[cryptography] Asynchronous forward secrecy encryption

Michael Rogers michael at briarproject.org
Thu Oct 3 11:19:17 EDT 2013


On 30/09/13 23:40, Trevor Perrin wrote:
> It'd be nice if Alice and Carol could use some additional,
> out-of-band channel to authenticate the ephemeral DH exchange.

To fill in some background: the use case for this feature is
introducing two people who aren't face-to-face right now and don't
share an authenticated channel, but who each share a confidential and
authenticated channel with a third party.

Users aren't assumed to know which channels are confidential or
authenticated, so we shouldn't create any opportunities for mistakes
in that regard. I think that rules out PAKE.

> Best I can think of are short auth strings (SAS), public-key
> fingerprints (if you added long-term "identity keys"), and PAKE.
>
> The tradeoffs are something like:
> * Key fingerprints and SAS are non-secret (unlike PAKE passwords)
> * SAS and PAKE can use short strings of several chars (unlike
>   fingerprints)
> * Fingerprints can be exchanged before *or* after the ephemeral DH
>   handshake (unlike PAKE passwords or SAS)
> * Fingerprints can be confirmed with 3rd parties or public records
>   (unlike PAKE passwords or SAS)
> * Fingerprints and PAKE can be compatible with a single, unordered
>   handshake exchange of ephemeral DH values, unlike SAS

Thanks, this is a really useful comparison.

Perhaps we can combine some of the advantages of fingerprints and SAS:

* The introducees exchange single-use public keys, signed with their
long-term private keys, via the introducer
* The introducees derive a shared secret, destroy their single-use
private keys, and start key rotation
* The introducees exchange acks via the introducer
* The introducees can optionally obtain each other's long-term public
keys from other third parties, before or after the introduction
* If the introducees meet face-to-face, they can confirm each other's
long-term public keys using SAS:
  - The users verbally exchange short codes to enable their devices to
find each other over a short-range transport such as wifi
  - The devices exchange hash commitments and ephemeral public keys
  - The users verbally exchange short authentication strings
  - If the strings match, the devices derive symmetric encryption and
authentication keys from the ephemeral shared secret
  - Within the ephemeral secure channel, the devices exchange
long-term public keys and a value derived from the current temporary
secret, signed with their long-term private keys, as verification that
they own those keys and have the same shared secret
* Nobody signs anything that proves who their contacts are

Any thoughts on cryptographic or usability aspects?

Cheers,
Michael
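The introduction sketched in the first bullets of the message above (single-use public keys signed with long-term keys, relayed by the introducer; shared secret derived; single-use private keys destroyed; key rotation started), as an added example in Go that is not part of this message or of Briar's own code. The signing label, the HMAC-SHA256 rotation KDF and the X25519/Ed25519 choice are assumptions; the ack exchange and the face-to-face SAS step are not shown.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Introducee holds a long-term signing key and, only briefly, a single-use DH key.
type Introducee struct {
	Identity  ed25519.PrivateKey
	singleUse *ecdh.PrivateKey // destroyed as soon as the shared secret is derived
}
// Bundle is what the introducer relays: a single-use public key signed by the long-term key.
type Bundle struct {
	IdentityPub       ed25519.PublicKey
	SingleUsePub, Sig []byte
}
// signLabel is a hypothetical domain-separation prefix, not a constant from Briar.
const signLabel = "intro-single-use-key:"

// Offer creates a fresh single-use X25519 key and signs its public half with the long-term key.
func (i *Introducee) Offer() Bundle {
	i.singleUse, _ = ecdh.X25519().GenerateKey(rand.Reader)
	pub := i.singleUse.PublicKey().Bytes()
	sig := ed25519.Sign(i.Identity, append([]byte(signLabel), pub...))
	return Bundle{IdentityPub: i.Identity.Public().(ed25519.PublicKey), SingleUsePub: pub, Sig: sig}
}

// Accept verifies the peer's signature, derives the root key and destroys the single-use private key,
// so a relaying introducer that swaps in its own DH key is detected and a key is never used twice.
func (i *Introducee) Accept(peer Bundle) ([]byte, error) {
	if i.singleUse == nil { return nil, errors.New("single-use key already consumed") }
	if !ed25519.Verify(peer.IdentityPub, append([]byte(signLabel), peer.SingleUsePub...), peer.Sig) {
		return nil, errors.New("single-use key is not signed by the claimed long-term key")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.SingleUsePub)
	if err != nil { return nil, err }
	secret, err := i.singleUse.ECDH(peerPub)
	i.singleUse = nil // drop it: earlier secrets can no longer be reconstructed from this device
	if err != nil { return nil, err }
	return Rotate(secret, "root"), nil
}

// Rotate derives the next key in the chain; the caller discards the previous one.
func Rotate(key []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	return m.Sum(nil)
}
```

The signature only binds the single-use key to a long-term key; whether that long-term key really belongs to the other person is what the later third-party or SAS confirmation establishes.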
