Follow

does anyone have any ideas on how to do things like authentication sort of securely over the public internet without TLS (very complex, depends on centralized authority)

· · Web · 3 · 0 · 1

@aw spiped? TLS with your own CA? TLS PSK? Wireguard?

@aw I have a script I use that makes a new TLS CA, signs two certificates then deletes the CA private key, so no further certificates can be issued.

@aw Digest auth is slightly better than plaintext but you don’t get any authentication or confidentiality of the actual data after authentication which is kind of sad. And it requires you to store the passwords unhashed which is also a bit lame. I reckon the spipe protocol is a nice compromise between solving enough problems but not being too over complex

@aw ah yep I see I see. You need to prove the identity by signing a challenge I guess, and then decrypt / MAC the message. TLS has some advantages over pure RSA encrypted blob, like perfect forward secrecy. Basically what you’ve got there is PGP I guess. Please tell me if I’m telling you how to suck eggs and this isn’t helpful spitballing though!

@fincham no this is helpful, I think I'm starting to get it. I never took a cryptography or networking course in college lol

@aw right on. Happy to bounce ideas around at any point.

@aw I think whatever you end up with you really want at least bi-directional identity verification, confidentiality, message authentication / integrity, ideally replay protection and ephemeral session keys so someone can’t store and decrypt later.

@fincham here's the context (this is extremely rough, I started it today) github.com/alexwennerberg/nano

90% sure the right answer is just to use TLS. I am thinking about Gemini and how the complexity of TLS undermined some of its goals, but I don't know if there is really a better option.

@aw I have had similar ideas to this before! I love e-mail and I miss the old days. I’ll try give you some more useful feedback tomorrow

@aw
Also I don't feel like using just plain RSA without TLS is going to make anything more usable on retro computers. The hard part of running TLS is not TLS (386es easily did it), the hard part is the cryptography. This isn't the only flaw with Gemini using TLS—and probably not even one you're talking about—but it is a common complaint so I wanted to put that out there.

And with any cryptosystem (even home rolled ones) your authentication options really are:
1: have some reliable third party affirm the validity of a certificate, an authority on certificates if you will (DANE-style verification also counts here, because your domain registrar asserts that you actually own the domain name)
2: share the keys out-of-band like SSH (see also PGP “web of trust”)
3: trust on first use.
Or just ignore authenticity entirely and exclusively deal with confidentiality and integrity; although that's not a good threat model for anything touching any sort of network.

@fincham

@nytpu thanks for the feedback.

I do think that for gemini, TLS was a mistake. Mostly, people use it as a document host, like http 1.0, not as an application with authentication / secrecy

but I think you're definitely right for these contexts. there's no real way to avoid TLS for even semi-secure messaging.

@aw
There's certainly alternatives to TLS with different tradeoffs; but the primary benefit to TLS is the same reason Solderpunk chose it for Gemini: it's so prevalent that it's *the* cryptosystem to use for network streams. Unless you're fully E2EE encrypting your data; but even then TLS wrapped around that is still useful to obscure any unencrypted metadata attached.

And re: TLS on Gemini; yeah I agree. That's why I think people complaining about TOFU is way overblown. In my view, TLS on Gemini is a little bonus to stop people from *trivially* viewing what resource on a capsule you're accessing and that's about it. Not there to stop actors that are already intercepting all your web traffic or for any serious security. Although client certs are fantastic, IMO the best part about Gemini using TLS (my favorite thing about TLS-encrypted IRC too).

@fincham I feel like what I'm getting at is something like:

Open a TCP socket
Do a diffie-hellman key exchange
Send encrypted data over the socket

which is... TLS? lol

@aw heh yeah at some level of simplification yep :P something like sjcl could be a nice wrapper around the bare crypto primitives to avoid some of the pitfalls too. TLS has grown to handle a lot of attacks and edge cases

@aw depends how much up front coordination you allow

SSH lets you do this in a decentralized way but you have to bootstrap your key fingerprint trust somehow

@technomancy Bob has an RSA private+public key pair

Bob wants to get a message meant for his eyes only from some server securely using this RSA private key

what is the simplest way of doing this. am I reinventing tls from first principles.

@aw @technomancy TLS is the process of building a secure connection between two points for streaming bytes. It takes care of the whole chain, with asserting names and stuff, so there's not much you can strip off.

If you really do need to implement your own, perhaps the Noise Protocol Frameworks will be of use: http://noiseprotocol.org/. But like all crypto, reinvent the wheel at your own risks.

@rakoo I think I've been convinced not to fully reinvent this wheel. thanks!

@aw I *am* interested in your usecase, though :)

@aw you can replace the current CA system with something else that isn't backed by government-issued monopolies, one could imagine a method of bootstrapping trust that was more compatible with principles of mutual aid, etc

but you can't replace it with nothing, trust must initially be built from a place outside the system

@aw @technomancy you build trust by signing untrusted interactions, over time. After enough of them you trust whoever holds the key because of what they do, not “who they are”. That’s really the only other “bootstrap” approach besides trusted third party: the signed actions / statements themselves become the third party.

@aw
With any sort of modern cryptography, the complexity is pretty inherent to the algorithm. You're not going to find a secure algo that an arbitrary programmer could implement securely—if they can implement it at all, given how insane elliptic curves and such are.

I'd personally just use TLS. Implementing TLS itself is complex due to the CA system and how everything is negotiated between client and server; but using it is super easy, *with a decent TLS library* (i.e. not OpenSSL, which unfortunately is very common), even just the fact that it wraps an arbitrary TCP stream is super convenient.

As long as you don't need to use it with a mainstream web browser, you don't need a “real” CA; you can use DANE, or your own CA, or out-of-band share fingerprints like in SSH (maybe the style of just passing around a big fingerprints.txt file with fingerprints multiple people independently verified via TOFU), or even just pure Gemini-style TOFU

Sign in to participate in the conversation
Merveilles

Revel in the marvels of the universe. We are a collective of forward-thinking individuals who strive to better ourselves and our surroundings through constant creation. We express ourselves through music, art, games, and writing. We also put great value in play. A warm welcome to any like-minded people who feel these ideals resonate with them.