDs which are globally unique, human memorable and self-authenticating at the same time, but you can have any two of these properties. But all that is about perfect security stuff. In practice, you can (and should!) make compromises: a 32-bit key ID is almost unique, difficult (but possible) to remember and provides a weak self-authentication.
Now, this is clearly not enough as the only security measure in place, but it is a perfect solution for your first line of defense. Since there can be additional security measures in place (third-party authentication, expensive checking of 64-bit or full 160-bit IDs, etc, etc, etc) it will be irrational for attackers to breach even this first line even though it is technically possible.
Think of banknotes. There is a multitude of security measures in place, but you check only the most superficial ones, because in theory you could check all the others too, so in practice you actually don't have to, because even the superficial ones take some effort to attack and it doesn't guarantee success. In a foreign country, you will probably gladly accept paper money that you have never seen before simply on the grounds that it looks like money that is expensive to counterfeit.
Re: Zooko's triangle
Date: 2007-03-06 11:29 am (UTC)
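The layered check the commenter describes (match on the cheap 32-bit key ID, and only when two keys share it fall back to the 64-bit ID or the full 160-bit fingerprint) as working code. This is an added example, not code from the thread or from any OpenPGP implementation; the key fingerprints are constructed by hand so that two of them collide on the short ID, and the `Key`, `Keyring` and `resolve` names are mine. The one convention it borrows from OpenPGP is that the 64-bit key ID is the low-order 64 bits of the fingerprint and the 32-bit short ID the low-order 32 bits.

```python
# Added example (not from the original comment): index keys by the cheap
# 32-bit short ID, and escalate to the 64-bit ID or the full fingerprint
# only when that cheap check turns up more than one candidate.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    owner: str
    fingerprint: bytes  # 20 bytes (160 bits), the size of an OpenPGP v4 fingerprint

    def __post_init__(self) -> None:
        if len(self.fingerprint) != 20:
            raise ValueError("fingerprint must be 160 bits")

    @property
    def long_id(self) -> bytes:
        # Low-order 64 bits of the fingerprint.
        return self.fingerprint[-8:]

    @property
    def short_id(self) -> bytes:
        # Low-order 32 bits of the fingerprint.
        return self.fingerprint[-4:]


class Keyring:
    """Keys indexed by short ID; collisions force a stronger identifier."""

    def __init__(self, keys: List[Key]) -> None:
        self._by_short = {}
        for k in keys:
            self._by_short.setdefault(k.short_id, []).append(k)

    def resolve(self, short_id: bytes, long_id: Optional[bytes] = None,
                fingerprint: Optional[bytes] = None) -> Tuple[str, Optional[Key]]:
        """Return (status, key).

        "unknown"   no key carries this short ID
        "unique"    one key carries it; the cheap check was enough
        "ambiguous" several keys carry it and no stronger ID was given
        "resolved"  the candidates were narrowed to one by long ID / fingerprint
        "mismatch"  a stronger ID was given but fits none of the candidates
        """
        candidates = self._by_short.get(short_id, [])
        if not candidates:
            return "unknown", None
        if len(candidates) == 1 and long_id is None and fingerprint is None:
            return "unique", candidates[0]
        # Collision, or the caller volunteered a stronger ID: do the expensive check.
        if fingerprint is not None:
            matches = [k for k in candidates if k.fingerprint == fingerprint]
        elif long_id is not None:
            matches = [k for k in candidates if k.long_id == long_id]
        else:
            return "ambiguous", None
        if len(matches) == 1:
            return "resolved", matches[0]
        if not matches:
            return "mismatch", None
        return "ambiguous", None


# Constructed sample keys (not real fingerprints). ALICE and MALLORY share the
# short ID 22222222 but differ in the 64-bit ID; BOB's short ID is unique.
ALICE = Key("alice", bytes.fromhex("a1" * 12 + "1111111122222222"))
MALLORY = Key("mallory", bytes.fromhex("b2" * 12 + "9999999922222222"))
BOB = Key("bob", bytes.fromhex("c3" * 12 + "3333333344444444"))
RING = Keyring([ALICE, MALLORY, BOB])


def demo() -> List[str]:
    """Run the lookups a client would make and report each outcome."""
    short = bytes.fromhex("22222222")
    cases = [
        RING.resolve(bytes.fromhex("44444444")),                           # unique
        RING.resolve(short),                                               # ambiguous
        RING.resolve(short, long_id=bytes.fromhex("1111111122222222")),    # resolved
        RING.resolve(short, fingerprint=MALLORY.fingerprint),              # resolved
        RING.resolve(short, long_id=bytes.fromhex("0000000022222222")),    # mismatch
        RING.resolve(bytes.fromhex("55555555")),                           # unknown
    ]
    return [f"{status}: {key.owner if key else '-'}" for status, key in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that the expensive comparison is only paid when the short-ID index reports a collision, which is exactly what the commenter argues makes the cheap check rational as a first line: an attacker who forges a short ID gains nothing more than triggering the stronger check.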