On the internet, there is only Alice

Everyone who works long enough in the field of cryptography knows about Alice and Bob: They know each other, go their separate ways and – always – are in dire need of private communication. Eve is listening in on every message and Mallory actively tries to trick them into believing her words are genuine. Then the authors of the paper explain their cryptographic protocol that makes Alice and Bob safe again.

Classic Cryptography

The use cases for cryptography have almost always been royalty, military, business and lovers. What they have in common is that all participants already know each other, get separated and are in dire need of private communication. So before the mission, they get together to agree on a protocol and key. Then they hire couriers to transport their encrypted messages.

This is what I call Classic Cryptography.

On the internet, there is only Alice

On the internet, the situation is radically different. There are a few well known parties and there are many strangers who want to communicate securely with some of the well knowns.

Take banking, for example. There are a few banks and a lot of potential customers. Suppose I want to open an account at a bank of my choice. My needs are:

  1. I need to connect to the correct servers (authentication), not those of criminals, or worse, a different bank pretending to be my choice;

  2. I need the link to be private (secrecy) so I can safely transmit a copy of my passport to the bank without third parties being able to copy it.

The bank has these needs:

  1. The bank needs to be able to recognize (authenticate) me at recurring visits. Without this recognition, I remain a stranger to the bank and the bank can’t accept my transactions;

  2. No one should be able to impersonate any customer.

It should be clear that classic cryptography doesn’t work here anymore. It would mean that to open an account I visit a branch office of the bank in person. We then agree on a protocol and some keys and we separate again.

What about a blog site?

Suppose I stumble upon an interesting blog site. I read a while and then I feel a need to write the blogger in private. The same asymmetric requirements show up: I need to connect to the correct server and I want the connection to be secure against eavesdropping and tampering.

The blogger and I need to be able to recognize each other later in the conversation. Otherwise, we wouldn’t know for sure if a message was part of the conversation or inserted by Mallory.

There is a third requirement: I want to remain pseudonymous. The blogger only knows me by a self-chosen identity, and I use that identity only to connect to the blogger; I don’t share identities.

Again, classic crypto doesn’t help me.

What about a whistleblower?

Suppose I had to blow a whistle on some secret government program gone haywire. I’d search for a trustworthy journalist at a respectable newspaper. The journalist is well known and I’m the stranger and I would like to keep it that way for everyone, including the journalist.

The requirements are the same again: I need to be able to authenticate the journalist before I send my first document. I want to do so without the journalist knowing my true identity; my chosen pseudonym ‘Deep Throat’ suffices.

There is a fourth requirement: I don’t want the government to track me while sending the documents so I want to transmit all communication via Tor.

Fifth requirement: The journalist doesn’t know how any of that techno-stuff works so it must work out of the box without brainpower from either party.

It’s clear that classic cryptography doesn’t fit the bill.

Eccentric Authentication to the rescue

What these cases have in common is that there is a well known party (Alice) and there are strangers who want to open a secure channel.

Both parties need to authenticate the other at later visits, while in two of these cases, the stranger wants to remain anonymous.

Eccentric Authentication is my protocol that allows strangers to contact well known parties, secure all their communication, mutually authenticate and remain anonymous and untraceable if they wish. This site is dedicated to the protocol.

Happy reading.