Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Encryption Security

RPOW - Reusable Proofs of Work 191

Posted by CmdrTaco
from the interesting-projects dept.
mitd writes "Hal Finney is inviting folks to test drive his new hashcash-based server rpow.net. " The RPOW system provides for proof of work (POW) tokens to be reused. A POW token is something that takes a relatively long time to compute but which can be checked quickly." Hal's security model paper is well worth the read and his proof of concept code is available for download. "
This discussion has been archived. No new comments can be posted.

RPOW - Reusable Proofs of Work

Comments Filter:
  • Umm (Score:4, Insightful)

    by Anonymous Coward on Wednesday August 18, 2004 @10:12AM (#10001783)
    Can someone explain the concept behind this in a little uhh easier terms. I read parts on the website, but I think I need a bit of background before I can really understand what is going on. Thanks
    • Re:Umm (Score:4, Informative)

      by Anonymous Coward on Wednesday August 18, 2004 @10:16AM (#10001854)
      Spammers send millions of email a second, imagine if for every email they had to do some sums that took 2 seconds, before the server would accept the email...suddenly the rate of emails per second falls.....
      • by nkh (750837)
        Does that mean that legitimate mailing-lists servers will have to wait 2 seconds for each e-mails they send? I read a few of these lists and I'm sure there are other solutions to solve spam problems, like killing SMTP once and for all.

        If RPOW is trying to slow down spammers, it won't work as it has been already told thousands of times: Windows 0wned machines computing hashes like a cluster...
        • Re:Umm (Score:4, Informative)

          by aardvarkjoe (156801) on Wednesday August 18, 2004 @11:16AM (#10002651)
          Does that mean that legitimate mailing-lists servers will have to wait 2 seconds for each e-mails they send?
          This comes up every single time that someone talks about technical means of stopping spam. And every time, we have to remind you that whitelists can solve the problem trivially. (In this case, you have a system where the receiver [you] accept mail without proof of work from mailing lists.)

          Windows 0wned machines computing hashes like a cluster...
          Right now, cracked boxes are used for sending spam. If you slow down the rate that it's possible to send spam by 1000, then you get a thousandfold decrease in spam.
          • > Right now, cracked boxes are used for sending spam. If you slow down the rate that it's possible to send spam by 1000, then you get a thousandfold decrease in spam.

            If only that were true. Currently, despite thousands of Windows machines being used for sendign spam at any given time, in fact only a small part of the compromised machines is actually being used.

            A thousandfold slowdown of the rate of sending just means a larger part of all those zombies will be used to get the job done. The factor you ta
            • Re:Umm (Score:3, Informative)

              by ultranova (717540)

              A thousandfold slowdown of the rate of sending just means a larger part of all those zombies will be used to get the job done. The factor you talk about is very easy to manage considering the total number of compromised machines out there.

              Then you just have to increase the cost. In a way, it's a very free-market system: people keep on getting spam, and thus upping the cost of sending it to them. Eventually, a balance is found between the amount of spam you have to put up with and the amount of legitimat

              • by JamieF (16832)
                >you typically only need to pay the hashing cost once, unless of course you are a spammer (in which case people will not mark you as trusted).

                They don't need to. If you're a spammer you just use spyware or worms to look for email + private key combinations, and then sell them by the millions on CD.

                (All it takes to get around a passphrase protecting the private key is a keylogger.)
                • They don't need to. If you're a spammer you just use spyware or worms to look for email + private key combinations, and then sell them by the millions on CD.

                  Then you simply kick their status back to untrusted until they change their key, forcing them to pay the hash. This could even be done automagically by a Bayesian filter - if a given key is associated with enough non-spam messages, make it trusted, if it starts spamming you, make it untrusted.

                  Such a CD would become worthless very quickly.

                  (All

          • And every time, we have to remind you that whitelists are easily occupied by zombied machines, especially for the big email providers like Hotmail, AOL, Earthlink, big universities, etc. Expect a temporary halt at best, and lots of your friends and relatives and business partners telling you to go blow yourself for insisting on a challenge-response system. That's what the "hashcash" system is under the hood.
            • And every time, we have to remind you that whitelists are easily occupied by zombied machines, especially for the big email providers like Hotmail, AOL, Earthlink, big universities, etc.
              Uh ... do you even know what a whitelist is? Having a zombie machine doesn't do a spammer any good at all; one person isn't likely to be in the whitelist of more than a few dozen people.
              • Yes, I'm extremely familiar with whitelists and blacklists. You seem to think that the spammer in these zombied cases will use the zombied machine to send the email directly to the target. While this has often been true, the spread of techniques such as SPF (at http://spf.pobox.com) that create some level of domain authentication for the sender will cause the viruses and spam zombied machines to use the local SMTP servers for their domain. Next, the aol.com and hotmail.com zombied machines will find and go
                • "Doctor! It hurts when I do this!"

                  "Then don't do that."

                  What kind of idiot would design a whitelist that only works on a per-domain level? Nobody's going to whitelist "*@hotmail.com", that's just stupid. In fact, you wouldn't even want to whitelist your contacts; it's far better to only whitelist mailing lists.
      • by bo0ork (698470)
        Too bad there isn't more detail about a possible email implementation. Anyhow, I fail to see how this would stop spammers. They have hordes of luser machines to do the (R)POW work for them.
    • Re:Umm (Score:5, Informative)

      by baywulf (214371) on Wednesday August 18, 2004 @10:21AM (#10001921)
      It is essentially a computer algorithm that is time consuming to calculate but fast to verify. It can be used to mitigate denial of service attacks for example. When a connection is made, the server will make a challenge which the client must compute. The server can quickly verify the response and reject the client if it is wrong. The extra computation means the client cannot succeed in an attempt to connect without doing the challenge thus slowing them down.
      • Re:Umm (Score:3, Insightful)

        by MenTaLguY (5483)
        I don't really see how that helps much with distributed DOS attacks, which are the most common variety these days. The number of zombie machines involved is quite mind-boggling.
      • Why not just tell the client to sleep for (int(rand(10)) seconds? In any case: keep in mind that HTTP is stateless (since you mentioned DoS, I'll bring up HTTP, a common DoS target). Each web page you load initiates 10s of connections. Imagine having to wait a couple of seconds for each connection to go through. Suddenly, the 1.2sec it takes to load a page like /. now will take 30sec; probably worse than dialup. Now this doesn't seem to hot anymore, does it? If this (RPOW/HashCash) is a form of electronic
        • Re:Umm (Score:3, Insightful)

          by ultranova (717540)

          In any case: keep in mind that HTTP is stateless (since you mentioned DoS, I'll bring up HTTP, a common DoS target). Each web page you load initiates 10s of connections. Imagine having to wait a couple of seconds for each connection to go through. Suddenly, the 1.2sec it takes to load a page like /. now will take 30sec; probably worse than dialup.

          That's why you'll use HTTP 1.1. It lets you request more than one item without closing connection inbetween (the so-called "keepalive" option in the HTTP reque

    • Re:Umm (Score:5, Informative)

      by nova20 (524082) on Wednesday August 18, 2004 @10:26AM (#10001989) Homepage Journal
      Can someone explain the concept behind this in a little uhh easier terms.

      Here's how I understand it:

      Imagine you have to do a research paper. Though it takes a long time to write this research paper, what you turn in to your professor is (relatively) quickly checked. The paper itself is like a POW token -- It proves that you did the work without you having to redo the work while the teacher is watching.

      -nova20
      • Re:Umm (Score:2, Funny)

        by LoudMusic (199347)
        It proves that you did the work without you having to redo the work while the teacher is watching.

        So in other words we'll have a site in a couple years that has a bunch of POW tokens we can download, change the name, and turn it in as our own? (:
        • Re:Umm (Score:4, Insightful)

          by masoncooper (443243) on Wednesday August 18, 2004 @11:09AM (#10002555)
          I know you meant to be funny but in a sense, you're right. These reusable tokens can be, well, reused. So if someone were to send you an email with a token, you could use that token(or token based on the previous token) to send an email out without having to create a new token. Since spammers are primarily outbound senders they wouldn't accumulate the tokens that a normal corporation would with frequent two-way communication. In effect, this is a lot like currency.
          • Reusable Tokens (Score:3, Interesting)

            by cbr2702 (750255)
            If I recieve a token from someone else, can I copy it and attach it to multiple messages? If so, what's to stop spammers from calculating one token and attaching it to a large number of messages?
  • A hashcach POW token?

    What does this server "serve" exactly?

    I'm not sure submitters know quite what "article summary" means.
    • Isn't it obvious? (Score:5, Informative)

      by BubbaThePirate (805480) on Wednesday August 18, 2004 @10:21AM (#10001916)
      A POW token is something that takes a relatively long time to compute but which can be slashdotted quickly.

      But seriously, the server went down after two replies, but not before I managed to get this:

      [Read this instead adding a load to a battered server]

      "Overview

      The RPOW server is designed to provide security and reliability through an unprecedented degree of visibility and transparency in its operations. For the first time it will be possible for any user of the system, anywhere in the world, to know what code is running on the server and to inspect that code for loopholes or back doors. I have done my best to make this system secure even against my efforts as the owner, operator and designer of the system to compromise its operations. I welcome public scrutiny of the code and of the design.

      The RPOW system represents a new kind of security model, and is therefore unusually challenging to present and to review. RPOW combines an exceptional degree of physical security with an unprecedented level of transparency and visibility into the workings of the RPOW server. This combination implements the design goal of RPOW as a "Transparent Server", a system whose security properties can be analyzed and evaluated from any system on the internet.

      In operation, the RPOW system consists of three parts: the server, the host process, and the client library with its associated demo driver. We will consider each part in turn. "

      and this

      "RPOW FAQs

      Questions

      1. What is the RPOW system?
      2. How is RPOW pronounced?
      3. How do I know the RPOW system is secure?
      4. What is the difference between RPOW and Hashcash?
      5. What is the difference between RPOW and Ecash?
      6. What are some possible applications of the RPOW system?
      7. How fast is the server?
      8. If RPOW becomes popular, how could one server handle all the users?
      9. Won't Moore's Law mean that tokens lose their value over time?
      10. Why can't users pass RPOW tokens to each other without using a server?
      11. Won't the RPOW server run out of disk space if it keeps track of all tokens it has ever seen?
      12. Are you going to make changes to the RPOW system?
      13. Why did you choose the IBM4758 Secure Cryptographic Coprocessor as the platform for the RPOW server?
      14. Wasn't the IBM 4758 security broken a few years ago?

      Answers

      1. The RPOW system has three parts: client, host, and server. The client is a software library (plus a simple command-line driver for demonstration purposes) to allow generation and exchange of RPOW tokens. The host software runs on the PC which has the IBM 4758 cryptographic coprocessor card plugged into it. It acts as an intermediary, listening for connections from the net and passing data between client and server. It also assists the server with certain operations. The server runs on the IBM 4758 card and performs the secure cryptographic operations which implement the RPOW system.

      2. RPOW is pronounced are-pow.

      3. The security of the RPOW system ultimately depends on its design and its implementation. For the design, see the theory and security pages. For the implementation, see the source code available from the download page. The unique properties of the RPOW system design allow you to remotely verify that the program generated from the source code you download here is what is actually running on the RPOW server. If the design and implementation are sound, and that program is what is running on the server, you have a foundation for trust in the security of the system.

      4. RPOW uses hashcash for its proof of work (POW) tokens. Hashcash tokens are evidence that a certain substantial amount of computer effort was expended to create them. RPOW allows hashcash tokens to be exchanged for RPOW tokens of an equivalent value, which can then be further exchanged for new RPOW tokens. The effect is similar to being able to pass

      • So basically, this serves up encrypted blobs of crap that have no meaning other than you can assume the server spent a little time encrypting up the blobs of crap..

        And a few mentions of what it "could" be used for, but of course it wont be.

        So basically we have another neat solution out in search of a problem. That explains the lack of any "what the fuck is it?" verbage in the article summary. It really isn't anything.
  • There is some excellent info on Hal here [tripod.com], here [cnn.com] and here. [stat-junkie.com]
  • by Anonymous Coward on Wednesday August 18, 2004 @10:15AM (#10001839)
    Hal's security model paper is well worth the read and his proof of concept code is available for download.

    "I'm sorry Dave, but I can't let you download that..."
  • by Davak (526912)
    Whoa...

    I need some ubergeek translation on this one. Is this a complicated, better method for verifying against known published source code?

    Davak
    • Re:Verify (Score:5, Interesting)

      by 3-State Bit (225583) on Wednesday August 18, 2004 @10:34AM (#10002103)
      No, I don't think so. The idea of proving you've done some work is that you have made an investment and so are not doing 100,000 such investments per second.

      However this probably doesn't work [cam.ac.uk] (PDF) [or as html [66.102.9.104]].

      Background (from that paper):
      It is often suggested that unsolicited bulk email ("spam") is such a problem on the Internet because the current economic framework for email handling does little to discourage it. If only, it is suggested, the senders of email could be made to pay for their messages. Spammers would then cease their indiscriminate distribution of messages and email volumes would reduce as the senders targeted more carefully or just gave up altogether. Nevertheless, almost no one (other than those hoping for a handling fee) thinks that using actual money is a good way to achieve this economic utopia and even the holders of patents for "e-money" systems have failed to generate any significant enthusiasm for their wares.

      However, there is an alternative to real-world money, which was first proposed by Dwork and Naor in 1992 [8]. Their idea was to have the sender of an email perform a complex computation as evidence that they believe that an email is worth receiving. The sender then proves to the recipient that this processing work has been completed and the email will then be accepted. The processing time is "free", so there is a minimal burden upon legitimate senders, but it is a finite resource, so that the spammers will not have unlimited amounts of processing time at their disposal and so cannot continue to send in bulk.
      • However this probably doesn't work

        That paper makes a couple glaring errors that significantly reduce my confidence in their results. The first is that it ignores whitelist systems that allow mailing lists to continue to function without needing to pay the price that spammers do: instead, they analyze only the trivial case where every email that is sent has a fixed cost to send. The second is that they assume that such a system has to be guaranteed to eliminate spam, while simply reducing it would be acc

      • There's nothing wrong with making back-of-the-envelope computations with numbers you pretty much pulled from your ass. However, this paper violates the custom of using numbers and assumptions that err against the point you're trying to make, rather than for it.

        Assuming that a hash-cash or other POW system is only useful if, working alone, it reduces the spam in your inbox from ~50% to ~0.1%, that the average machine sends 75 legitimate unsolicited mails (that is, non-spam mails to people outside your orga
      • by pla (258480)
        Unfortunately, real-world data from a large ISP shows that these difficulty levels would mean that significant numbers of senders of legitimate email would be unable to continue their current levels of activity.

        Translation - Ignoring actual content, mailing lists look very much like spam, and approaches to spam that make sending email "expensive" would also impact mailing lists.

        Others have mentioned whitelisting, but I'll take the (IMO) bolder step of saying "Too Damn Bad". If it means I won't get a f
  • /.ed (Score:5, Funny)

    by Dibblah (645750) on Wednesday August 18, 2004 @10:15AM (#10001848)
    Okaaay... So it's a server that's *meant* to serve computationally expensive 'tokens'. And you post it on ./ . Niiice.
    • Yes, to *serve* the tokens. Not to compute the tokens- other people do that. It'll just give you work and check the incoming result, which is *not* computationally expensive.
  • by Anonymous Coward on Wednesday August 18, 2004 @10:16AM (#10001853)
    How about Proofs Of Not Working? Got plenty of those.
  • Cache (Score:5, Informative)

    by Klar (522420) * <curchin@gma[ ]com ['il.' in gap]> on Wednesday August 18, 2004 @10:17AM (#10001879) Homepage Journal
    Google Cache after slashdotting... http://www.google.ca/search?q=cache:YHGDB5MH4e0J:r pow.net/+&hl=en [google.ca]
    • Google Cache after slashdotting... http://www.google.ca/search?q=cache:YHGDB5MH4e0J:r pow.net/+&hl=en

      Shouldn't that be Google Cache after POWing?. Hey, couldn't resist after seing the acronym POW (Piece of Work) on the website once too often.

      Come to think of it, this could turn into a new saying. "You're a real POW aren't you?"
  • by grunt107 (739510) on Wednesday August 18, 2004 @10:18AM (#10001890)
    Given the inaccessibility of the site:
    RPOW/rMIA (break out the black flags w/web server silhouette)...
  • by Anonymous Coward on Wednesday August 18, 2004 @10:20AM (#10001907)
    Reusable Proofs of Work
    by Hal Finney
    (hal at finney dot org)
    What Is This? Theory Security Try It Out! FAQs Download

    The RPOW system provides for proof of work (POW) tokens to be reused. A POW token is something that takes a relatively long time to compute but which can be checked quickly. RPOW uses hashcash, which are values whose SHA-1 hashes have many high bits of zeros.

    Normally POW tokens can't be reused because that would allow them to be double-spent. But RPOW allows for a limited form of reuse: sequential reuse. This lets a POW token be used once, then exchanged for a new one, which can again be used once, then once more exchanged, etc. This approach makes POW tokens more practical for many purposes and allows the effective cost of a POW token to be raised while still allowing systems to use them effectively.
    Security

    This is useful functionality, but the unique feature of the RPOW system is its approach to security. RPOW is the first public implementation of a server designed to allow users throughout the world to verify its correctness and integrity in real time.

    Based on principles similar to those proposed for so-called "Trusted Computing", RPOW allows third parties to dynamically and remotely verify what program is running on the RPOW server. The RPOW server is implemented on a high-quality secure processor, the IBM 4758 PCI Cryptographic Coprocessor, which has been validated to the highest level of security publicly available, FIPS-140 level 4. The 4758 is a self-contained single-board computer which has its own device key, generated on-board, which never leaves the card. That key can issue cryptographically signed attestations which describe the software configuration running on the card, including the SHA-1 hash of the application program.

    The source code to the RPOW server is available from the download page. Using publicly available tools, anyone can build from this source code a memory image identical to that running on the RPOW server. If the SHA-1 hash of this file matches that being reported by the 4758 device key, the user can conclude that the supplied source code is what is actually running on the 4758. By inspecting the source code he can then make sure there are no "back doors" or loopholes that would allow the owner/operator or designer of the system to defeat its security, for example by creating RPOW tokens without doing the required work.

    Allowing clients to dynamically validate the security of a server turns the concept of Trusted Computing on its head. Rather than a threat to individual privacy, the technology becomes a boon to privacy and an empowering force for end users on the net.
    Applications

    Security researcher Nick Szabo has coined the term bit gold for information objects which are provably costly to create. He suggests that these could even serve as the foundation for a sort of payment system, playing the role in the informational world of gold in the physical world. RPOW would facilitate the use of POW tokens as a form of bit gold by allowing the tokens to be passed and exchanged from person to person.

    POW tokens have been proposed as a form of pseudo-payment in several applications. One example is email. An email message containing a POW token would be relatively costly to send in terms of computing power. A POW token could then be a sign that the message was not spam.

    Using RPOW tokens for email would have advantages, as people could then reuse tokens from incoming email in outgoing email. Spammers will have no such advantages since almost all of their email is outgoing. Reuse allows the cost of the POW token to be much higher since most people won't have to generate them, making the system more effective as an anti spam measure.
    Transparent Servers
    The RPOW system is just the first of what are planned as a series of systems which use this approach, which I call Transparent Servers. Such systems publish their source code for review and inspection, and use Trus
  • RPOW.net Home [truman.edu]

    FAQ and "What is this?" links also included...

  • HERE [hnsg.net].


    NOTE: Only the source code is mirrored, site is way too slow to mirror the rest!
  • by Anonymous Coward
    Doesn't this really defeat the purpose of computationally expensive tokens? Couldn't a hacker break into the cache and steal a large number of pre-calculated POW tokens which would otherwise be impossible?
  • by diagnosis (38691) on Wednesday August 18, 2004 @10:26AM (#10001992) Homepage
    From the web sites:

    The RPOW system provides for proof of work (POW) tokens to be reused. A POW token is something that takes a relatively long time to compute but which can be checked quickly. RPOW uses hashcash, which are values whose SHA-1 hashes have many high bits of zeros.

    Possible uses for RPOW include anti-spam tokens, "play money" for use in online games and fun bets, an aid to load balancing in P2P and file-exchange systems, and more. Any system which would benefit from a form of token which can be cheaply passed from user to user, but which is expensive to create, might want to look into RPOW.


    It's not clear to me that there is an obvious and immediate equivalent for RPOWs in existence. I'd be interested in hearing what people think this would be good for. It generally seems useful for making sure people do x amount of work before they are allowed to perform a task, but what can that be used for?

    ---------------------
    Freedom or Evil: Freevil.net [freevil.net]
    G. W. Bush says, "You decide!"
  • by JaredOfEuropa (526365) on Wednesday August 18, 2004 @10:28AM (#10002024) Journal
    For those asking what on earth (R)POW tokens are, here's one possible application (from rpow.com):
    POW tokens have been proposed as a form of pseudo-payment in several applications. One example is email. An email message containing a POW token would be relatively costly to send in terms of computing power. A POW token could then be a sign that the message was not spam.


    Using RPOW tokens for email would have advantages, as people could then reuse tokens from incoming email in outgoing email. Spammers will have no such advantages since almost all of their email is outgoing. Reuse allows the cost of the POW token to be much higher since most people won't have to generate them, making the system more effective as an anti spam measure.
    An interesting scheme...

    One potential problem I see with such an anti-spam measure is that I keep hearing about spam runs being done from many regular users' computers by means of a spamming worm infrection. Such a worm could also be adapted to generate the POW tokens... or even steal them from the users' incoming email and re-use them under this scheme! That'll be just great, having your computer not only hijacked to send out spam, but loaded down with the heavy burden of generating POW tokens.
    • Although if spammers did use zombied computers, maybe the owners of the infected PCs would know something was wrong when their computer was runnning so slow they couldn't do anything. Right now, these computers can send out tons of emails without significantly hitting its performance. This is key, because if the computer becomes unusable, it will soon not be available for spamming when the user takes it to the shop. Maybe the central server could even put a limit to new keys per hour per IP to limit RPOW
    • This reminds me of Seti@Home [berkeley.edu] workunits, each one takes several hours to generate and and then you send the results back to Berkeley where they have some magic to make sure you don't get credit for the same work twice.

      Someone even wrote a virus that would install Seti@Home on zombie computers that would run the CLI version in the background and upload workunits to be credited to whoever the hijacker designated. If the zombie owner never checked his background tasks, he probably just thought his ISP wa

  • "Hal Finney is inviting folks to test drive his new hashcash-based server rpow.net. "
    Sure, if by "test drive" you mean /.
  • Based on principles similar to those proposed for so-called "Trusted Computing", RPOW allows third parties to dynamically and remotely verify what program is running on the RPOW server. The RPOW server is implemented on a high-quality secure processor, the IBM 4758 PCI Cryptographic Coprocessor, which has been validated to the highest level of security publicly available, FIPS-140 level 4. The 4758 is a self-contained single-board computer which has its own device key, generated on-board, which never leave

    • Easy.

      IBM releases the public key that corresponds to a private key stored on the card, the so called device key. The usual encode message with pub key, give to device, get decoded message back. Nothing will be able to perform this validation without the private key.

      The only snag in this is if the hardware can be fooled with to extract the key, and though I really dont know anything about hacking hardare, I can't imagine that a high level security validation is given to a piece of hardware that easily give
  • by eufreka (793009) on Wednesday August 18, 2004 @10:36AM (#10002127)
    Until now, I always thought that "hashcash" was only related to Repeated Puffs of Weed (RPOWs).

    And although the process of exchanging "toke'ns" was highly "cryptographic", ultimately not a lot of work got done...

    Anyway, I got confused there for a minute, but I am better now. This might help others:

    From http://www.hashcash.org/ [hashcash.org]

    Hashcash is a denial-of-service counter measure tool. Its main current use is to help hashcash users avoid losing email due to content based and blacklist based anti-spam systems. A hashcash stamp constitutes a proof-of-work which takes a parameterizable amount of work to compute for the sender. The recipient can verify received hashcash stamps efficiently.
    Rock on!
  • Zombie farms (Score:5, Interesting)

    by Bronster (13157) <slashdot@brong.net> on Wednesday August 18, 2004 @10:36AM (#10002130) Homepage
    What a crock of a system. Let's see:

    a) to be useful for anything involving third parties where you don't already have a trust relationship, this would need to be common/easy enough to get that other people already have software to support these things. That's not going to happen any time soon - it's a big enough change you may as well come up with an already secure email infrastructure [insert boilerplate "why your solution to spam is stupid" here].

    b) 8 tokens per second? Puhleaze. I get that many emails through just one small server with 5 domains on it.

    c) as the subject says. Zombies. In a world where thousands of low TC0 machines are sitting around running malware, it's piss-easy for the blackhat spammers to collect their 8 tokens/second by running POWer@home on their zombie farm.

    BZZZZt. Strike three and you're out. Nice idea, but not practical.
  • Calibration issues (Score:4, Insightful)

    by markh1967 (315861) on Wednesday August 18, 2004 @10:39AM (#10002166)
    I'm not sure how well this technique would work in the real world when you have a huge range of systems trying to connect to you. If you set the number of bits in the token so a fast Pentium 4 based system will take two seconds to compute it how many hours would it take a 386, palm-pilot, or Internet enabled phone? Conversely, if you set the number of bits low so that slow systems can compute them in reasonable time then someone with a much faster computer will not be slowed by any noticeable rate and the system becomes useless. If this system is taken up surely it will do more to discriminate against people without state-of-the-art hardware. Surfing is annoying enough on a very slow machine without having to wait for 30 minutes to compute the RPOW before the site will let you connct.
    • That's exactlty what the reusable proof of work tokens are supposed to solve. Who cares if it takes you an hour make a token if is was generated three months ago while your (or someone else's) computer was pretty much idle while you sat there reading something on the screen? You can generate them in advance once, then pass them around. If it's used for email then every time you receive such an email you'd receive a token you can use on the next email you send.

      -
  • Why have the server send a challenge to sign at all? Surely the MUA (mail client) could just add an x-header-expensive-hash-of-this-mail

    to *every* mail that goes out, which would be wildly different for each mail beacuse the email address would change.

    Same concept, but would work with current mail clients/servers and could tell the server/mail client at the other end that the server really wants you to get this..

    Anyone know why this wouldn't work?
    • Because it would be computationally expensive to check the validity of the hash on the receiving end.

      It's a one way proof of work, not bi-directional make-work. What do you think this is, a government job? :D
      • There's an issue with including the hash of the document in the hash itself, but if you fix that it's only hard on the sending end. There's no need to use the entire message as the challenge, just concatenate today's date to the destination address:

        target: "18102004-foo@bar.com"
        sha1(target string): "a766a602b65cffe773bcf25826b322b3d01b1a97"
        (clie n t works trying to break the hash)
        solution: "2684ef53"
        sha1(solution): "a766a60e3e3b4b7f53fe376224c08e47e959b2bc"

        so the client has a 28-bit hash collision (a fair
  • by vile8 (796820) on Wednesday August 18, 2004 @10:49AM (#10002293) Homepage
    Great, I was just complaining the other day that my computer is a lazy, good for nothing document editor. Here I sit with 3ghz and a gig of ram and nothing to actually process other than ps streams.

    Since its based on working your computers resources perhaps other names could possibly be "RPOW by Jake"? Or "RPOW's of steel"?

    Seriously, what happens next year when its not computationally expensive to compute the tokens? Ew, or what if you are a clever spammer with a degree in electrical engineering and the time to make your own token generating card to sell to all the other spammers on ebay for a small fortune (or you could prove it works by spamming them with advertisements...)?

    Well, its always good to have another device to keep honest folks honest I guess.

  • Apparently, RPOWs are a way of throttling down incoming requests by forcing them to solve a time-consuming puzzle. You would want to do this to mitigate DOS attacks.

    Here's the question for those who know more, i.e., anyone who knows anything about this. Won't this necessarily and dramatically increase request time? It should impose no (significant) additional load on the server, but won't this mean that requests take x*response time to begin?
  • Russian Black Market (Score:2, Informative)

    by Sv-Manowar (772313)
    so when will a black market pop up for cracked ones ;)
  • by kanweg (771128) on Wednesday August 18, 2004 @10:59AM (#10002432)
    Now, if this concept of having the sender do something is changed into having the sender do useful (Folding at home or another distributed computing project), it would be a nice twist.

    Bert
  • by Albanach (527650) on Wednesday August 18, 2004 @11:00AM (#10002441) Homepage
    Spammers don't send spam, unpatched windows boxes do. Loads of folk here must be getting calls form folk saying "my net connection's slow" you take a look and the machine is infested.

    All this means is that, as well as the net connection being slow, the processor will be running overtime calculating the checksums. The spammers will send as many emails as ever.

    SPF has to be one of the easiest measures we can take to reduce spam. Spamassassin is about to hit 3.0 RC1 and many more of us will be able to easily associate scores with SPF records. As soon as mail has to originate from the correct domain we get better spam checking and a paper trail for the authorities to follow. If you don't have SPF records for your domain, head on over here [pobox.com] or here [infinitepenguins.net] and set them up.

    • SPF has to be one of the easiest measures we can take to reduce spam.

      Yeah, except that it was never intended for that purpose, and doesn't have any features to do anything to prevent spam. But other than those two minor points, it's perfect.
    • All this means is that, as well as the net connection being slow, the processor will be running overtime calculating the checksums. The spammers will send as many emails as ever.

      Wrong. The processor will certainlty be bogged down generating tokens, but the net connection will be wide open if it can only generate one token and send one spam every 4 or 5 minutes.

      And no, even 10 minutes wouldn't be a problem for normal email users. The very first time you launch your mail program it can start generating a t
      • Let's follow this logic for a mailing list... let's call it LKML, just to pick a random name.

        Now, I send mail to LKML. The protocol can work one of two ways: 1) use my token in the 50,000 messages taht are sent out 2) generate its own token for all 50,000 messages 3) generate a unique token for each of 50,000 messages.

        Plan 1 is abusable thusly: a) spammer has "token machine" which generates the spam b) spammer has "mailing list" machine which disperses the mail to thousands of hapless end-users.

        Plan 2 is
        • mailing list

          Any non-moderated list like that is going to be tough to secure.

          The protocol can work one of two ways: 1) 2) 3)

          Two ways, 123? Chuckle.

          Actually 4) anyone who signs up for a mailing list should be white-filtering it. No need for 50,000 tokens. And when someone signs up for such a list you request a really expensive token. Maybe someone even needs to leave their computer running overnight to sign up.

          Someone can still attack the list with a number of machines, but you always has that risk. A
  • Instead, require that someone complete a seti@home, folding@home, distributed encryption cracking, or similar work unit before they can send you an email. That way at least the CPU power is going somewhere worthy instead of just being a waste of electricity.
  • That's one thing about RPOW and hashcash that strikes me just a little off. All of this 'work' that we're paying with is just useless busy-work. It's worthless calculation, they're just measuring our willingness to waste our computer's time in order to send them an email.

    How about if:

    They team up with SETI@home, folding@home, and the like. When you turn in a work unit, they have a secure arrangement with some sort of postage stamp server, and you get sent the stamp. This only makes sense with a central st
  • by PetiePooo (606423) on Wednesday August 18, 2004 @12:24PM (#10003482)
    From the article:
    The RPOW server is running on a high-security processor card, the IBM 4758 Secure Cryptographic Coprocessor, validated to FIPS-140 level 4. ... Please keep in mind that if there are problems I may need to reload the server code, which will invalidate any RPOW tokens which people have previously created.

    So, in other words, it passes out little tokens that are worth something ... but just until the server is taken out.

    Ok, so its running FIPS-certified code on FIPS-certified hardware. Still, how sure can you be that it will keep running 24/365 for years on end? If that private key is needed for proof of authenticity, and that key never leaves the board, that makes it, among other things, one heckuva terrorist target.

UFOs are for real: the Air Force doesn't exist.

Working...