RPOW - Reusable Proofs of Work 191
mitd writes "Hal Finney is inviting folks to test drive his new hashcash-based server rpow.net.
" The RPOW system provides for proof of work (POW) tokens to be reused. A POW token is something that takes a relatively long time to compute but which can be checked quickly."
Hal's security model paper is well worth the read and his proof of concept code is available for download.
"
Umm (Score:4, Insightful)
Re:Umm (Score:4, Informative)
Re:Umm (Score:2)
If RPOW is trying to slow down spammers, it won't work as it has been already told thousands of times: Windows 0wned machines computing hashes like a cluster...
Re:Umm (Score:4, Informative)
Re:Umm (Score:2)
If only that were true. Currently, despite thousands of Windows machines being used for sendign spam at any given time, in fact only a small part of the compromised machines is actually being used.
A thousandfold slowdown of the rate of sending just means a larger part of all those zombies will be used to get the job done. The factor you ta
Re:Umm (Score:3, Informative)
Then you just have to increase the cost. In a way, it's a very free-market system: people keep on getting spam, and thus upping the cost of sending it to them. Eventually, a balance is found between the amount of spam you have to put up with and the amount of legitimat
Re:Umm (Score:2)
They don't need to. If you're a spammer you just use spyware or worms to look for email + private key combinations, and then sell them by the millions on CD.
(All it takes to get around a passphrase protecting the private key is a keylogger.)
Re:Umm (Score:2)
Then you simply kick their status back to untrusted until they change their key, forcing them to pay the hash. This could even be done automagically by a Bayesian filter - if a given key is associated with enough non-spam messages, make it trusted, if it starts spamming you, make it untrusted.
Such a CD would become worthless very quickly.
Re:Umm (Score:2)
Re:Umm (Score:2)
Re:Umm (Score:2)
Re:Umm (Score:2)
Re:Umm (Score:2)
Re:Umm (Score:5, Informative)
Re:Umm (Score:3, Insightful)
Re:Umm (Score:2)
Don't get me wrong, I think something like this might put the squeeze on those with smaller zombie nets, but in general I think the blackhat community would be able to cope.
Re:Umm (Score:2)
Re:Umm (Score:3, Insightful)
That's why you'll use HTTP 1.1. It lets you request more than one item without closing connection inbetween (the so-called "keepalive" option in the HTTP reque
Re:Umm (Score:2)
Re:Umm (Score:5, Informative)
Here's how I understand it:
Imagine you have to do a research paper. Though it takes a long time to write this research paper, what you turn in to your professor is (relatively) quickly checked. The paper itself is like a POW token -- It proves that you did the work without you having to redo the work while the teacher is watching.
-nova20
Re:Umm (Score:2, Funny)
So in other words we'll have a site in a couple years that has a bunch of POW tokens we can download, change the name, and turn it in as our own? (:
Re:Umm (Score:4, Insightful)
Reusable Tokens (Score:3, Interesting)
Re:Reusable Tokens (Score:2, Insightful)
Re:Umm (Score:2)
Huh? (Score:1)
What does this server "serve" exactly?
I'm not sure submitters know quite what "article summary" means.
Isn't it obvious? (Score:5, Informative)
But seriously, the server went down after two replies, but not before I managed to get this:
[Read this instead adding a load to a battered server]
and this
Re:Isn't it obvious? (Score:1)
And a few mentions of what it "could" be used for, but of course it wont be.
So basically we have another neat solution out in search of a problem. That explains the lack of any "what the fuck is it?" verbage in the article summary. It really isn't anything.
Re:Huh? (Score:1)
The link to the email? Ok, he has a box with some fancy IBM crypto co-proc in it. That clears things up.
Or his actual server, the one that's completely inaccessable?
20 bucks says the article submitter doesn't even know what this is. He just came across it and figured "bet thats tech sounding enough to get me some slashdot karma".
What problem does this solve? Spam? Hacking? Windows vulnerabilities? Will this put Linux on the desktop? Does this even have anything to do with linux?
More info on Hal can be found.... (Score:2, Funny)
Re: RPOW - Reusable Proofs of Work (Score:5, Funny)
"I'm sorry Dave, but I can't let you download that..."
Verify (Score:2)
I need some ubergeek translation on this one. Is this a complicated, better method for verifying against known published source code?
Davak
Re:Verify (Score:5, Interesting)
However this probably doesn't work [cam.ac.uk] (PDF) [or as html [66.102.9.104]].
Background (from that paper):
Re:Verify (Score:2)
That paper makes a couple glaring errors that significantly reduce my confidence in their results. The first is that it ignores whitelist systems that allow mailing lists to continue to function without needing to pay the price that spammers do: instead, they analyze only the trivial case where every email that is sent has a fixed cost to send. The second is that they assume that such a system has to be guaranteed to eliminate spam, while simply reducing it would be acc
Re:Verify (Score:2)
Assuming that a hash-cash or other POW system is only useful if, working alone, it reduces the spam in your inbox from ~50% to ~0.1%, that the average machine sends 75 legitimate unsolicited mails (that is, non-spam mails to people outside your orga
Re:Verify (Score:2)
Translation - Ignoring actual content, mailing lists look very much like spam, and approaches to spam that make sending email "expensive" would also impact mailing lists.
Others have mentioned whitelisting, but I'll take the (IMO) bolder step of saying "Too Damn Bad". If it means I won't get a f
/.ed (Score:5, Funny)
Re:/.ed (Score:2)
Re:/.ed (Score:2)
Re:/.ed (Score:2)
But x in NP and x not in P works...
well.
that was pedantic.
Proofs Of Work are few and far between (Score:4, Funny)
Cache (Score:5, Informative)
Re:Cache? (Score:2)
Shouldn't that be Google Cache after POWing?. Hey, couldn't resist after seing the acronym POW (Piece of Work) on the website once too often.
Come to think of it, this could turn into a new saying. "You're a real POW aren't you?"
Obligatory Pun (Score:4, Funny)
RPOW/rMIA (break out the black flags w/web server silhouette)...
Re:Obligatory Pun (Score:4, Funny)
Re:Obligatory Pun (Score:2)
Anon posting, ARTICLE TEXT (Score:3, Informative)
by Hal Finney
(hal at finney dot org)
What Is This? Theory Security Try It Out! FAQs Download
The RPOW system provides for proof of work (POW) tokens to be reused. A POW token is something that takes a relatively long time to compute but which can be checked quickly. RPOW uses hashcash, which are values whose SHA-1 hashes have many high bits of zeros.
Normally POW tokens can't be reused because that would allow them to be double-spent. But RPOW allows for a limited form of reuse: sequential reuse. This lets a POW token be used once, then exchanged for a new one, which can again be used once, then once more exchanged, etc. This approach makes POW tokens more practical for many purposes and allows the effective cost of a POW token to be raised while still allowing systems to use them effectively.
Security
This is useful functionality, but the unique feature of the RPOW system is its approach to security. RPOW is the first public implementation of a server designed to allow users throughout the world to verify its correctness and integrity in real time.
Based on principles similar to those proposed for so-called "Trusted Computing", RPOW allows third parties to dynamically and remotely verify what program is running on the RPOW server. The RPOW server is implemented on a high-quality secure processor, the IBM 4758 PCI Cryptographic Coprocessor, which has been validated to the highest level of security publicly available, FIPS-140 level 4. The 4758 is a self-contained single-board computer which has its own device key, generated on-board, which never leaves the card. That key can issue cryptographically signed attestations which describe the software configuration running on the card, including the SHA-1 hash of the application program.
The source code to the RPOW server is available from the download page. Using publicly available tools, anyone can build from this source code a memory image identical to that running on the RPOW server. If the SHA-1 hash of this file matches that being reported by the 4758 device key, the user can conclude that the supplied source code is what is actually running on the 4758. By inspecting the source code he can then make sure there are no "back doors" or loopholes that would allow the owner/operator or designer of the system to defeat its security, for example by creating RPOW tokens without doing the required work.
Allowing clients to dynamically validate the security of a server turns the concept of Trusted Computing on its head. Rather than a threat to individual privacy, the technology becomes a boon to privacy and an empowering force for end users on the net.
Applications
Security researcher Nick Szabo has coined the term bit gold for information objects which are provably costly to create. He suggests that these could even serve as the foundation for a sort of payment system, playing the role in the informational world of gold in the physical world. RPOW would facilitate the use of POW tokens as a form of bit gold by allowing the tokens to be passed and exchanged from person to person.
POW tokens have been proposed as a form of pseudo-payment in several applications. One example is email. An email message containing a POW token would be relatively costly to send in terms of computing power. A POW token could then be a sign that the message was not spam.
Using RPOW tokens for email would have advantages, as people could then reuse tokens from incoming email in outgoing email. Spammers will have no such advantages since almost all of their email is outgoing. Reuse allows the cost of the POW token to be much higher since most people won't have to generate them, making the system more effective as an anti spam measure.
Transparent Servers
The RPOW system is just the first of what are planned as a series of systems which use this approach, which I call Transparent Servers. Such systems publish their source code for review and inspection, and use Trus
Fragile Mirror (Score:1)
FAQ and "What is this?" links also included...
Mirror of article/download (Score:2)
NOTE: Only the source code is mirrored, site is way too slow to mirror the rest!
Re:Mirror of article/download (Score:2)
The file is downloading as I type this, hopefully it will finish so I can mirror it.
Defeating the purpose? (Score:2, Insightful)
Easier Explanation of RPOW & RPOW Uses (Score:4, Interesting)
It's not clear to me that there is an obvious and immediate equivalent for RPOWs in existence. I'd be interested in hearing what people think this would be good for. It generally seems useful for making sure people do x amount of work before they are allowed to perform a task, but what can that be used for?
---------------------
Freedom or Evil: Freevil.net [freevil.net]
G. W. Bush says, "You decide!"
equivalent for RPOWs in existence (Score:3, Insightful)
Goods. Like a car.
Trust. Extremely difficult to make, easy to verify.
Re:Easier Explanation of RPOW & RPOW Uses (Score:2)
Proof-of-work tokens as an anti-spam measure? (Score:5, Interesting)
An interesting scheme...
One potential problem I see with such an anti-spam measure is that I keep hearing about spam runs being done from many regular users' computers by means of a spamming worm infrection. Such a worm could also be adapted to generate the POW tokens... or even steal them from the users' incoming email and re-use them under this scheme! That'll be just great, having your computer not only hijacked to send out spam, but loaded down with the heavy burden of generating POW tokens.
Re:Proof-of-work tokens as an anti-spam measure? (Score:2, Informative)
Re:Proof-of-work tokens as an anti-spam measure? (Score:2)
Re:Proof-of-work tokens as an anti-spam measure? (Score:2)
Someone even wrote a virus that would install Seti@Home on zombie computers that would run the CLI version in the background and upload workunits to be credited to whoever the hijacker designated. If the zombie owner never checked his background tasks, he probably just thought his ISP wa
Re:Proof-of-work tokens as an anti-spam measure? (Score:2)
No, not really. Generally these schemes involve the token being in some way tied to the specific message. A hash containing the to and from addresses for instance.
Re:Proof-of-work tokens as an anti-spam measure? (Score:3, Informative)
Why isn't PGP/GPG setup and configured on installation of all OSS mail readers?
Re:Proof-of-work tokens as an anti-spam measure? (Score:2)
Yep, but that doesn't work if you want to make the POWs reusable.
Re:Proof-of-work tokens as an anti-spam measure? (Score:2)
Suppose I'm a spammer, I generate one token and use it to send out 1 million emails to hundreds of thousands of different servers. How do the recipient servers figure out that they're being duped?
With non-reusable POW it is simple. The recipient generates a challenge, and the sender calculates the response, which the recipient verifies. A given challenge is only used once, and the recipient can guarantee that by simply using a random number generator - no storage or commu
Re:Proof-of-work tokens as an anti-spam measure? (Score:4, Informative)
With hashcash, I take a datestamp, the recipient's address, and some garbage characters, and put them in an X-hashcash header as part of the email. The garbage characters have been precalculated to give some number of '0's at the front of an SHA1 hash of the header. It's computationally expensive to force those '0's, the more '0's, the higher the expense. (The hashcash site mentioned 4 hours to produce 32 '0's on his system.) But it's cheap to verify that those '0's are there in the hash of the header. That's what makes the system work.
There is no challenge-response in hashcash. You publish a 'price', some number of hashcash '0's, to receive email. If the email is in you whitelist (and presumably has a good SPF) call it good. Call other mail without an X-hashcash header spam. You can then validate the X-hashcash headers on your system. Valid headers are stored, and since they contain a datestamp in cleartext, you can purge them after some interval. Note that you only store valid headers, and only for a limited time, so the database doesn't grow forever.
Hashcash requires no central server or database.
RPOW works off of hashcash. You make a hashcash 'stamp' and trade it in for a RPOW token. Since the RPOW lets that original computational effort be reused, it lets you up the 'price'. ie - require more '0's in the hash.
I haven't read the documentation thoroughly, but I suspect that RPOW is validated at the server, not by challenge/response. But remember that each RPOW ticket is used only once, and once shown secure, there wouldn't be a lot of attempts at spoofing. So the traffic volume (and server requirements) should remain reasonable. In other words, the server traffic would be related to the level of legitimate email, not the level of spam. Oh, when you check the RPOW with the server, it hands back a new RPOW that you can use to send email. As far as I can tell, there is no theoretical (only practical) lifetime limit to the tokens.
I'm less enthusiastic about RPOW than hashcash, simply because of the central server requirement. I also wonder/fear about the feasibility of building an SHA1 engine out of FPGAs that could precalculate stamps faster than any regular PC, and then distribute them to spambots for mailing.
Re:Proof-of-work tokens as an anti-spam measure? (Score:2)
Uhhhhhh... (Score:1)
Sure, if by "test drive" you mean
Trusted computing? I think not. (Score:2)
Re:Trusted computing? I think not. (Score:2, Informative)
IBM releases the public key that corresponds to a private key stored on the card, the so called device key. The usual encode message with pub key, give to device, get decoded message back. Nothing will be able to perform this validation without the private key.
The only snag in this is if the hardware can be fooled with to extract the key, and though I really dont know anything about hacking hardare, I can't imagine that a high level security validation is given to a piece of hardware that easily give
dude, that's so excellent...who's hungry? (Score:3, Funny)
And although the process of exchanging "toke'ns" was highly "cryptographic", ultimately not a lot of work got done...
Anyway, I got confused there for a minute, but I am better now. This might help others:
From http://www.hashcash.org/ [hashcash.org]
Rock on!Zombie farms (Score:5, Interesting)
a) to be useful for anything involving third parties where you don't already have a trust relationship, this would need to be common/easy enough to get that other people already have software to support these things. That's not going to happen any time soon - it's a big enough change you may as well come up with an already secure email infrastructure [insert boilerplate "why your solution to spam is stupid" here].
b) 8 tokens per second? Puhleaze. I get that many emails through just one small server with 5 domains on it.
c) as the subject says. Zombies. In a world where thousands of low TC0 machines are sitting around running malware, it's piss-easy for the blackhat spammers to collect their 8 tokens/second by running POWer@home on their zombie farm.
BZZZZt. Strike three and you're out. Nice idea, but not practical.
Calibration issues (Score:4, Insightful)
Re:Calibration issues (Score:2)
-
What i dont understand about hashcash? (Score:2)
to *every* mail that goes out, which would be wildly different for each mail beacuse the email address would change.
Same concept, but would work with current mail clients/servers and could tell the server/mail client at the other end that the server really wants you to get this..
Anyone know why this wouldn't work?
Re:What i dont understand about hashcash? (Score:2)
It's a one way proof of work, not bi-directional make-work. What do you think this is, a government job?
Re:What i dont understand about hashcash? (Score:2)
target: "18102004-foo@bar.com"
sha1(target string): "a766a602b65cffe773bcf25826b322b3d01b1a97"
(clie n t works trying to break the hash)
solution: "2684ef53"
sha1(solution): "a766a60e3e3b4b7f53fe376224c08e47e959b2bc"
so the client has a 28-bit hash collision (a fair
Keeping honest folks honest (Score:3, Funny)
Since its based on working your computers resources perhaps other names could possibly be "RPOW by Jake"? Or "RPOW's of steel"?
Seriously, what happens next year when its not computationally expensive to compute the tokens? Ew, or what if you are a clever spammer with a degree in electrical engineering and the time to make your own token generating card to sell to all the other spammers on ebay for a small fortune (or you could prove it works by spamming them with advertisements...)?
Well, its always good to have another device to keep honest folks honest I guess.
Simple summary and questions (Score:2)
Here's the question for those who know more, i.e., anyone who knows anything about this. Won't this necessarily and dramatically increase request time? It should impose no (significant) additional load on the server, but won't this mean that requests take x*response time to begin?
Re:Simple summary and questions (Score:2)
Re:Simple summary and questions (Score:2)
Russian Black Market (Score:2, Informative)
Re:Russian Black Market (Score:2)
Let's make it do something useful (Score:3, Insightful)
Bert
Spammers don't send their spam (Score:5, Informative)
All this means is that, as well as the net connection being slow, the processor will be running overtime calculating the checksums. The spammers will send as many emails as ever.
SPF has to be one of the easiest measures we can take to reduce spam. Spamassassin is about to hit 3.0 RC1 and many more of us will be able to easily associate scores with SPF records. As soon as mail has to originate from the correct domain we get better spam checking and a paper trail for the authorities to follow. If you don't have SPF records for your domain, head on over here [pobox.com] or here [infinitepenguins.net] and set them up.
Re:Spammers don't send their spam (Score:2)
Yeah, except that it was never intended for that purpose, and doesn't have any features to do anything to prevent spam. But other than those two minor points, it's perfect.
Re:Spammers don't send their spam (Score:3, Insightful)
Wrong. The processor will certainlty be bogged down generating tokens, but the net connection will be wide open if it can only generate one token and send one spam every 4 or 5 minutes.
And no, even 10 minutes wouldn't be a problem for normal email users. The very first time you launch your mail program it can start generating a t
Re:Spammers don't send their spam (Score:2)
Now, I send mail to LKML. The protocol can work one of two ways: 1) use my token in the 50,000 messages taht are sent out 2) generate its own token for all 50,000 messages 3) generate a unique token for each of 50,000 messages.
Plan 1 is abusable thusly: a) spammer has "token machine" which generates the spam b) spammer has "mailing list" machine which disperses the mail to thousands of hapless end-users.
Plan 2 is
Re:Spammers don't send their spam (Score:2)
Any non-moderated list like that is going to be tough to secure.
The protocol can work one of two ways: 1) 2) 3)
Two ways, 123? Chuckle.
Actually 4) anyone who signs up for a mailing list should be white-filtering it. No need for 50,000 tokens. And when someone signs up for such a list you request a really expensive token. Maybe someone even needs to leave their computer running overnight to sign up.
Someone can still attack the list with a number of machines, but you always has that risk. A
I have a better idea (Score:2)
Reusable Proof of (Busy) Work (Score:2)
How about if:
They team up with SETI@home, folding@home, and the like. When you turn in a work unit, they have a secure arrangement with some sort of postage stamp server, and you get sent the stamp. This only makes sense with a central st
What about server problems/attacks (Score:3, Informative)
The RPOW server is running on a high-security processor card, the IBM 4758 Secure Cryptographic Coprocessor, validated to FIPS-140 level 4.
So, in other words, it passes out little tokens that are worth something
Ok, so its running FIPS-certified code on FIPS-certified hardware. Still, how sure can you be that it will keep running 24/365 for years on end? If that private key is needed for proof of authenticity, and that key never leaves the board, that makes it, among other things, one heckuva terrorist target.
Re:What about server problems/attacks (Score:3, Insightful)
Re:Huh? (Score:3, Informative)
form the website:
"Using RPOW tokens for email would have advantages, as people could then reuse tokens from incoming email in outgoing email. Spammers w
Re:Huh? (Score:2)
The spammer could send as many as he wished, but they'd get caught up in the server, giving the same effect as a POW system but without the possibility of cracking.
Of course the spammers could set up their own little server, but that'd be DoSable/Legally Take Down-able.
Re:Huh? (Score:2, Insightful)
Surely noone would be smart enough to open the sendmail sourcecode and comment out the wait() lines.
All these schemes that rely on your computer "wasting time" to stop spam are silly.
I know, we can stop the spread of warez by making all file serving protocols automagically cap themselves at 2kbit or so. HTTP, FTP, P2P apps.. It's an awesome plan!
Wait I got a better one! We all go back to 300 baud dial-up modems. The ones you
Re:Huh? (Score:2)
Re:Huh? (Score:4, Informative)
Yes, I know that I shouldn't post replies like this, but this is getting annoying. Quite a few people have posted explanations about what this technology could be useful for. Make an effort to understand it, instead of continuing to post "I don't understand" comments.
You said: "Noone's going to install dedicated IBM crypto hardware in their mailservers. No company is going to invest big bucks in a mailserver just so it can run 100% CPU utilization all the time for no good reason. That costs actual real world money, and continues to cost in power usage."
That's absolutely right, and that's the whole POINT of POW tokens. If you are going to send one or two emails, it won't bother you all that much that your computer has to perform a few seconds of computation before your email gets accepted. If you are a spammer and you want to send a MILLION emails, then your computer would have to perform a few million seconds of computation, which would either slow you down tremendously OR force you to pay real money to buy lots of fast computers and power them.
The problem with the CURRENT model of email is that the sender does not have to pay anything to send spam, so they can send millions of them, and it's still worthwhile if they get one reply in ten thousand attempts. But if they had to pay something to send each spam, they would send less.
Junk snail mail senders have to pay for postage, and so, even though they may be annoying, they are not the same kind of problem as spammers are. They tend to send out flyers only for things that they expect to get SOME response for.
You also said "So spammers spam each other (or themselves from a different host) and have an endless supply of RPOW tokens." Again, you've missed the point. If they spam each other, then yes, the recipient now has the ability to send out the same amount of spam, but the sender has used up his tokens by transferring them to the sender. No new POW tokens are created by this process. If I give you $10 and you give me $10, we're NOT both $10 dollars richer -- what I gave you, I no longer have. And if we pass the $10 bill back and forth 100 times, we haven't somehow created $1000 for each of us to spend; we still have the same amount of money that we started with.
And your point about us not wanting secure hardware on our machines is irrelevant. Nothing in this idea implies that you should have secure hardware on your machine. It can all be done in software, open source software (or any other kind).
Re:Huh? (Score:2)
Unless spammers are selling to each other, this wouldn't help them any. Think of it like conservation of energy. Calculating a POW is like generating energy. Spamming someone requires energy. Spamming yourself just moves energy from one place to another. In the end, you still need to calculate the same number of POWs to spam a set of people.
Re:Huh? (Score:2)
Re:Out of Curiousity ... (Score:2, Informative)
In the region of $2000-3000 when they were still being produced. I've seen them for sale for $800 or so more recently. So not that much for any kind of org.
Re:But if they are reusable, ... (Score:2, Insightful)
Re:Are these things cheap? (Score:2)