Re: [liberationtech] Open Whisper Systems' neat asynch FPS "pre-keying"
----- Forwarded message from elijah <elijah@riseup.net> -----

Date: Thu, 22 Aug 2013 23:46:10 -0700
From: elijah <elijah@riseup.net>
To: liberationtech <liberationtech@lists.stanford.edu>
Subject: Re: [liberationtech] Open Whisper Systems' neat asynch FPS "pre-keying"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
Reply-To: liberationtech <liberationtech@lists.stanford.edu>

On 08/22/2013 08:09 PM, Tom Ritter wrote:
> https://whispersystems.org/blog/asynchronous-security/
>
>> Since these key exchange parts are ephemeral, recording ciphertext traffic doesn’t help a would-be adversary, since there is no durable key for them to compromise in the future.
>
> I disagree. PFS traffic today protected with 1024-bit DH will be readable in 10 years, if not sooner, to organizations like the NSA. In twice that time it may be cheap enough to be decryptable on a mass scale.
Well, to be fair to moxie, TextSecure uses a modified OTR that uses ECC, afaik.
> Anyway, that's a nit. My first thought is that the nastiest part of this protocol is that Bob (a client) is trusting the server to give it legitimate keys for Alice (the other client.) The server can lie, and hand out fraudulent keys (I'll call one KeyF as opposed to a legit one KeyA).
I think this criticism is also a bit unfair. The scheme of generating prekeys for later key agreement is pretty clever. With this, moxie is not trying to solve, or claiming to have solved, the larger problem of binding user account to public key. For the binding problem, he is completely punting, and relying on a central authority, afaik, which is awful and horrible for all the reasons you state. But the key agreement part is cooool. If you could solve the binding problem some other way, then moxie's prekey approach could be used for all kinds of things, even email.

For the user public key binding problem, you have a proposal [0], I have a proposal [1], Paul Wouters has a proposal [2], there are probably several more people on the list with proposals too. One of them will probably work, eventually. And when one does, the prekey approach to key agreement could come in very handy.

-elijah

[0] unpublished UEE protocol
[1] https://leap.se/en/nicknym
[2] https://datatracker.ietf.org/doc/draft-wouters-dane-openpgp/

--
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys@stanford.edu.

----- End forwarded message -----

--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
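Editor's note, added after the forwarded message and not part of the thread or of Open Whisper Systems' code: the exchange the two of them are arguing about can be modelled in a few dozen lines, which makes both points concrete. Alice uploads a batch of prekey publics and goes offline; Bob fetches one, does a DH with a fresh ephemeral key, and sends; Alice later consumes the matching prekey private. That is elijah's "cooool" part, and with the honest server it works with nobody online at the same time. Swap in a server that hands Bob KeyF instead of KeyA and re-encrypts to Alice afterwards, and you get Tom's point: both ends decrypt happily and the server read the message. Everything below is assumed for illustration: a pure-Python X25519 (RFC 7748) for the DH step, a SHA-256 key derivation, a stand-in XOR-keystream-plus-HMAC "cipher" that is not a real AEAD, and the `PrekeyServer`/`LyingServer`/`Alice`/`bob_send` names and message shapes. It deliberately contains no identity key or out-of-band check, because the binding step is exactly what the thread says the scheme punts on.

```python
"""Added example, not TextSecure's code: toy prekey exchange plus the
key-substitution attack from the thread.  Assumed: pure-Python X25519
(RFC 7748), SHA-256 KDF, and a stand-in XOR+HMAC cipher (not a real AEAD)."""
import hashlib, hmac, os

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder on 32-byte little-endian inputs."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64          # scalar clamping
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = os.urandom(32)
    return sk, x25519(sk, BASE)

def derive_key(shared: bytes) -> bytes:
    return hashlib.sha256(b"prekey-demo-v1" + shared).digest()

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: bytes) -> bytes:   # toy encrypt-then-MAC, one key for both (demo only)
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, len(ct))))

class PrekeyServer:
    """Honest server: stores uploaded prekey publics, hands each out once."""
    def __init__(self):
        self.store = {}
    def upload(self, user, prekeys):
        self.store.setdefault(user, []).extend(prekeys)
    def fetch(self, user):
        return self.store[user].pop(0)   # one-time: gone once handed out
    def relay(self, pid, eph_pub, blob):
        return pid, eph_pub, blob        # an honest server just forwards

class LyingServer(PrekeyServer):
    """Tom's scenario: Bob is handed KeyF (the server's) instead of KeyA."""
    def __init__(self):
        super().__init__()
        self.f_sk, self.f_pub = keypair()
        self.real, self.captured = {}, []
    def fetch(self, user):
        pid, real_pub = super().fetch(user)
        self.real[pid] = real_pub        # keep KeyA to re-encrypt later
        return pid, self.f_pub           # Bob gets KeyF and cannot tell
    def relay(self, pid, eph_pub, blob):
        plaintext = unseal(derive_key(x25519(self.f_sk, eph_pub)), blob)
        self.captured.append(plaintext)  # the server reads the message...
        my_sk, my_pub = keypair()        # ...then re-encrypts it to KeyA
        return pid, my_pub, seal(derive_key(x25519(my_sk, self.real[pid])), plaintext)

class Alice:
    def __init__(self, server, n=3):
        keys = [keypair() for _ in range(n)]
        self.prekeys = {pid: sk for pid, (sk, _) in enumerate(keys)}
        server.upload("alice", [(pid, pub) for pid, (_, pub) in enumerate(keys)])  # then offline
    def receive(self, pid, eph_pub, blob):
        sk = self.prekeys.pop(pid)       # each prekey private is used once
        return unseal(derive_key(x25519(sk, eph_pub)), blob)

def bob_send(server, msg: bytes):
    pid, alice_pub = server.fetch("alice")
    eph_sk, eph_pub = keypair()          # fresh per message: nothing durable
    return pid, eph_pub, seal(derive_key(x25519(eph_sk, alice_pub)), msg)

def run(server_cls, msg: bytes = b"meet at 9"):
    server = server_cls()
    alice = Alice(server)
    env = server.relay(*bob_send(server, msg))
    return alice.receive(*env), list(getattr(server, "captured", []))   # (Alice's view, server's view)
```

`run(PrekeyServer)` returns the message and an empty capture list; `run(LyingServer)` returns the same message to Alice and a capture list containing it, which is the whole of Tom's objection in one tuple. Nothing in the flow lets Bob distinguish KeyF from KeyA, and that is the binding problem elijah says has to be solved separately.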