[cryptography] Asynchronous forward secrecy encryption

zooko zooko at zooko.com
Thu Sep 26 16:08:32 EDT 2013


Let me just mention that this conversation is AWESOME. I only wish the folks
over at Perry's Crypto List (http://www.metzdowd.com/pipermail/cryptography/)
knew that we were having such a great conversation over here.

On Thu, Sep 19, 2013 at 09:20:04PM +0100, Michael Rogers wrote:
>
> The key reuse issue isn't related to the choice between time-based and message-based updates. It's caused by keys and IVs in the current design being derived deterministically from the shared secret and the sequence number. If an endpoint crashes and restarts, it may reuse a key and IV with new plaintext. Not good.

Another defense against this is to generate the IV from the plaintext, possibly
from the plaintext in addition to other stuff. There are three things that you
might want to throw into your IV generator: 1. the plaintext, 2. a persistent
secret key used only for this purpose and known only to this client, 3. a
random nonce read from the operating system.

I would suggest including 1 and 2 but not 3.

This *could* be seen as an alternative to the defense you described:

> In the new design, the temporary keys are still derived deterministically from the shared secret, but the IVs and ephemeral keys are random.

Or it could be used as an added, redundant defense. I guess if it is an added,
redundant defense then this is the same as including the random nonce -- number
3 from the list above.

Regards,

Zooko


More information about the cryptography mailing list