[cryptography] Asynchronous forward secrecy encryption
trevp at trevp.net
Mon Sep 30 18:40:32 EDT 2013
On Sun, Sep 29, 2013 at 8:57 AM, Michael Rogers <michael at briarproject.org> wrote:
> We're also planning to support introductions through mutually trusted
> third parties.
> Alice and Carol must trust Bob not to MITM the key exchange.
It'd be nice if Alice and Carol could use some additional, out-of-band
channel to authenticate the ephemeral DH exchange.
Best I can think of are short auth strings (SAS), public-key
fingerprints (if you added long-term "identity keys"), and PAKE.
The tradeoffs are something like:
* Key fingerprints and SAS are non-secret (unlike PAKE passwords)
* SAS and PAKE can use short strings of several chars (unlike fingerprints)
* Fingerprints can be exchanged before *or* after the ephemeral DH
handshake (unlike PAKE passwords or SAS)
* Fingerprints can be confirmed with 3rd parties or public records
(unlike PAKE passwords or SAS)
* Fingerprints and PAKE can be compatible with a single, unordered
handshake exchange of ephemeral DH values, unlike SAS
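As an added illustration of the first two options above (not code from the thread or from Briar): a short authentication string derived from both ephemeral DH values and the shared secret, and a fingerprint of a long-term identity key. A toy finite-field DH group stands in for a real one; the group parameters, function names and the 6-digit SAS length are all assumptions of this example.

```python
import hashlib
import secrets

# Toy DH group for illustration only: P is prime (2^255 - 19), but this is
# not a vetted standard group and G's subgroup order is unchecked.
# Use a real library and group in any real system.
P = 2**255 - 19
G = 2


def dh_keypair(priv=None):
    """Return (private exponent, public value); priv may be fixed for tests."""
    x = priv if priv is not None else secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def sas(pub_x, pub_y, shared, digits=6):
    """Short authentication string committing to BOTH ephemeral public values
    and the derived secret. Sorting the values makes the string identical on
    each side regardless of who sent first (an unordered handshake), and a
    6-digit string is short enough to read aloud over a voice channel."""
    transcript = b"".join(v.to_bytes(32, "big") for v in sorted((pub_x, pub_y)))
    h = hashlib.sha256(b"SAS" + transcript + shared.to_bytes(32, "big")).digest()
    return f"{int.from_bytes(h[:4], 'big') % 10**digits:0{digits}d}"


def fingerprint(identity_pub):
    """Fingerprint of a long-term identity key: non-secret, so it can be
    compared before or after the handshake or checked against public records."""
    return hashlib.sha256(identity_pub.to_bytes(32, "big")).hexdigest()[:40]


def handshake(a_priv, c_priv, bob_privs=None):
    """Return (Alice's SAS, Carol's SAS). If bob_privs=(b1, b2) is given, the
    introducer Bob substitutes his own ephemeral value toward each party, so
    the two sides compute SAS over different transcripts and the strings differ."""
    a_priv, a_pub = dh_keypair(a_priv)
    c_priv, c_pub = dh_keypair(c_priv)
    if bob_privs is None:  # honest introduction: both sides see the real values
        return (sas(a_pub, c_pub, dh_shared(a_priv, c_pub)),
                sas(a_pub, c_pub, dh_shared(c_priv, a_pub)))
    b1_priv, b1_pub = dh_keypair(bob_privs[0])  # value Bob shows Alice
    b2_priv, b2_pub = dh_keypair(bob_privs[1])  # value Bob shows Carol
    return (sas(a_pub, b1_pub, dh_shared(a_priv, b1_pub)),
            sas(b2_pub, c_pub, dh_shared(c_priv, b2_pub)))
```

Comparing the two SAS values over the out-of-band channel detects the substitution; comparing identity-key fingerprints does the same once long-term keys exist.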