[cryptography] Asynchronous forward secrecy encryption

Michael Rogers michael at briarproject.org
Sun Sep 29 11:57:51 EDT 2013


On 24/09/13 07:52, Trevor Perrin wrote:
> On Mon, Sep 23, 2013 at 4:51 AM, Michael Rogers
>> The key agreement starts with a hash commitment, followed by an 
>> exchange of ephemeral ECDH public keys. Two short authentication 
>> strings (again, six decimal digits) are derived from the shared 
>> secret; the users exchange the authentication codes verbally to 
>> complete the process.
> 
> Sounds reasonable but you'll need a 3-way handshake for the short
> auth strings, which could be awkward in an "asynchronous
> messaging" scenario.

Good point, I should've mentioned that the key exchange protocol is
designed to be carried out face to face; it requires a low-latency
duplex channel, such as wifi or Bluetooth.

We're also planning to support introductions through mutually trusted
third parties. The protocol for Alice to introduce Bob and Carol to
each other will look something like this:

Bob -> Alice: I'd like to introduce you to Carol
Bob -> Carol: I'd like to introduce you to Alice
Alice -> Bob: OK, here's a single-use public key I just generated
Carol -> Bob: OK, here's a single-use public key I just generated
Bob -> Alice: Here's Carol's single-use public key and contact details
Bob -> Carol: Here's Alice's single-use public key and contact details
Alice -> Bob: I've deleted my private key and started key rotation
Carol -> Bob: I've deleted my private key and started key rotation
Bob -> Alice: Carol has started key rotation, you can contact her now
Bob -> Carol: Alice has started key rotation, you can contact her now

This process requires two-way communication between Alice and Bob, and
between Bob and Carol, but that communication can be asynchronous and
long distance.

Alice and Carol must trust Bob not to MITM the key exchange. If they
ever meet face to face, they can carry out a fresh key exchange with
short authentication strings to check that Bob didn't MITM them.

Cheers,
Michael

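The introduction flow described in the message, as an added example that is not part of the original post or of Briar's code: Alice and Carol each generate a single-use key pair, Bob relays the public keys, and each side derives a secret, once with an honest relay and once with Bob forwarding keys of his own. The choice of X25519, the pure-Python ladder, and the `six_digits` derivation are assumptions made for this sketch.

```python
import hashlib, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 ladder. Not constant-time: illustration only."""
    s = (int.from_bytes(k, "little") & ~7 & (2**255 - 1)) | 2**254  # clamp
    x1 = int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (s >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = os.urandom(32)
    return sk, x25519(sk, BASE)

def six_digits(secret: bytes) -> str:
    # Assumed derivation (not Briar's): SHA-256 of the secret, mod 10^6.
    n = int.from_bytes(hashlib.sha256(secret).digest(), "big")
    return f"{n % 10**6:06d}"

def introduce(bob_substitutes: bool):
    """Return the secrets Alice and Carol hold after Bob relays the keys."""
    a_sk, a_pk = keypair()            # Alice's single-use key pair
    c_sk, c_pk = keypair()            # Carol's single-use key pair
    to_alice, to_carol = c_pk, a_pk   # honest Bob forwards each key unchanged
    if bob_substitutes:               # the case Alice and Carol trust Bob to avoid
        to_alice, to_carol = keypair()[1], keypair()[1]
    alice_secret, carol_secret = x25519(a_sk, to_alice), x25519(c_sk, to_carol)
    del a_sk, c_sk                    # single-use private keys are discarded
    return alice_secret, carol_secret

if __name__ == "__main__":
    for cheat in (False, True):
        a, c = introduce(cheat)
        print("substituted" if cheat else "honest", six_digits(a), six_digits(c))
```

Nothing in the relayed messages distinguishes the two runs from Alice's or Carol's side; only a comparison made outside Bob's channel shows that the secrets differ.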