[liberationtech] Open Whisper Systems' neat asynch FPS "pre-keying"

Eugen Leitl eugen at leitl.org
Fri Aug 23 05:50:50 PDT 2013


----- Forwarded message from elijah <elijah at riseup.net> -----

Date: Thu, 22 Aug 2013 23:46:10 -0700
From: elijah <elijah at riseup.net>
To: liberationtech <liberationtech at lists.stanford.edu>
Subject: Re: [liberationtech] Open Whisper Systems' neat asynch FPS "pre-keying"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
Reply-To: liberationtech <liberationtech at lists.stanford.edu>

On 08/22/2013 08:09 PM, Tom Ritter wrote:

>> https://whispersystems.org/blog/asynchronous-security/ Since these
>> key exchange parts are ephemeral, recording ciphertext traffic
>> doesn’t help a would-be adversary, since there is no durable key
>> for them to compromise in the future.
> 
> I disagree.  PFS traffic today protected with 1024-bit DH will be 
> readable in 10 years, if not sooner, to organizations like the NSA. 
> In twice that time it may be cheap enough to be decryptable on a
> mass scale.

Well, to be fair to moxie, TextSecure uses a modified OTR that uses ECC,
afaik.

> Anyway, that's a nit.  My first thought is that the nastiest part of 
> this protocol is that Bob (a client) is trusting the server to give
> it legitimate keys for Alice (the other client.)  The server can lie,
> and hand out fraudulent keys (I'll call one KeyF as opposed to a legit
> one KeyA).

I think this criticism is also a bit unfair. The scheme of generating
prekeys for later key agreement is pretty clever. With this, moxie is
not trying to solve, or claiming to have solved, the larger problem of
binding a user account to a public key. For the binding problem,
he is completely punting, and relying on a central authority, afaik,
which is awful and horrible for all the reasons you state. But the key
agreement part is cooool.

If you could solve the binding problem some other way, then moxie's
prekey approach could be used for all kinds of things, even email.

For the user public key binding problem, you have a proposal [0], I have
a proposal [1], Paul Wouters has a proposal [2], there are probably
several more people on the list with proposals too. One of them will
probably work, eventually. And when one does, the prekey approach to key
agreement could come in very handy.

-elijah

[0] unpublished UEE protocol
[1] https://leap.se/en/nicknym
[2] https://datatracker.ietf.org/doc/draft-wouters-dane-openpgp/
-- 
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
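As an added example (not code from the thread, Open Whisper Systems or TextSecure), here is the prekey agreement elijah describes and the server substitution Tom raises, in Python with a plain X25519 ladder following RFC 7748: Alice uploads public prekeys, Bob agrees a key with one while she is offline, and a server that serves its own KeyF ends up sharing Bob's key instead of Alice. The `with_binding` flag is an assumed stand-in for a solved account-to-key binding: Bob checks the served key against keys verified out of band and refuses KeyF.

```python
import hashlib, hmac, os

P = 2**255 - 19                      # field prime for Curve25519
BASE = (9).to_bytes(32, "little")    # X25519 base point u = 9

def x25519(scalar, point):
    """RFC 7748 Montgomery ladder in plain Python; not constant time (demo only)."""
    k = (int.from_bytes(scalar, "little") & ((1 << 255) - 1) & ~7) | (1 << 254)  # clamp
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def derive(shared):
    return hmac.new(b"prekey-demo-kdf", shared, hashlib.sha256).digest()  # stand-in KDF

def run_demo(server_lies, with_binding=False):
    """Alice uploads public prekeys; Bob fetches one and agrees a key while she is
    offline. Returns (bob_key, alice_key, server_key), or None if Bob rejects the key."""
    alice_prekeys = [keypair() for _ in range(3)]                        # (priv, pub) batch
    server_store = {i: pub for i, (_, pub) in enumerate(alice_prekeys)}  # uploaded halves
    keyf_priv, keyf_pub = keypair()                                      # server's own KeyF
    pid = 1
    served = keyf_pub if server_lies else server_store[pid]
    # with_binding: assumed out-of-band verification of Alice's keys (the unsolved binding)
    if with_binding and served not in {pub for _, pub in alice_prekeys}:
        return None
    bob_priv, bob_pub = keypair()                                        # Bob's ephemeral half
    bob_key = derive(x25519(bob_priv, served))                           # Bob sends bob_pub + pid
    alice_key = derive(x25519(alice_prekeys[pid][0], bob_pub))           # Alice, once online
    server_key = derive(x25519(keyf_priv, bob_pub))                      # what a lying server gets
    return bob_key, alice_key, server_key
```

With an honest server Bob and Alice derive the same key; with a lying server Bob's key matches the server's and Alice's does not, which is exactly the trust Tom objects to and the gap a binding scheme has to close.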