Subject: Re: IRC & Host Masks...
From: Gé Weijers (ge@progressive-systems.com)
Date: Tue Aug 22 2000 - 10:36:09 CDT


On Thu, Aug 17, 2000 at 06:55:34PM -0500, Joseph Ashwood wrote:
> That's an easy one. Take the "normal" e-mail address, run it through
> SHA-1, and voilà, you have an almost certainly unique identifier that
> is currently believed to be excessively difficult to invert. Take that
> identifier, convert it to hex and create an anonymous e-mail address
> like:
> 0123456789ABCDEF0123456789ABCDEF01234567@anon-whatever.com
> Unfortunately they really will be that long, so you may want to
> sacrifice a bit of collision resistance and truncate it.
> If you want to be able to reverse the process instead, that's quite a
> bit more difficult. You may want to have users register for an address
> and link it to a specific "anonymous" address, or maintain a database
> of addresses, simply linking 012345678.........4567 to
> John_Does_82nd_cousin@idiot.edu. You would only have to perform
> lookups in the database when you receive an e-mail for an anonymous
> account. You could also require registration for reversibility, to
> further protect the people. Just some ideas.
> Joe

You may want to use HMAC with a secret key instead of SHA, because by
using a plain SHA everybody can verify whether
0123456789ABCDEF0123456789ABCDEF01234567@anon-whatever.com is really
joe-blotz@spamwizards.net if they have a suspicion. You could also
quickly verify whether the anonymous account maps to any of the
200,000,000 e-mail addresses you collected using your spiffy Carnivore
box.


-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
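The difference between the two schemes discussed in this thread, as an added example that is not part of the original messages: an unkeyed SHA-1 alias can be checked by anyone holding a list of candidate addresses, while an HMAC alias cannot be recomputed without the remailer's key, and the remailer reverses it by table lookup rather than by inverting the hash. All addresses, the harvested list and the key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample data for the demonstration; none of these are real mailboxes.
PSEUDONYM_DOMAIN = "anon-whatever.com"
REAL_ADDRESS = "joe-blotz@spamwizards.net"
# The list an outsider already holds (the "collected addresses" in the thread).
HARVESTED = ["alice@example.org", "joe-blotz@spamwizards.net", "bob@example.net"]
# Secret held only by the remailer; constructed here, never hard-coded in practice.
REMAILER_KEY = b"constructed-demo-key-do-not-reuse"


def plain_sha1_alias(address: str) -> str:
    """Joe's scheme: hex SHA-1 of the real address becomes the local part.
    Anyone can recompute this, so a suspected mapping is checkable by outsiders."""
    digest = hashlib.sha1(address.encode("utf-8")).hexdigest().upper()
    return f"{digest}@{PSEUDONYM_DOMAIN}"


def hmac_alias(address: str, key: bytes) -> str:
    """Ge's suggestion: HMAC-SHA1 under a secret key. Without the key an
    outsider can neither recompute nor verify a candidate mapping."""
    digest = hmac.new(key, address.encode("utf-8"), hashlib.sha1).hexdigest().upper()
    return f"{digest}@{PSEUDONYM_DOMAIN}"


def unmask_by_dictionary(alias: str, candidates, alias_fn):
    """The check the reply warns about: recompute the alias for every
    candidate address and return the one that matches, or None."""
    for candidate in candidates:
        if hmac.compare_digest(alias_fn(candidate), alias):
            return candidate
    return None


def demo():
    # Plain SHA-1: recomputing over the harvested list unmasks Joe immediately.
    sha_alias = plain_sha1_alias(REAL_ADDRESS)
    unmasked_plain = unmask_by_dictionary(sha_alias, HARVESTED, plain_sha1_alias)
    # HMAC: an outsider can only try keys it guesses; the real key stays with the remailer.
    keyed_alias = hmac_alias(REAL_ADDRESS, REMAILER_KEY)
    unmasked_keyed = unmask_by_dictionary(
        keyed_alias, HARVESTED, lambda a: hmac_alias(a, b"outsider-guess"))
    # The remailer reverses by lookup table, as the thread proposes, not by inverting the hash.
    directory = {hmac_alias(a, REMAILER_KEY): a for a in HARVESTED}
    return unmasked_plain, unmasked_keyed, directory.get(keyed_alias)


if __name__ == "__main__":
    print(demo())
```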