[cryptography] Asynchronous forward secrecy encryption

Dev Random c1.devrandom at niftybox.net
Mon Sep 23 00:12:20 EDT 2013

On 09/16/2013 04:45 AM, Marco Pozzato wrote:
> Hi all,
> I'm looking for an asynchronous messaging protocol with support for
> forward secrecy: I found some ideas, some abstract paper but nothing
> ready to be used.

I've been thinking about this for a while now and I don't see a way to
do this with today's mobile devices without some external help.

The issue is that it's pretty much impossible to delete data securely
from a flash device.  That means that in order to guarantee PFS, you
have to store the keys in memory only.  But again, in a mobile
environment, you don't have access to stable memory either, because of
the OS restarting your app, or the device itself rebooting.

Let's call this the persistence/deletion issue.

So, I submit that PFS in async messaging is impossible without help from
some kind of ephemeral, yet persistent storage.  A possible solution
might be to store a portion of the key material (through Shamir's secret
sharing) on servers that you partially trust.

> OTR seems the preeminent protocol, but does not have support for
> asynchronous communication.
> This post https://whispersystems.org/blog/asynchronous-security/
> describes an interesting variation on OTR: the basic idea is to
> precalculate 100 Diffie-Hellman and consume one at every new message.

Moxie's idea doesn't seem to solve the persistence/deletion issue.

> On the opposite side, for OpenPGP lovers, I found an old
> extension http://tools.ietf.org/html/draft-brown-pgp-pfs-01 which
> adopts the same approach, using many short-lived keys, which frequently
> expire (eg: every week) and are deleted.

"deleted"...  same issue.

> They are both clever ideas to provide PFS, but what does it mean to
> the average user? Let's say that today I discover an attack run on the 1st
> of August: 
>   * OTR variation: I do not know which messages were wiretapped. 100
>     messages could span a few hours or two months.
>   * OpenPGP: I know I lost messages sent in the first week of August. 
> What do you think about it?
> Marco
