From daw@delhi.CS.Berkeley.EDU Thu Dec 7 16:26:04 PST 1995 Article: 26457 of hks.lists.cypherpunks Path: hks.net!daw From: daw@delhi.CS.Berkeley.EDU (David A Wagner) Newsgroups: hks.lists.cypherpunks Subject: Re: Still more on the Digicash protocol Date: 8 Dec 1995 00:15:36 GMT Organization: University of California, Berkeley Lines: 62 Message-ID: <4a8038$s7s@old-bb.hks.net> References: <199512071610.KAA16536@admin.starnet.net> NNTP-Posting-Host: delhi.cs.berkeley.edu Just a clarification about my comments on privacy against eavesdroppers with Digicash. I admit I didn't express myself very well the first time. In article <199512071610.KAA16536@admin.starnet.net>, Mark Twain Ecash Support wrote: > > >Worse still, anonymity for the shop is worse with Digicash than with real > >cash. If I pay you real cash on a secluded street, you're fairly anonymous. > >If I pay you Digicash over the Internet, any passive eavesdropper could be > >recording your identy and the whole transaction. Blech. > > This is raising an issue that has nothing to do with Ecash. The complaint is > in fact about the lack of a gereral link encryption on the Internet. I agree > that this is needed, but providing it really isn't Ecash's job. I am eagerly > anticipating the general use of IPSEC. > Hrm, I think you misunderstood what I was trying to say. Assume the attacker is not doing any traffic analysis. The problem is that even then, the shop's identity (and product info, and payment amount, and bank ID, etc.) are still sent *in the clear* in the Digicash payment protocol. Thus all those items can be correlated to the payee's identity: a complete loss of privacy for the shop. There's no need to send that payment info in the clear -- why not encrypt? If it is encrypted, a passive eavesdropper can only learn the payer's & payee's identity if he uses traffic analysis, and even then he doesn't know the payment amount, product description, etc. For all he knows, the transaction could've been a $0.01 cent donation to Sameer for his anonymous remailer, or it could've been a $10,000 transfer to Sameer's machine in (virtual) Anguila-space for a few dozen Apache servers. (So this also has implications for payer anonymity & privacy, not just payee privacy. When payment info is sent in the clear, and the eavesdropper is doing traffic analysis (e.g. by sniffing the link out from a small business), the eavesdropper can correlate payer's identity with the payment amount, product description, and other buying habit information. When Digicash protocol messages are encrypted, this information isn't released, and can't be correlated with payer identity, even when traffic analysis is being done.) That's why I really wish Digicash were encrypting all its messages. And I'm very glad to hear that Digicash will support sending the entire protocol over a SSL-protected link. Great feature! I'll be looking forward to it. > >* continue specifying the protocol at a deeper level, like you promised > > (and throw in source for security-critical modules too, eh? :-) > > Writing all this down takes time. DigiCash may hire a tech writer soon. That > should improve communications between all parties. Excellent! Thanks for all you're doing to improve Digicash's anonymity, privacy, and security features, Lucky. I think it's really important to get this right in the pioneering work...