[cryptography] Asynchronous forward secrecy encryption

Michael Rogers michael at briarproject.org
Wed Sep 18 10:35:47 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18/09/13 08:12, Adam Back wrote:
> Or better the actual key used could be derived to fix that.  eg 
> k_{i+1}=H(k_i) delete k_i; but also sk_i=H(1||k_i) then use sk_i 
> values.  In that way you can keep keys for a gap with no security 
> implication other than the missing/delayed message security.
> Other messages that come afterwards would be unaffected.

This is very close to the way we currently derive keys. We also derive
a pseudo-random tag corresponding to each key, which is prepended to
the encrypted data so the recipient can detect reordering (using a
sliding window as in IPsec) and use the correct key.

However, this approach is fragile because it requires persistent
storage of a counter - if the app crashes after using a key but before
persistently storing the updated counter, you can end up reusing a
key. Unfortunately, since hard disks and operating systems lie about
having persistently stored data, this can happen even if you store the
counter and call fsync before using the key. So we're moving to a less
fragile approach:

* Rotate the shared secret periodically
* Derive temporary encryption and authentication keys for each
direction from the current shared secret
* Each time you want to send some data, generate a random IV and
ephemeral encryption and authentication keys
* Use the temporary keys and the random IV to encrypt and authenticate
the ephemeral keys

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSObpCAAoJEBEET9GfxSfMrKIH/jfQwJzBaPLx7uKzJdoGHQkJ
8NWSYh3/YePrY8Ukbx9qZUMyBwghRecgf0u/pJeId5+fktgc2u1BVXQCekBIyYCO
YSxmHBDsfQ3cC+5JRMH8U7JwsRMvWDBYJdDCX3IR4ofGJ7+aaJuwqo13vhoToO4C
kkPGvXIvTSpP6YLSvy1wlbHwFy9hb3e3ywvt91jsGvk/nIfBX+eQLEixu/HqjVkN
g6IGvyMgm7B5m5puiodwH7k3fL0vIkdnWAtQZu7S3UztovyFqaJY34NCV+JgusYD
X0cmojyKf1/quePi8exMkeQaibrOPUG3a+O8f+Jhld3Gfv4fyO8EIK3PVoKIMbY=
=2Vz/
-----END PGP SIGNATURE-----
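The two schemes discussed in this message, as an added example that is not code from the original post or from Briar: the hash ratchet k_{i+1}=H(k_i), sk_i=H(1||k_i) with a pseudo-random tag per key and an IPsec-style sliding window at the receiver (the tag derivation H(2||k_i) and the window bookkeeping are my assumptions, as the post does not spell them out), followed by the counter-free alternative in which temporary per-direction keys derived from a rotating shared secret wrap a random IV plus fresh ephemeral keys for each message. HMAC-SHA256 in counter mode stands in for a real cipher so that the example runs on the standard library alone; the label strings are arbitrary.

```python
import hashlib
import hmac
import os


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts (the H of the thread)."""
    return hashlib.sha256(b"".join(parts)).digest()


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a keyed PRF for key derivation, MACs and keystream."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


# --- Part 1: hash ratchet with per-key tags and a receiver-side sliding window --

class RatchetSender:
    """k_{i+1} = H(k_i) and k_i is deleted; sk_i = H(1||k_i) is the key actually used.
    tag_i = H(2||k_i) is an assumed tag derivation, prepended so the receiver can
    find the right key without a cleartext counter."""

    def __init__(self, k0: bytes):
        self.k = k0

    def next_key(self):
        sk, tag = H(b"\x01", self.k), H(b"\x02", self.k)
        self.k = H(self.k)  # ratchet forward; the old chain key is gone
        return tag, sk


class RatchetReceiver:
    """Keeps tags for the next `window` keys beyond the highest index seen, drops keys
    older than the window, and refuses a tag that has already been consumed (replay)."""

    def __init__(self, k0: bytes, window: int = 8):
        self.window = window
        self.highest = -1        # highest index accepted so far
        self.k, self.i = k0, 0   # next chain key not yet expanded into a tag
        self.pending = {}        # tag -> (index, sk) for unseen, in-window keys
        self._expand()

    def _expand(self):
        while self.i <= self.highest + self.window:
            self.pending[H(b"\x02", self.k)] = (self.i, H(b"\x01", self.k))
            self.k, self.i = H(self.k), self.i + 1

    def key_for(self, tag: bytes):
        entry = self.pending.pop(tag, None)  # pop: a second use of the tag is a replay
        if entry is None:
            return None                      # unknown, replayed, or fell out of the window
        i, sk = entry
        if i > self.highest:
            self.highest = i
            self._expand()
            self.pending = {t: e for t, e in self.pending.items()
                            if e[0] > self.highest - self.window}
        return sk


# --- Part 2: rotating shared secret, temporary keys, random IV + ephemeral keys --

IV_LEN, KEY_LEN, TAG_LEN = 16, 32, 32


def rotate_secret(shared: bytes) -> bytes:
    """Periodic one-way rotation of the shared secret, so old secrets cannot be recovered."""
    return prf(shared, b"rotate")


def temp_keys(shared: bytes, direction: bytes):
    """Temporary encryption and authentication keys for one direction of traffic."""
    return prf(shared, b"enc", direction), prf(shared, b"mac", direction)


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stand-in for a block cipher)."""
    out = b"".join(prf(key, iv, ctr.to_bytes(4, "big")) for ctr in range((n + 31) // 32))
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """No persistent counter: every message draws a fresh IV and fresh ephemeral keys,
    so a crash between send and state update cannot cause key reuse."""
    iv = os.urandom(IV_LEN)
    eph_enc, eph_mac = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    header = xor(eph_enc + eph_mac, keystream(enc_key, iv, 2 * KEY_LEN))
    header_tag = prf(mac_key, iv, header)            # temporary keys protect the ephemerals
    body = xor(plaintext, keystream(eph_enc, iv, len(plaintext)))
    body_tag = prf(eph_mac, iv, body)                # ephemeral keys protect the payload
    return iv + header + header_tag + body + body_tag


def open_(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Verify-then-decrypt; returns None on any authentication failure."""
    hdr_end = IV_LEN + 2 * KEY_LEN
    if len(msg) < hdr_end + 2 * TAG_LEN:
        return None
    iv, header = msg[:IV_LEN], msg[IV_LEN:hdr_end]
    header_tag = msg[hdr_end:hdr_end + TAG_LEN]
    body, body_tag = msg[hdr_end + TAG_LEN:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(header_tag, prf(mac_key, iv, header)):
        return None
    eph = xor(header, keystream(enc_key, iv, 2 * KEY_LEN))
    eph_enc, eph_mac = eph[:KEY_LEN], eph[KEY_LEN:]
    if not hmac.compare_digest(body_tag, prf(eph_mac, iv, body)):
        return None
    return xor(body, keystream(eph_enc, iv, len(body)))
```

In the first half the receiver's `pending` map is the only state it needs, and it is safe to lose: re-expanding from the last chain key reproduces it. In the second half the sender keeps no per-message state at all, which is the property the post is after; what remains fragile is only the periodic rotation of the shared secret, which happens far less often than sending a message.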

