ABX Comparator, with digital signature in the log
Steve Forte Rio
post Feb 22 2011, 09:27
Post #1
Hello, and sorry for my bad English.

Recently I uploaded my ABX logs to one of the forums.
But people still don't trust me because the log is a simple text file with no signature and could be rewritten manually.

And I wonder: is there any ABX comparator (that works on Windows) which can sign the ABX results log so that it can then be verified?

This post has been edited by Steve Forte Rio: Feb 22 2011, 09:28
probedb
post Feb 22 2011, 09:29
Post #2
It's probably not worth it, as the sort of people that aren't believing you will say you forged any signatures anyway. Some people just don't want to believe :)
Peter
post Feb 22 2011, 10:02
Post #3
foobar2000 developer
Even if you can write signatures confirming the results claimed in the log, you can still cheat by repeating the whole test until you get the results you want.
Steve Forte Rio
post Feb 22 2011, 10:22
Post #4
QUOTE (probedb @ Feb 22 2011, 06:29)
It's probably not worth it, as the sort of people that aren't believing you will say you forged any signatures anyway. Some people just don't want to believe :)


So then we could say that logs aren't needed either, if people trust you.
The rules of this forum say that an ABX log is necessary. But what sense does it make, when it can be forged in a couple of seconds?

Other options for fraud are much less likely.

We must understand that when a dispute arises between people, we need as much hard evidence as possible, and plain text is not the best way out here.

This post has been edited by Steve Forte Rio: Feb 22 2011, 10:47
dhromed
post Feb 22 2011, 11:49
Post #5
An ABX log provides a starting point for the reproducibility of the results. It's a call to action that says "Hey guys, I measured this. You give it a try as well and see what you find."

Also, don't post an ABX log without providing samples of the audio you used (if necessary), the properties of those samples, and if relevant, the conditions under which you conducted the experiment. If you don't, it's indeed exactly as pointless as just claiming you hear a difference.

And yes, you can forge the audio samples as well and lie about your experiment, but it's a lot more work, and the more reputable, experienced members of this forum are more likely to see through the deception.
PaJaRo
post Feb 22 2011, 12:21
Post #6
QUOTE (probedb @ Feb 22 2011, 09:29)
It's probably not worth it, as the sort of people that aren't believing you will say you forged any signatures anyway. Some people just don't want to believe :)

How can you forge PGP signatures?
benski
post Feb 22 2011, 18:41
Post #7
Winamp Developer
QUOTE (PaJaRo @ Feb 22 2011, 06:21)
QUOTE (probedb @ Feb 22 2011, 09:29)
It's probably not worth it, as the sort of people that aren't believing you will say you forged any signatures anyway. Some people just don't want to believe :)

How can you forge PGP signatures?


Because the private key will have to be embedded into the application and therefore is extractable.
pdq
post Feb 22 2011, 19:19
Post #8
A major purpose of posting ABX logs is that so many newcomers don't understand their results, so it gives us an opportunity to enlighten them.
Steve Forte Rio
post Feb 22 2011, 20:11
Post #9
But what about the case when I need to prove that I really hear the difference?

Note that not all people would think of such fraud methods as connecting an oscilloscope to the soundcard's output, forging PGP signatures, and other tricks. But anyone can rewrite a txt file.

So if we introduce the ability to add a signature, we'll achieve a significant reduction in the probability of log forging.

It is not too difficult, but effective. I think we should do it.
PaJaRo
post Feb 22 2011, 23:39
Post #10
QUOTE (benski @ Feb 22 2011, 18:41)
QUOTE (PaJaRo @ Feb 22 2011, 06:21)
QUOTE (probedb @ Feb 22 2011, 09:29)
It's probably not worth it, as the sort of people that aren't believing you will say you forged any signatures anyway. Some people just don't want to believe :)

How can you forge PGP signatures?


Because the private key will have to be embedded into the application and therefore is extractable.

The test can be client-server (i.e., via the web), and store the private key on the server.
googlebot
post Feb 22 2011, 23:53
Post #11
QUOTE (Steve Forte Rio @ Feb 22 2011, 20:11)
I think we should do it.


Nice, when will you start coding?
googlebot
post Feb 22 2011, 23:57
Post #12
QUOTE (PaJaRo @ Feb 22 2011, 23:39)
The test can be client-server (ie, via web), store private key on server.


Great, now the key is on the server, which will happily sign anything that looks like an ABX result.
PaJaRo
post Feb 23 2011, 00:49
Post #13
QUOTE (googlebot @ Feb 22 2011, 23:57)
QUOTE (PaJaRo @ Feb 22 2011, 23:39)
The test can be client-server (i.e., via the web), and store the private key on the server.


Great, now the key is on the server, which will happily sign anything that looks like an ABX result.

The client sends your answers to the server, the server processes the answers and generates a GPG-signed result. Nothing wrong.

This post has been edited by PaJaRo: Feb 23 2011, 00:51
googlebot
post Feb 23 2011, 01:16
Post #14
How does the server know that what it signs is valid? A modified client can send fake results and it will happily sign them.

This post has been edited by googlebot: Feb 23 2011, 01:17
PaJaRo
post Feb 23 2011, 01:22
Post #15
{
Server sends audio to client and asks: is it A or is it B?;
Client: sends answer to server: it's A.
Server: check if its correct.
} repeat until n
Server generates report.
Server signs report.
Server sends signed report.
googlebot
post Feb 23 2011, 01:32
Post #16
{
Server sends audio to client and asks: is it A or is it B?;
FakeClient: detect if audio is identical to last received audio (trivial), display result, send answer to server.
Server: check if its correct.
} repeat until n
Server generates report.
Server signs report.
Server sends signed report.

This post has been edited by googlebot: Feb 23 2011, 01:41
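The two protocol sketches above (PaJaRo's server-driven ABX in post #15 and googlebot's FakeClient in post #16), run side by side as an added example; this is not code from the thread or from any ABX comparator. Everything in it is an assumption for illustration: the audio clips are byte strings standing in for decoded PCM, the server's "PGP signature" is modelled with an HMAC-SHA256 tag under a key only the server holds, and 16 trials are used. The point it shows is the one googlebot makes: the forged session's report carries a perfectly valid signature, because the attack never touches the key at all.

```python
"""Constructed model of a server-signed ABX session: honest guesser vs. FakeClient.

Assumptions (not from the thread): clips are random byte strings, the
server-side signature is an HMAC-SHA256 tag (stand-in for a PGP/GPG
signature with the private key kept on the server), TRIALS = 16.
"""
import hashlib
import hmac
import json
import secrets

TRIALS = 16

# Key that "lives on the server" in the proposed design; the client never sees it.
SERVER_SIGNING_KEY = secrets.token_bytes(32)


def make_clips():
    """Two constructed clips: B differs from A only in each byte's low bit,
    a change a listener may well not hear but a byte comparison exposes."""
    a = secrets.token_bytes(4096)
    b = bytes(x ^ 0x01 for x in a)
    return a, b


class ABXServer:
    """Holds the ground truth for each trial and signs the final report."""

    def __init__(self, trials=TRIALS):
        self.a, self.b = make_clips()
        self.trials = trials
        self.truth = []      # 'A' or 'B' per trial, known only to the server
        self.score = 0

    def challenge(self):
        """One trial: send A, B and X, where X is a copy of either A or B."""
        x_is_a = secrets.randbelow(2) == 0
        self.truth.append('A' if x_is_a else 'B')
        return self.a, self.b, (self.a if x_is_a else self.b)

    def answer(self, guess):
        """Score the client's answer against the hidden truth for this trial."""
        if guess == self.truth[-1]:
            self.score += 1

    def signed_report(self):
        """Canonical JSON report plus its tag (the thread's signed result)."""
        report = json.dumps(
            {"trials": self.trials, "correct": self.score}, sort_keys=True
        ).encode()
        tag = hmac.new(SERVER_SIGNING_KEY, report, hashlib.sha256).hexdigest()
        return report, tag


def verify_report(report, tag):
    """What a forum reader could check: is the tag valid under the server key?"""
    expected = hmac.new(SERVER_SIGNING_KEY, report, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def tamper(report, correct):
    """The OP's original worry: hand-edit the result text. The tag catches this."""
    data = json.loads(report)
    data["correct"] = correct
    return json.dumps(data, sort_keys=True).encode()


def honest_client(a, b, x):
    """A listener who genuinely cannot hear the difference: a coin flip."""
    return 'A' if secrets.randbelow(2) == 0 else 'B'


def fake_client(a, b, x):
    """googlebot's FakeClient: never plays the audio, just compares bytes."""
    return 'A' if x == a else 'B'


def run_session(client, trials=TRIALS):
    """Run a full session; return (correct, trials, report, tag)."""
    server = ABXServer(trials)
    for _ in range(trials):
        a, b, x = server.challenge()
        server.answer(client(a, b, x))
    report, tag = server.signed_report()
    return server.score, trials, report, tag


if __name__ == "__main__":
    for name, client in (("honest guesser", honest_client), ("FakeClient", fake_client)):
        correct, n, report, tag = run_session(client)
        print(f"{name}: {correct}/{n} correct, signature valid: {verify_report(report, tag)}")
    # Hand-editing the signed text is the one forgery the signature does detect.
    correct, n, report, tag = run_session(fake_client)
    print("edited report verifies:", verify_report(tamper(report, 0), tag))
```

The server signs whatever score the protocol produced, and `verify_report` returns True for both sessions; nothing in the signed report distinguishes a listener from a byte comparison. Swapping the HMAC for a real public-key signature would change none of this, since FakeClient only ever sees the audio, never the key.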
PaJaRo
post Feb 23 2011, 01:45
Post #17
Here, you are not talking about signing robustness or its possible use in this case. My reply was about that.
Now you are talking about another issue. Even if you use your fake client, you still don't know if it is A or B.
Last but not least: as the OP stated, it's trivial to edit a text file (which PGP prevents), but it's not that trivial to develop a fake client.
googlebot
post Feb 23 2011, 02:00
Post #18
Your proposed client/server solution does not add any security over an embedded key. The whole extra effort to have a server running 24/7 is pointless.

In my experience, faking a simple protocol would even be easier than extracting a key, when it is implemented with some thought.
PaJaRo
post Feb 23 2011, 02:28
Post #19
- The server doesn't need to be 24/7, it doesn't even need to be on the web. The client can run on the OP's computer and the server on the other guy's computer.
QUOTE (googlebot @ Feb 23 2011, 02:00)
Your proposed client/server solution does not add any security over an embedded key.

I've never stated that my solution adds security over an embedded key.
I only said that a PGP signature (if the private key is secure, i.e. on a secure server) is not possible to forge. You were the one saying it was not true and showing you don't understand how private/public key encryption or client/server apps work.
googlebot
post Feb 23 2011, 09:58
Post #20
QUOTE (PaJaRo @ Feb 23 2011, 02:28)
-The server doesn't need to be 24/7, it doesn't even need to be web. Client can run OP computer and server on the other guy's computer.


It doesn't matter where or how long it runs if there is no benefit.

QUOTE (PaJaRo @ Feb 23 2011, 02:28)
I've never stated that my solution adds security over an embedded key.


So it was senseless to mention it?

QUOTE (PaJaRo @ Feb 23 2011, 02:28)
I only said that pgp signature(if private key is secure, iein a secure server) is not possible to forge.


The challenge in cryptography isn't getting it right in theory, where sufficiently long private keys are expected (not proven) to be unrecoverable from public keys or signatures, but actual implementation. Over 99.9% of all breaches happen because of flaws wrt the latter. The solution, that you have proposed to prevent forgery by key extraction, does in practice allow forged signatures, and even quite easily.

QUOTE (PaJaRo @ Feb 23 2011, 02:28)
You were the one saying it was not true and showing you don't understand how private/public key encryption or client/server apps work


Please, read the thread again, and if you then still have an intense feeling of having been right the whole time - much louder than a few little snippets of reason that may (hopefully) have passed your mind briefly - please let me know, so that I don't waste my time on you again.

This post has been edited by googlebot: Feb 23 2011, 10:08
RonaldDumsfeld
post Feb 23 2011, 13:07
Post #21
With all due respect to the OP, this proposal is not only unnecessary, it's also possibly counterproductive.

Whatever someone claims to have 'proven' with his 'evidence' ought to be less significant than you having the ability to repeat the test and decide for yourself. That's how scientific progress is made, in any field of inquiry.

What's important is that the claimant provides the samples and methodology used so that the claim can be independently verified.