[cryptography] Asynchronous forward secrecy encryption

Michael Rogers michael at briarproject.org
Tue Sep 17 17:01:35 EDT 2013

Hi Marco,

This is a problem we're working on as part of the Briar project. Our
approach is pretty simple: establish a shared secret when you first
communicate, periodically run that secret through a one-way function
to get a new shared secret, and destroy the old one. Symmetric keys
for encryption and authentication are derived from the current shared

The rotation period depends on the latency of the underlying
communication channel. For example, if you're communicating by email,
you might rotate to a new shared secret once a week, to allow the
other party to spend a week offline without losing any messages. On
the other hand if you're communicating by SD cards attached to
migrating geese, you might rotate less often.


On 16/09/13 12:45, Marco Pozzato wrote:
> Hi all,
> I'm looking for an asynchronous messaging protocol with support
> for forward secrecy: I found some ideas, some abstract paper but
> nothing ready to be used.
> OTR seems the preeminent protocol, but does not have support for 
> asynchronous communication. This post
> https://whispersystems.org/blog/asynchronous-security/ describes an
> interesting variation on OTR: the basic idea is to precalculate 100
> Diffie-Hellman and consume one at every new message.
> On the opposite side, for OpenPGP lovers, I found an old extension
> http://tools.ietf.org/html/draft-brown-pgp-pfs-01 which adopts the
> same approach, using many short-lived keys, which frequently
> expire (eg: every week) and are deleted.
> They are both clever ideas to provide PFS, but what does it mean to
> the average user? Let's say that today I discover an attack run on
> 1st of August:
> * OTR variation: I do not know which messages were wiretapped. 100
>   messages could span a few hours or two months.
> * OpenPGP: I know I lost messages sent in the first week of August.
> What do you think about it?
> Marco
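The rotation scheme Michael describes above, worked through as an added example (this is illustrative code, not Briar's implementation; the SHA-256 one-way step, the HMAC-based key derivation, the one-week period and the agreed epoch are all assumptions). It shows the two properties the reply relies on: a party that was offline for several periods ratchets forward and lands on the same keys, and a party holding the current secret cannot recover any earlier one.

```python
import hashlib
import hmac

# Rotation period for an email-like channel: one week (constructed value).
PERIOD_SECONDS = 7 * 24 * 3600
EPOCH = 1_377_993_600  # constructed epoch both parties fixed at first contact

def period_for(timestamp: int) -> int:
    """Which rotation period a given Unix time falls into."""
    return (timestamp - EPOCH) // PERIOD_SECONDS

def ratchet(secret: bytes) -> bytes:
    """One-way step: the next secret is a hash of the current one, so a party
    holding secret N cannot compute secret N-1 (assumed construction)."""
    return hashlib.sha256(b"ratchet|" + secret).digest()

def derive_keys(secret: bytes) -> tuple[bytes, bytes]:
    """Domain-separated encryption and authentication keys for one period."""
    enc_key = hmac.new(secret, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(secret, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key

class SharedSecretRatchet:
    def __init__(self, initial_secret: bytes, start_period: int):
        self.secret = initial_secret
        self.period = start_period

    def keys_for(self, period: int) -> tuple[bytes, bytes]:
        """Advance to `period`, overwriting every intermediate secret, and
        return that period's keys. Earlier periods are unrecoverable."""
        if period < self.period:
            raise ValueError("secret for period %d was destroyed" % period)
        while self.period < period:
            self.secret = ratchet(self.secret)  # old value is discarded
            self.period += 1
        return derive_keys(self.secret)

def offline_catchup_demo() -> bool:
    """Both parties start from the same secret; one stays offline for three
    periods, then rejoins and still derives the same keys."""
    alice = SharedSecretRatchet(b"constructed-initial-secret", 0)
    bob = SharedSecretRatchet(b"constructed-initial-secret", 0)
    alice_keys = alice.keys_for(3)
    bob_keys = bob.keys_for(3)  # bob skipped periods 1 and 2 entirely
    return alice_keys == bob_keys and alice.secret == bob.secret

if __name__ == "__main__":
    print("parties stay in sync after offline gap:", offline_catchup_demo())
```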
