(no subject)
Jan. 8th, 2008 03:19 pm

I saw this on slashdot today: shimmer. It was exciting; I'd thought of a similar idea in undergrad when I heard about "port knocking" while reading Goldreich's first book: http://books.google.com/books?id=uyhDTk-2arMC&dq=oded+goldreich+foundations+cryptography
I think that the time dependence is a big problem - if the client and server clocks are more than two minutes out of sync, no authentication is possible. Any protocol depending on a global oracle for synchronization should be easy to DoS. Anyway, I know that I've had more time drift than that, many times; even not counting daylight savings time(s), leap seconds &c.
When I had this similar idea, it was as an application of a property of pseudorandom number generators (PRNGs, pron. "p-rings"): roughly, that you can reseed a PRNG with the least significant bits of its previous output without compromising cryptographic strength (i.e. this procedure is proven not to make things any worse). Then the two parties can track and perpetuate their state forever, by extending each other's sync-strings under cryptographic cover of the previous state exchanges... i.e., replace global time with a local time defined by where along the sync-string each client is. The problem is linear growth in memory/storage use on the server side to keep track of "where" the client is. The potential solution is then to transfer the burden of maintaining state to the client. I don't intuitively see why it can't be done the way ssh does it, but it's been a long time since I've thought about it. Maybe I'm missing something extremely fundamental & serious.
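As an added illustration (my own toy code, not shimmer's and not from any paper), here is the "local time along a sync-string" idea with HMAC-SHA256 standing in for the PRNG: each knock token is derived from the current state, and the state is then reseeded by folding that output back in. Both sides advance in lockstep, so no clock is involved, and the server keeps only one fixed-size state per client rather than the whole string; the bounded look-ahead window is my own addition to tolerate a lost knock without letting an old token replay.

```python
import hmac
import hashlib

def token_for(state: bytes) -> bytes:
    """Next knock token: a short PRF output of the current state."""
    return hmac.new(state, b"knock", hashlib.sha256).digest()[:8]

def next_state(state: bytes, token: bytes) -> bytes:
    """Reseed: fold the previous output back into the state (hash chain)."""
    return hmac.new(state, b"reseed" + token, hashlib.sha256).digest()

class Client:
    def __init__(self, seed: bytes) -> None:
        self.state = seed            # shared secret, exchanged out of band

    def knock(self) -> bytes:
        t = token_for(self.state)
        self.state = next_state(self.state, t)   # advance local "time"
        return t

class Server:
    def __init__(self, seed: bytes, lookahead: int = 3) -> None:
        self.state = seed            # one fixed-size state per client
        self.lookahead = lookahead   # how many lost knocks we forgive

    def verify(self, token: bytes) -> bool:
        s = self.state
        for _ in range(self.lookahead):
            expect = token_for(s)
            if hmac.compare_digest(expect, token):
                # Resync to just past the accepted position; anything
                # earlier (including a replay of this token) now fails.
                self.state = next_state(s, expect)
                return True
            s = next_state(s, expect)   # try the next position
        return False                    # too far out of sync: no advance

if __name__ == "__main__":
    seed = b"constructed-shared-secret"      # constructed sample value
    c, srv = Client(seed), Server(seed)
    t1 = c.knock()
    print("first knock:", srv.verify(t1))    # True
    print("replay:", srv.verify(t1))         # False
    c.knock()                                # this knock is "lost"
    print("after one lost knock:", srv.verify(c.knock()))   # True
```

Note that once the client gets more than `lookahead` knocks ahead, the two sides need an out-of-band resync, which is exactly the state-tracking cost the paragraph above worries about.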
Also, why does the new Opera suck? It crashes every few minutes to half hour under both winXP and linux. The flash plugin usually (but not always) crashes it; however, don't worry - you don't need it, sometimes it crashes automatically.