spam and crypto (was: Re: what is killing PKI?)
mailinglisten at hauke-laging.de
Fri Oct 5 03:55:24 CEST 2012
Am Fr 05.10.2012, 02:00:36 schrieb MFPA:
> Anyway, I would anticipate spam volumes to be lower if all messages
> were encrypted. Would the spammers invest the cpu cycles to encrypt
> their messages to each and every recipient?
They don't have to. They don't even have others to spend this CPU time. The
point is that a spammer would not encrypt to protect the contained information
but because he is required to adhere to the format rules of encrypted messages
in order to get his mails read.
So the CPU effizient spammer
1) encrypts all messages with the same session key. This forces him to send
identical messages but that is hardly a problem. This frees the spammer from
doing the symmetric encryption of the message but still causes that CPU load
of asymmetrically encrypting the session key to each of the recipient keys.
2) stores the "encrypted session key" packet for each recipient so he can send
other spam messages without per-recipient CPU consumption
3) if we try to detect spam by detecting reused session keys (by e.g. storing
the hashed of all session keys) then the spammer can still save a lot of CPU
power by not using the same but just similar session keys, differing just in
the last byte. If I understand asymmetric encryption correctly then most of
the encryption effort could be shared then between the keys. The spammer would
have to transmit the encrypted session key block along with the recipient
email address. That is a multiple of the data amount of just the addresses but
still not much.
And if we go even further and check not just for equal but for similar session
keys then the spammer still has the possibility to better use his resources by
preparing session keys and encrypted sesseion keys packets for future.
IMHO the solution of spam is not encryption but signatures. The better
solutions are not even crypto related. If the US and EU governments started
treating foreign spammers the same way like "terrorists" we would soon see no
more spam. A less violent option is the creation of a second email
infrastructure. Make (by law) certain addresses (subdomains) accessible only
by ISPs who fight spam (e.g. have to pay for spam from them). Then anyone can
decide whether and how many email accounts he wants to have in the "Do what
you like, get what you don't like" and the clean mail nets. Done (with small
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 555 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users