[cryptography] Asynchronous forward secrecy encryption

ianG iang at iang.org
Wed Sep 18 03:23:03 EDT 2013

On 18/09/13 00:01 AM, Michael Rogers wrote:
> Hi Marco,
> This is a problem we're working on as part of the Briar project. Our
> approach is pretty simple: establish a shared secret when you first
> communicate, periodically run that secret through a one-way function
> to get a new shared secret, and destroy the old one. Symmetric keys
> for encryption and authentication are derived from the current shared
> secret.

If I compromise your first shared secret, does that mean every shared 
secret thereafter is compromised?

> The rotation period depends on the latency of the underlying
> communication channel. For example, if you're communicating by email,
> you might rotate to a new shared secret once a week, to allow the
> other party to spend a week offline without losing any messages.

How do you coordinate between endpoints for the rotation?  Is it 
strictly time-based?  Or is there some sense of "searching the space" by 
hashing forward multiple rotations until the message decrypts?

> On the other hand if you're communicating by SD cards attached to
> migrating geese, you might rotate less often.

Ah, but does it consider the pâté attack?  ;)

> On 16/09/13 12:45, Marco Pozzato wrote:

>> I'm looking for an asynchronous messaging protocol with support
>> for forward secrecy: I found some ideas, some abstract paper but
>> nothing ready to be used.

Without some idea of the problem space you are trying to address, it's 
hard to do more than pluck ideas from existing protocols.
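The hash-ratchet Michael describes, and the "search forward until it decrypts" coordination ianG asks about, as an added illustration (not Briar's code and not from this thread). It assumes HMAC-SHA256 as the one-way function, a constructed HMAC-counter keystream standing in for a real cipher, and a receiver willing to hash forward at most four epochs. It also makes ianG's first question concrete: anyone holding the epoch-0 secret can derive every later key, so the scheme gives forward secrecy only for epochs already erased.

```python
import hmac, hashlib, os

def ratchet(secret: bytes) -> bytes:
    # One-way step: the next shared secret is an HMAC of the current one.
    return hmac.new(secret, b"ratchet", hashlib.sha256).digest()

def derive_keys(secret: bytes):
    # Separate encryption and authentication keys for the current epoch.
    enc = hmac.new(secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(secret, b"mac", hashlib.sha256).digest()
    return enc, mac

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed toy keystream (HMAC in counter mode) so the example runs
    # with the standard library only; a real system would use an AEAD.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(secret: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under the keys of the sender's current epoch.
    enc, mac = derive_keys(secret)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

class Receiver:
    def __init__(self, secret: bytes, max_skip: int = 4):
        self.secret, self.epoch, self.max_skip = secret, 0, max_skip

    def decrypt(self, msg: bytes):
        # No epoch number travels with the message: try the current secret,
        # then hash forward up to max_skip times until the tag verifies.
        nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
        secret = self.secret
        for skip in range(self.max_skip + 1):
            enc, mac = derive_keys(secret)
            if hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
                # Epoch found: advance the state, dropping the older secrets,
                # so a later compromise cannot reach messages from those epochs.
                self.secret, self.epoch = secret, self.epoch + skip
                return bytes(a ^ b for a, b in zip(ct, keystream(enc, nonce, len(ct))))
            secret = ratchet(secret)
        return None  # unknown epoch, bad tag, or sender too far ahead
```

Once the receiver has moved to epoch 2, a message still keyed for epoch 1 is rejected, which is exactly the trade-off the weekly rotation window in the quoted text is meant to bound.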


