[cryptography] Asynchronous forward secrecy encryption

Trevor Perrin trevp at trevp.net
Mon Sep 30 18:40:32 EDT 2013

On Sun, Sep 29, 2013 at 8:57 AM, Michael Rogers
<michael at briarproject.org> wrote:
> We're also planning to support introductions through mutually trusted
> third parties.
> Alice and Carol must trust Bob not to MITM the key exchange.

It'd be nice if Alice and Carol could use some additional, out-of-band
channel to authenticate the ephemeral DH exchange.

Best I can think of are short auth strings (SAS), public-key
fingerprints (if you added long-term "identity keys"), and PAKE.

The tradeoffs are something like:
 * Key fingerprints and SAS are non-secret (unlike PAKE passwords)
 * SAS and PAKE can use short strings of several chars (unlike fingerprints)
 * Fingerprints can be exchanged before *or* after the ephemeral DH
handshake (unlike PAKE passwords or SAS)
 * Fingerprints can be confirmed with 3rd parties or public records
(unlike PAKE passwords or SAS)
 * Fingerprints and PAKE can be compatible with a single, unordered
handshake exchange of ephemeral DH values, unlike SAS


More information about the cryptography mailing list