← Back to context

Comment by echoangle

1 year ago

I don’t really understand how the protocol can ensure that the server can’t identify the client.

As far as I understand, the client sends some information A to the server, the server applies some private key X and returns the output B to the client, which then generates tokens C from the output.

If the server uses a different X for every user and then when verifying just checks the X of every user to see which one is valid, couldn’t the server know who created the token?

15 comments

echoangle

Reply
jerf  1 year ago

Here's a resource I found that walks through the ideas of the protocol, starting with simple implementations that have a problem, and then solving the problem one by one: https://privacypass.github.io/protocol/

I think that's the best conceptual overview of a crypto protocol I've ever seen.

  • dan353hehe  1 year ago

    That is an excellent explanation of how the protocol works. Thank you for bringing it to the discussion!

  • kayson  1 year ago

    I really love this style of explanation. There was another one I saw recently (OIDC, I think?) that I wish I'd bookmarked but I forgot to

stebalien  1 year ago

See section 5.5 of the linked paper https://petsymposium.org/popets/2018/popets-2018-0026.php. I'm not sure if/how Kagi implemented this, but the idea is that Kagi's "public" component can be committed to publicly (e.g., in the browser extension itself).

  • abound  1 year ago

    [I implemented this at Kagi]

    And you can validate this, if you try to issue a Privacy Pass search without a private token, you'll get a `WWW-Authenticate` header that kicks off the handshake, and that should be the same for all users for a given epoch (month). E.g.

        curl -v -H 'X-Kagi-PrivacyPass-Client: true' 'https://kagi.com/search?q=test'

    • echoangle  1 year ago

      But how do I validate that I’m actually getting the same value as everyone else? Is the value I should get published somewhere (in a verifiable and not editable way) so I can see that I’m not being tracked?

      Or does the extension validate this and the correct value is hardcoded in the extension like stebalien suggested?

      5 replies →

wasabi991011  1 year ago

In the simplest terms, the token generation process B->C is done with the user's private key. So even if the server knows A,X,B they can't link it to the token C.

  • echoangle  1 year ago

    But if the server is allowed to vary X, it can basically act like different servers to each client, and can then when given a token check for which server would have been valid. The solution I got from the other replies is to make sure that the server uses the same X for everyone by verifying it as a client.

    • faeranne  1 year ago

      It appears that the public side of X is sent as the first part of the handshake, without any login info yet, and can be verified as part of B, thus a varying X would be easy to detect... I think.