
Re: [Ring] Security issues


From: Simon Désaulniers
Subject: Re: [Ring] Security issues
Date: Thu, 29 Jun 2017 21:55:43 -0400
User-agent: NeoMutt/20170306 (1.8.0)

Hi,

> Thanks for the followup.   In terms of practical attacks, I think the
> point of per-message PFS vs longer-term PFS is not critical, as long as
> the time period that a key is maintained is relatively bounded.

PFS is easily achievable using the SCIMP ratchet. I don't see any reason why not
to use it. It's as simple as hashing the key each time you send another message
until you're able to refresh the DH root key (i.e. when your peer comes back
online), therefore gaining back backward secrecy (BS). I'm basically describing
the Axolotl ratcheting system. What I want to emphasize is that SCIMP is easy to use
for each message without problem. Indeed, if it's used for audio/video, you
relax this by doing SCIMP ratcheting every 30 seconds. That would greatly improve
PFS between two connections without any non-negligible loss of performance.

> One thing that would be good to expand on is, assuming ring supports
> some sort of SMS-like service, how that works in terms of the
> combination of PFS and the other user being offline.   Lacking a server,
> I would guess it's just retried until both are online, and then you can
> do the DTLS key agreement.  Is that right?

If we speak strictly about text messages, the Signal-like (Axolotl ratchet)
protocol is a really good idea as it provides PFS in an asynchronous way and
provides a nice mechanism to refresh the DH root key to gain backward secrecy when
both peers are online (in a common period +/- some accepted parameter delay). I
insist on using more elaborate protocols than (D)TLS as they provide better
mechanisms for asynchronism, PFS and BS altogether.

However, if we also think about group messaging, Signal may not be the best
solution since it was not designed for group messaging initially. One promising
idea is GOTR (2013) [1]. The main idea of GOTR is the usage of an authenticated
and deniable GKA. It provides nice properties, especially:

- Global transcript consistency;
- Group expansion and contraction;

However, it's strongly synchronous. Therefore, when a peer is offline, the
protocol doesn't provide a way to handle messages we received offline (upon
coming back online). It might, however, be possible to merge the two approaches
of Axolotl and GOTR to make something interesting. Two members of the Ring team
and I are presently looking into that.

Regards,


[1]: https://www-users.cs.umn.edu/~hopper/gotr.pdf

On Thu, Jun 29, 2017 at 09:28:06PM -0400, Greg Troxel wrote:
> 
> Simon Désaulniers <address@hidden> writes:
> 
> > Regarding the effect of OTR, Axolotl on PFS asked on the stackexchange
> > post, I have clarified in an answer~[1] something that I thought unclear.
> 
> Thanks for the followup.   In terms of practical attacks, I think the
> point of per-message PFS vs longer-term PFS is not critical, as long as
> the time period that a key is maintained is relatively bounded.
> 
> One thing that would be good to expand on is, assuming ring supports
> some sort of SMS-like service, how that works in terms of the
> combination of PFS and the other user being offline.   Lacking a server,
> I would guess it's just retried until both are online, and then you can
> do the DTLS key agreement.  Is that right?
> 



-- 
Simon Désaulniers
address@hidden
ring:d92721cd88395f7c4953004cde769c4976cbe82c
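The per-message hash ratchet Simon describes above (hash the chain key forward on every message, mix in a fresh DH secret once the peer is back online), as an added illustration that is not Ring's or the Ring team's code. HMAC-SHA256 as the one-way step and the fixed labels are assumptions; the DH exchange itself is stubbed as a fresh random secret handed to both sides.

```python
import hmac
import hashlib
import os


def kdf(chain_key: bytes, label: bytes) -> bytes:
    # One-way step keyed with the chain key (assumed KDF, not SCIMP's exact one).
    return hmac.new(chain_key, label, hashlib.sha256).digest()


class HashRatchet:
    # Symmetric SCIMP-style ratchet: hash forward per message, never keep the old key.
    def __init__(self, shared_secret: bytes) -> None:
        self.chain_key = shared_secret

    def next_message_key(self) -> bytes:
        # Distinct labels for the message key and the chain advance; the old chain
        # key is overwritten, so a later compromise cannot run the hash backwards.
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")
        return message_key

    def refresh_root(self, fresh_dh_secret: bytes) -> None:
        # Models the DH root-key refresh once the peer is online again; the fresh
        # entropy is what restores backward secrecy from this point on.
        self.chain_key = kdf(self.chain_key, b"root" + fresh_dh_secret)


def demo() -> dict:
    secret = b"\x42" * 32                          # constructed initial shared secret
    alice, bob = HashRatchet(secret), HashRatchet(secret)
    sent = [alice.next_message_key() for _ in range(3)]
    received = [bob.next_message_key() for _ in range(3)]

    # An attacker snapshots Alice's chain key right after message 3 was sent.
    attacker = HashRatchet(alice.chain_key)
    guessed_next = attacker.next_message_key()     # matches: no backward secrecy yet
    real_next = alice.next_message_key()
    bob.next_message_key()                         # keep Bob in step

    # Both peers complete the DH refresh; the attacker cannot follow.
    fresh = os.urandom(32)
    alice.refresh_root(fresh)
    bob.refresh_root(fresh)
    after_alice, after_bob = alice.next_message_key(), bob.next_message_key()
    attacker_after = attacker.next_message_key()
    return {
        "peers_agree": sent == received and after_alice == after_bob,
        "past_keys_leaked": guessed_next in sent,              # False: PFS holds
        "next_key_leaked": guessed_next == real_next,          # True until refresh
        "post_refresh_leaked": attacker_after == after_alice,  # False: BS regained
    }
```

The dictionary returned by `demo()` is the whole point: a snapshot of the chain key reveals the next message key but none of the earlier ones, and after the root refresh it reveals nothing further.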


