security of identities #376

Closed
hasufell opened this issue Aug 5, 2013 · 10 comments
@hasufell

hasufell commented Aug 5, 2013

I am not a security expert, so don't expect too much.

However, I think Bitmessage currently has zero protection against dictionary and rainbow table attacks since the passphrase-generated identities are always the same.

I could easily set up a spying server creating identities at random and based on dictionaries or commonly used passphrases and thus getting the content of mails that were not intended for me.

The sender would still be kind of anonymous, but the content-data from those mails might help me to get some real-world identities, especially if I run such a spying server at large scale.

@hasufell
Author

hasufell commented Aug 5, 2013

I forgot: You can even manipulate conversations with spoofed identities.

@ghost

ghost commented Aug 5, 2013

Probably users should be discouraged from creating identities using passphrases and instead use the random generation. Maybe passphrases should be limited to chans.

@hasufell
Author

hasufell commented Aug 5, 2013

Another thing: even the randomly generated identities could potentially have a "collision", no?

@nimdahk

nimdahk commented Aug 5, 2013

> Another thing: even the randomly generated identities could potentially have a "collision", no?

No. That is Almost Sure not to happen, just like with Bitcoin.

@DivineOmega
Contributor

This is not a bug, it is a feature. Being able to receive messages on multiple devices is a very useful ability for an email alternative to have.

@grant-olson
Contributor

Yep. Feature. This is why they are called 'deterministic' keys.

On a minor tangent, I think the real problem is that it's not immediately obvious how to import/export random keys, and that's not exposed as a feature. That would make it easier for people to stick to random addresses and only use deterministic addresses for things like chans.

@Atheros1
Contributor

Atheros1 commented Aug 5, 2013

@hasufell, you misunderstand the purpose of deterministic addresses. You described this as a problem:

> reproduce it this way:
>
>     create an identity via passphrase and insert "foo" on PC_1
>     repeat on another PC_2 with the same passphrase
>     on PC_3 you send an email to that hash/identity => mail shows up on PC_1 and PC_2

..when in fact that is the feature's purpose. It is up to you to use a strong passphrase. The UI even makes this clear:

> If you choose a weak passphrase and someone on the Internet can brute-force it, they can read your messages and send messages as you.

@Atheros1 closed this as completed Aug 5, 2013

@nimdahk

nimdahk commented Aug 7, 2013

I've changed my mind (I now oppose deterministic addresses) for one simple reason:

I don't want to rely on the recipient's choice of passphrase.

A majority of passwords used on websites are easily attacked (brute-force, dictionary, etc.), and there's no real reason to believe that the UI's clear warning will prevent this from happening with Bitmessage.

With Bitcoin, it's OK: if you send money to someone with a weak deterministic address, they lose the money. You still paid them; it's like a store got robbed after you walked out with your product. With Bitmessage, it's NOT OK: if you send a message to someone with a weak deterministic address, YOU are made vulnerable.

If deterministic addresses are kept as a feature without any changes, every correspondence I make will have to start with a message asking "is this a deterministic address?"

I see two solutions:

  • require a huge amount of computing power for deterministic addresses
  • require a minimum amount of password entropy (see e.g. zxcvbn)
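
Added example, not part of the original thread and not Bitmessage's own code: a sketch of the two mitigations listed in the comment above, combining an entropy floor with passphrase stretching before a deterministic seed is derived. The wordlist, `MIN_BITS`, `ITERATIONS`, `DOMAIN` and both function names are assumptions, and `estimate_bits` is a crude stand-in for an estimator such as zxcvbn.

```python
import hashlib
import math
import string
import unicodedata

# All constants below are assumptions for illustration, not Bitmessage values.
COMMON = {"foo", "password", "letmein", "123456", "bitmessage"}  # constructed sample list
MIN_BITS = 80          # assumed floor; the thread leaves the value open
ITERATIONS = 200_000   # assumed work factor
# Fixed, public salt: every device must derive the same key from the same
# passphrase, so no per-user random salt is possible. Stretching therefore
# raises the cost of each guess but does not stop shared precomputation.
DOMAIN = b"deterministic-identity-example-v1"
ASCII_ALNUM = string.ascii_letters + string.digits


def estimate_bits(passphrase: str) -> float:
    """Crude upper bound: length * log2(character pool); 0 for listed words."""
    if passphrase.lower() in COMMON:
        return 0.0
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c not in ASCII_ALNUM for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def derive_seed(passphrase: str, iterations: int = ITERATIONS) -> bytes:
    """Return a 32-byte seed, or raise ValueError for a weak passphrase."""
    # Normalise so the same typed passphrase matches across devices.
    normalized = unicodedata.normalize("NFKC", passphrase)
    bits = estimate_bits(normalized)
    if bits < MIN_BITS:
        raise ValueError(f"passphrase too weak: ~{bits:.0f} bits < {MIN_BITS}")
    return hashlib.pbkdf2_hmac(
        "sha512", normalized.encode("utf-8"), DOMAIN, iterations, dklen=32
    )


if __name__ == "__main__":
    for candidate in ("foo", "Tr0ub4dor", "correct horse battery staple 7!"):
        try:
            print(candidate, "->", derive_seed(candidate).hex()[:16], "...")
        except ValueError as err:
            print(candidate, "->", err)
```

Because the salt has to be the same for everyone, the entropy floor carries most of the protection here; the work factor only multiplies the price of each guess.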

@ghost

ghost commented Aug 7, 2013

I agree that given the option to create deterministic addresses many users will just use dictionary words which are easy to brute force. A minimum entropy seems reasonable, although what that minimum value should be I don't know.

@hasufell
Author

hasufell commented Aug 7, 2013

Maybe deterministic addresses should only be used by channels?

Or: would it be possible to inform me if a buddy uses a deterministic address?

edit: maybe the latter is a bad idea
