[cryptography] Asynchronous forward secrecy encryption
michael at briarproject.org
Mon Sep 23 07:51:21 EDT 2013
Thanks Trevor and Adam for your comments on this - I take your point
about the importance of forward secrecy for metadata, so I'll abandon
the idea of using ephemeral-static ECDH to protect the metadata.

On 20/09/13 01:55, Trevor Perrin wrote:
> Interesting, are the codes passwords? Short Auth Strings?

Each endpoint generates a random code (19 bits, represented as 6
decimal digits). The users exchange codes verbally, and the endpoints
use the two codes to find each other and obfuscate the key agreement.
The meaning of "find each other" depends on the communication channel;
in the case of Bluetooth, the endpoints use the codes to generate a
Bluetooth service UUID; each endpoint advertises a service with that
UUID, looks for nearby devices advertising that UUID, and makes an
unpaired RFCOMM connection to any it finds.

The key agreement starts with a hash commitment, followed by an
exchange of ephemeral ECDH public keys. Two short authentication
strings (again, six decimal digits) are derived from the shared
secret; the users exchange the authentication codes verbally to
complete the process.

> (Elligator + DH-EKE makes a nice PAKE, fwiw.)

Thanks, I'll look into it. The protocol I described above is (loosely
ZRTP-inspired) homebrew, and it would be nice to move to something
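The commit-then-reveal ECDH exchange with verbal short authentication strings that the message above describes, replayed as an added example. This is illustration code, not Briar's implementation: it assumes X25519 (RFC 7748, written out in textbook Python) for the ECDH step, SHA-256 for the hash commitment, and an HMAC-SHA256 derivation over the shared secret and both public keys for the two six-digit SAS values; the 19-bit discovery codes and the Bluetooth transport are not modelled.

```python
"""Commit-then-reveal ephemeral ECDH with two six-digit short auth strings.

Added example, not the Briar project's code. Assumed choices: X25519 for
the key agreement, SHA-256 for the commitment, HMAC-SHA256 for SAS
derivation. The X25519 ladder below is the RFC 7748 reference algorithm
written plainly; it is not constant-time and is for illustration only.
"""
import hashlib
import hmac
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (A - 2) / 4 for the Montgomery ladder
BASE_POINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key exactly as RFC 7748 specifies."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(private_key: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication via the Montgomery ladder."""
    k = _decode_scalar(private_key)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASE_POINT)


def commit(ephemeral_public: bytes) -> bytes:
    """Hash commitment to the initiator's key, sent before it sees the peer's key."""
    return hashlib.sha256(b"example-commit" + ephemeral_public).digest()


def verify_reveal(commitment: bytes, revealed_public: bytes) -> bool:
    """The responder checks the revealed key against the commitment it holds."""
    return hmac.compare_digest(commit(revealed_public), commitment)


def shared_secret(private_key: bytes, peer_public: bytes) -> bytes:
    """ECDH, rejecting the all-zero output produced by low-order peer points."""
    s = x25519(private_key, peer_public)
    if s == bytes(32):
        raise ValueError("degenerate shared secret; abort the exchange")
    return s


def derive_sas(secret: bytes, pub_initiator: bytes, pub_responder: bytes) -> tuple:
    """Two six-digit SAS values bound to both public keys (assumed derivation)."""
    transcript = pub_initiator + pub_responder
    codes = []
    for label in (b"sas-initiator", b"sas-responder"):
        mac = hmac.new(secret, label + transcript, hashlib.sha256).digest()
        codes.append(f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}")
    return tuple(codes)


def run_key_agreement(priv_i: bytes, priv_r: bytes) -> dict:
    """Replay the exchange: commit, swap keys, reveal, verify, derive the SAS."""
    pub_i, pub_r = public_key(priv_i), public_key(priv_r)
    c = commit(pub_i)                  # 1. initiator -> responder: H(pub_i)
    # 2. responder -> initiator: pub_r. The initiator is now bound to pub_i,
    #    so it cannot pick a key after seeing pub_r to steer the SAS.
    # 3. initiator -> responder: pub_i, checked against the commitment.
    if not verify_reveal(c, pub_i):
        raise ValueError("commitment mismatch")
    s_i, s_r = shared_secret(priv_i, pub_r), shared_secret(priv_r, pub_i)
    return {
        "secret_initiator": s_i,
        "secret_responder": s_r,
        "sas_initiator_view": derive_sas(s_i, pub_i, pub_r),
        "sas_responder_view": derive_sas(s_r, pub_i, pub_r),
    }


if __name__ == "__main__":
    result = run_key_agreement(os.urandom(32), os.urandom(32))
    print("codes to read aloud:", result["sas_initiator_view"])
```

Each side displays both six-digit values; each user reads one to the other and the exchange is complete only if both match. The commitment is what keeps a six-digit SAS meaningful: without it, whoever sends their ephemeral key last could try keys until the derived SAS collides with what the honest peer will display. The all-zero check in `shared_secret` is the usual X25519 guard against a peer that sends a low-order point.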