It’s difficult to exchange public keys easily and
correctly between strangers who have never met before.
But once they have done so, there is no way to stop them from communicating any more.
Eccentric Authentication focuses on getting that first key exchanged.
Eccentric Authentication is an authentication protocol that places end
user anonymity, privacy and ease of use above other requirements. The
user comes first, the web sites come second. The spies can go home.
It is designed to let people create accounts at web sites while staying
anonymous. The accounts are created with anonymous cryptographic
identities. All the crypto details are handled by a user agent, which
makes creating an account as easy as pressing
a button. No more hassles with passwords or email messages with
activation links.
The users stay anonymous until they decide to reveal their
identity. Even the web site will not learn the true identities. Nor
will anyone else when proper traffic analysis protection is used (Tor, I2P).
Secure names
Hidden in the account management are the public and private
keys. These can be used to encrypt and sign messages between users of
a site, or even between users of different sites. This can form the
basis of a secure email replacement, making phishing even more a thing
of the past. Because of the validation service, users can learn of
other users' identities by nickname and look up the public keys. This
makes world wide names secure.
Always encrypted
As this protocol deploys https-connections everywhere, it protects the
users against passive eavesdropping and active manipulations such as
Phorm, DPI.
End phishing
With the use of DNSSEC and a validation service to check that each
certificate is issued only once we can prevent Man-in-the-Middle
attacks and phishing. Even if the user falls for a bank-phishing scam,
his/her computer knows better and won’t let the user connect. If the
user would persist, bypass all protections and log in at the phishers'
fake bank site, the real bank site would detect it when the phishers
impersonate the user and block the account.
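
A minimal model of the "issued only once" check described above, as an added example that is not Eccentric Authentication's own code. The `ValidationLog` class, its method names, the status strings and the sample certificate bytes are assumptions for illustration; the page does not specify the validation service's interface.

```python
import hashlib
from collections import defaultdict


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's encoded bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class ValidationLog:
    """Hypothetical validation service: remembers every certificate
    ever reported for a (site, nickname) pair and never forgets one."""

    def __init__(self):
        self._seen = defaultdict(set)

    def record(self, site: str, nickname: str, cert_der: bytes) -> None:
        """A user agent reports a certificate it was shown for this name."""
        self._seen[(site, nickname)].add(fingerprint(cert_der))

    def check(self, site: str, nickname: str, cert_der: bytes) -> str:
        """Classify the certificate a user agent is about to trust.

        'unregistered' : no certificate is on record for this name
        'unique'       : exactly one is on record and it is this one
        'duplicate'    : the name maps to more than one certificate, or
                         to a different one than presented; refuse it
        """
        logged = self._seen.get((site, nickname), set())
        if not logged:
            return "unregistered"
        if logged == {fingerprint(cert_der)}:
            return "unique"
        return "duplicate"


if __name__ == "__main__":
    # Constructed byte strings standing in for encoded certificates.
    real = b"constructed-cert: CN=alice, key=AAAA"
    second = b"constructed-cert: CN=alice, key=BBBB"

    log = ValidationLog()
    log.record("bank.example", "alice", real)
    print(log.check("bank.example", "alice", real))    # unique
    print(log.check("bank.example", "alice", second))  # duplicate
    log.record("bank.example", "alice", second)
    # Once a second certificate is on record, the name stays flagged,
    # even for the holder of the original certificate.
    print(log.check("bank.example", "alice", real))    # duplicate
```
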
Safe javascript apps
With some changes in the browsers’ Same Origin Policy, it can use the
Eccentric Authentication to prevent XSS and CSRF attacks. That opens
the way for secure javascript applications, such as CryptoCat, Crypho
or other activist tools.
Good for/with Tor
Secondary benefits: Due to the pervasive use of encryption, Tor users
benefit in two ways: The use of Tor does not stand out among the
other traffic that uses this protocol. This makes it easier to hide
your Tor use. Secondly, when running eccentric authenticated
connections over Tor, the end-to-end connection is encrypted, solving
the evil-exit-node vulnerability of Tor.
Please see the Design Goals for more details and use cases.
With regards,
Guido Witmond
Witmond Secure Software
inventor of Eccentric Authentication