[cryptography] Asynchronous forward secrecy encryption
c1.devrandom at niftybox.net
Mon Sep 23 00:12:20 EDT 2013
On 09/16/2013 04:45 AM, Marco Pozzato wrote:
> Hi all,
> I'm looking for an asynchronous messaging protocol with support for
> forward secrecy: I found some ideas, some abstract paper but nothing
> ready to be used.

I've been thinking about this for a while now and I don't see a way to
do this with today's mobile devices without some external help.

The issue is that it's pretty much impossible to delete data securely
from a flash device. That means that in order to guarantee PFS, you
have to store the keys in memory only. But again, in a mobile
environment, you don't have access to stable memory either, because of
the OS restarting your app, or the device itself rebooting.

Let's call this the persistence/deletion issue.

So, I submit that PFS in async messaging is impossible without help from
some kind of ephemeral, yet persistent storage. A possible solution
might be to store a portion of the key material (through Shamir's secret
sharing) on servers that you partially trust.

> OTR seems the preeminent protocol, but does not have support for
> asynchronous communication.
> This post https://whispersystems.org/blog/asynchronous-security/
> describes an interesting variation on OTR: the basic idea is to
> precalculate 100 Diffie-Hellman and consume one at every new message.

Moxie's idea doesn't seem to solve the persistence/deletion issue.

> On the opposite side, for OpenPGP lovers, I found an old
> extension http://tools.ietf.org/html/draft-brown-pgp-pfs-01 which
> adopts the same approach, using many short-lived keys, which frequently
> expire (e.g. every week) and are deleted.

"deleted"... same issue.

> They are both clever ideas to provide PFS, but what does it mean to
> the average user? Let's say that today I discover an attack run on 1st
> of August:
> * OTR variation: I do not know which messages were wiretapped. 100
> messages could span a few hours or two months.
> * OpenPGP: I know I lost messages sent in the first week of August.
> What do you think about it?