[cryptography] Asynchronous forward secrecy encryption

Michael Rogers michael at briarproject.org
Thu Oct 3 11:19:17 EDT 2013


On 30/09/13 23:40, Trevor Perrin wrote:
> It'd be nice if Alice and Carol could use some additional,
> out-of-band channel to authenticate the ephemeral DH exchange.

To fill in some background: the use case for this feature is
introducing two people who aren't face-to-face right now and don't
share an authenticated channel, but who each share a confidential and
authenticated channel with a third party.

Users aren't assumed to know which channels are confidential or
authenticated, so we shouldn't create any opportunities for mistakes
in that regard. I think that rules out PAKE.

> Best I can think of are short auth strings (SAS), public-key
> fingerprints (if you added long-term "identity keys"), and PAKE.
> The tradeoffs are something like:
> * Key fingerprints and SAS are non-secret (unlike PAKE passwords)
> * SAS and PAKE can use short strings of several chars (unlike
> fingerprints)
> * Fingerprints can be exchanged before *or* after the ephemeral DH
> handshake (unlike PAKE passwords or SAS)
> * Fingerprints can be confirmed with 3rd parties or public records
> (unlike PAKE passwords or SAS)
> * Fingerprints and PAKE can be compatible with a single, unordered
> handshake exchange of ephemeral DH values, unlike SAS

Thanks, this is a really useful comparison.

Perhaps we can combine some of the advantages of fingerprints and SAS:

* The introducees exchange single-use public keys, signed with their
long-term private keys, via the introducer
* The introducees derive a shared secret, destroy their single-use
private keys, and start key rotation
* The introducees exchange acks via the introducer
* The introducees can optionally obtain each other's long-term public
keys from other third parties, before or after the introduction
* If the introducees meet face-to-face, they can confirm each other's
long-term public keys using SAS:
  - The users verbally exchange short codes to enable their devices to
find each other over a short-range transport such as wifi
  - The devices exchange hash commitments and ephemeral public keys
  - The users verbally exchange short authentication strings
  - If the strings match, the devices derive symmetric encryption and
authentication keys from the ephemeral shared secret
  - Within the ephemeral secure channel, the devices exchange
long-term public keys and a value derived from the current temporary
secret, signed with their long-term private keys, as verification that
they own those keys and have the same shared secret
* Nobody signs anything that proves who their contacts are

Any thoughts on cryptographic or usability aspects?
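
The face-to-face confirmation steps from the message above (commitment, ephemeral keys, SAS comparison, key derivation, and the in-channel exchange of long-term keys plus a signed value derived from the current temporary secret), worked through as an added example. This is not Briar's code and not from the original post. It assumes one concrete message order that the post does not spell out: the initiator commits to its ephemeral key, the responder sends its key only after seeing the commitment, then the initiator reveals. The group (1024-bit MODP group 2 from RFC 2409), the Schnorr signature used for the long-term keys, the HKDF labels, the six-digit SAS length, and the names Device, face_to_face and relay are all choices made here for a self-contained block; the temporary secret bytes are constructed. The relay hook models an active attacker on the wifi link.

```python
import hashlib
import hmac
import secrets

# Added example, not Briar's code. Group: 1024-bit MODP group 2 from RFC 2409, inlined
# because it is short; too small for real use (use X25519 or a 2048-bit group). p is a
# safe prime, so g = 2 generates the prime-order subgroup of size q = (p-1)/2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)
Q, G, PLEN = (P - 1) // 2, 2, 128

def i2b(n): return n.to_bytes(PLEN, "big")
def b2i(b): return int.from_bytes(b, "big")

def hkdf(ikm, info):
    """HKDF-SHA256 (RFC 5869) with empty salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def keygen():
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)

def valid_pub(y): return 1 < y < P and pow(y, Q, P) == 1

def dh(priv, peer_pub):
    if not valid_pub(peer_pub): raise ValueError("public key not in the prime-order subgroup")
    return i2b(pow(peer_pub, priv, P))

def sign(priv, pub, msg):
    """Schnorr signature in the same group: e = H(r || pub || msg) mod q, s = k - priv*e."""
    k = secrets.randbelow(Q - 1) + 1
    e = b2i(hashlib.sha256(i2b(pow(G, k, P)) + i2b(pub) + msg).digest()) % Q
    return e, (k - priv * e) % Q

def verify(pub, msg, sig):
    e, s = sig
    if not valid_pub(pub) or not 0 <= s < Q: return False
    r = pow(G, s, P) * pow(pub, e, P) % P          # equals g^k when the signature is genuine
    return e == b2i(hashlib.sha256(i2b(r) + i2b(pub) + msg).digest()) % Q

def commit(eph_pub): return hashlib.sha256(b"commit" + i2b(eph_pub)).digest()

def sas(initiator_pub, responder_pub):
    """Six-digit short authentication string over both ephemeral keys, read aloud by the users."""
    d = hashlib.sha256(b"sas" + i2b(initiator_pub) + i2b(responder_pub)).digest()
    return "%06d" % (b2i(d[:4]) % 1_000_000)

class Device:
    def __init__(self, temp_secret):
        self.lt_priv, self.lt_pub = keygen()       # long-term identity key
        self.eph_priv, self.eph_pub = keygen()     # single-use key for this face-to-face session
        self.temp_secret = temp_secret             # current rotating secret from the introduction
        self.enc_key = self.mac_key = None

    def derive_channel(self, peer_eph_pub, transcript):
        ss = dh(self.eph_priv, peer_eph_pub)
        self.enc_key = hkdf(ss, b"enc" + transcript)  # a real channel would AEAD-encrypt under this
        self.mac_key = hkdf(ss, b"mac" + transcript)

    def verification_message(self):
        """Long-term pub + value derived from the temporary secret, signed, then MACed for the channel."""
        signed = i2b(self.lt_pub) + hkdf(self.temp_secret, b"sas-verify")
        e, s = sign(self.lt_priv, self.lt_pub, signed)
        body = signed + i2b(e) + i2b(s)
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def check_verification(self, blob):
        """Return the peer's long-term public key if everything checks out, else None."""
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, body, hashlib.sha256).digest()): return None
        peer_pub, proof = b2i(body[:PLEN]), body[PLEN:PLEN + 32]
        sig = (b2i(body[PLEN + 32:2 * PLEN + 32]), b2i(body[2 * PLEN + 32:]))
        if peer_pub == self.lt_pub or not verify(peer_pub, body[:PLEN + 32], sig): return None
        if not hmac.compare_digest(proof, hkdf(self.temp_secret, b"sas-verify")): return None
        return peer_pub

def face_to_face(alice, bob, relay=lambda msg_id, payload: payload):
    """alice initiates over the short-range link; `relay` lets a caller model an attacker on it."""
    commit_seen_by_bob = relay("commit", commit(alice.eph_pub))  # 1. commit before seeing bob's key
    bob_pub_seen_by_alice = relay("responder_key", bob.eph_pub)   # 2. bob answers only after the commit
    alice_pub_seen_by_bob = relay("reveal", alice.eph_pub)        # 3. alice reveals; bob checks it
    if commit(alice_pub_seen_by_bob) != commit_seen_by_bob:
        return {"error": "reveal does not match commitment"}
    sas_alice = sas(alice.eph_pub, bob_pub_seen_by_alice)         # 4. both users read their SAS aloud
    sas_bob = sas(alice_pub_seen_by_bob, bob.eph_pub)
    if sas_alice != sas_bob:
        return {"error": "SAS mismatch", "sas": (sas_alice, sas_bob)}
    alice.derive_channel(bob_pub_seen_by_alice, i2b(alice.eph_pub) + i2b(bob_pub_seen_by_alice))
    bob.derive_channel(alice_pub_seen_by_bob, i2b(alice_pub_seen_by_bob) + i2b(bob.eph_pub))
    return {"sas": sas_alice,                                     # 5. verification inside the channel
            "alice_learned": alice.check_verification(bob.verification_message()),
            "bob_learned": bob.check_verification(alice.verification_message())}
```

Two things the ordering buys, which the bullet list leaves implicit: because the responder's key is released only after the initiator's commitment, neither side (nor a man in the middle standing in for a side) can pick its ephemeral key after seeing the other's, so a six-digit SAS cannot be ground to a match; and because the in-channel proof is keyed by the temporary secret from the introduction, two people who were introduced through different paths (and so hold different secrets) will pass the SAS step yet fail the final check, which is the "same shared secret" property the post asks the signed value to establish.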


