[liberationtech] Open Whisper Systems' neat asynch FPS "pre-keying"

Tom Ritter tom at ritter.vg
Thu Aug 22 20:09:02 PDT 2013


> https://whispersystems.org/blog/asynchronous-security/
> Since these key exchange parts are ephemeral, recording ciphertext traffic doesn’t help a would-be adversary, since there is no durable key for them to compromise in the future.

I disagree.  PFS traffic today protected with 1024-bit DH will be
readable in 10 years, if not sooner, to organizations like the NSA.
In twice that time it may be cheap enough to be decryptable on a mass
scale.

Anyway, that's a nit.  My first thought is that the nastiest part of
this protocol is that Bob (a client) is trusting the server to give it
legitimate keys for Alice (the other client).  The server can lie, and
hand out fraudulent keys (I'll call one KeyF as opposed to a legit one
KeyA).

If the server lies, Bob will send a message to Alice, encrypted to KeyF.

If the message makes its way to Alice, she'll be confused, because
she can't decrypt it.  The server won't see it.

If the server colludes with a network attacker, Bob will send a
message encrypted to KeyF, which the network attacker sees.  The
network attacker gives the ciphertext to the server who decrypts it,
and the network attacker also blocks the message from being sent to
Alice, so Alice is none the wiser.

If the server is compelled to provide fraudulent keys for Alice, then
the network attacker presumably has the private key, decrypts it, and
doesn't deliver it.

The server introduces a central component in this network.  A
component that must be secured quite thoroughly, trusted by all the
participants, and ultimately, if it's Denial-of-Serviced, takes down all
users' chats*.  It would be possible to build a protocol such that the
server is federated (e.g. I run my own server, and there's an open
protocol for all OTR apps [or all TextSecure-OTR apps] to know how to
query to find my server.)  Even if Moxie didn't want to build that
into TextSecure, there's no reason other OTR apps couldn't follow a
similar prekeying design with a federated prekey server.

*Of course there are ways to resist DoS, but they add engineering cost.

-tom
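The key-substitution scenario above, as an added example that is not code from the post, from TextSecure or from Open Whisper Systems: a small Python simulation in which Bob fetches Alice's prekey from a server, encrypts to whatever key he is handed, and Alice and an attacker each try to decrypt. It runs the honest server (Bob gets KeyA), the lying server (Bob gets KeyF, Alice cannot decrypt, the holder of KeyF can), and the lying server with Bob checking the fetched key against a fingerprint of KeyA that he is assumed to have learned out of band. The Diffie-Hellman parameters (a Mersenne prime and generator 3), the HMAC-based stream cipher, and the `PrekeyServer` / `LyingPrekeyServer` / `fingerprint` names are all assumptions made for the illustration, not anything the real protocol specifies; the DH group in particular is a toy choice that only serves to make the arithmetic work offline.

```python
"""Simulation of a prekey server handing out a fraudulent key (KeyF) in
place of Alice's legitimate key (KeyA). Toy crypto for illustration only."""
import hashlib
import hmac
import secrets

# Toy DH parameters (assumption): 2**521 - 1 is prime, so the arithmetic
# works, but this is NOT a safe group choice for real use.
P = 2**521 - 1
G = 3
KEY_BYTES = 66  # enough to hold any value below 2**521


def keygen():
    """Return (private, public) for a toy DH key pair."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")


def fingerprint(pub):
    """Short hash of a public key, the thing a user would compare out of band."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def _derive(secret):
    enc_key = hashlib.sha256(b"enc" + secret).digest()
    mac_key = hashlib.sha256(b"mac" + secret).digest()
    return enc_key, mac_key


def _keystream(key, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def encrypt(secret, plaintext):
    """Encrypt-then-MAC with a fresh per-message shared secret (so no nonce)."""
    enc_key, mac_key = _derive(secret)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, "sha256").digest()


def decrypt(secret, blob):
    """Return the plaintext, or None if the key is wrong (MAC fails)."""
    enc_key, mac_key = _derive(secret)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


class PrekeyServer:
    """Honest server: returns the key the user uploaded (KeyA)."""
    def __init__(self):
        self.store = {}

    def upload(self, user, pub):
        self.store[user] = pub

    def fetch(self, user):
        return self.store[user]


class LyingPrekeyServer(PrekeyServer):
    """Colluding or compelled server: substitutes the attacker's key (KeyF)."""
    def __init__(self, attacker_pub):
        super().__init__()
        self.attacker_pub = attacker_pub

    def fetch(self, user):
        return self.attacker_pub


def run(server, alice_priv, attacker_priv, expected_fp=None):
    """Bob sends one message to Alice via `server`.
    Returns (what_alice_reads, what_attacker_reads, bob_refused_to_send)."""
    key_for_alice = server.fetch("alice")
    if expected_fp is not None and fingerprint(key_for_alice) != expected_fp:
        return None, None, True  # fetched key does not match the out-of-band fingerprint
    bob_priv, bob_pub = keygen()  # ephemeral key for this message
    blob = encrypt(shared_secret(bob_priv, key_for_alice), b"meet at noon")
    # bob_pub and blob are what a network attacker (or the server) gets to see.
    alice_read = decrypt(shared_secret(alice_priv, bob_pub), blob)
    attacker_read = decrypt(shared_secret(attacker_priv, bob_pub), blob)
    return alice_read, attacker_read, False


def scenarios():
    alice_priv, alice_pub = keygen()
    attacker_priv, attacker_pub = keygen()
    honest = PrekeyServer()
    honest.upload("alice", alice_pub)
    lying = LyingPrekeyServer(attacker_pub)
    lying.upload("alice", alice_pub)  # KeyA is stored but never handed out
    fp = fingerprint(alice_pub)  # assumed to reach Bob out of band
    return {
        "honest": run(honest, alice_priv, attacker_priv),
        "lying": run(lying, alice_priv, attacker_priv),
        "lying_with_fp_check": run(lying, alice_priv, attacker_priv, fp),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The honest run returns (plaintext, None, False); the lying run returns (None, plaintext, False), which is exactly the outcome in the post where Alice cannot decrypt and the key holder can; the fingerprint-checked run returns (None, None, True) because Bob refuses to encrypt to a key that does not match what he verified out of band. The check is only as good as the out-of-band channel, and nothing in it removes the server's ability to withhold or delay prekeys.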



More information about the liberationtech mailing list