[Cryptography] What is a secure conversation? (Was: online forums...)

ianG iang at iang.org
Sun Dec 29 23:28:00 EST 2013


On 29/12/13 00:16 AM, Jerry Leichter wrote:
> On Dec 28, 2013, at 11:49 AM, Phillip Hallam-Baker wrote:
>> ...At some point it is going to be easier to design one protocol that
>> supports all the different messaging modes with security built in
>> rather than working out how to back-fit security into each legacy
>> protocol separately....
> Except that there is a line at synchronous vs. asynchronous
> communication that divides mechanisms with fundamentally different
> characteristics.  Synchronous communication can have perfect forward
> security; asynchronous communications cannot.


Is that really the case?  Synchronous comms can be recorded on or at the 
node; it is only "on the wire" that it is somewhat easy to do things 
like expunging ephemeral keys, but we've known for a long time that what 
we can do on the wire does not mean that this is the security job done.

In the alternate, asynchronous comms can have the same characteristic, 
if the defence is deleting the keys.

> This division bothers me.  It seems to me there's something missing in
> our descriptions so that we fail to capture the nature of this
> distinction.  It feels as if there should be a continuum here, where you
> get full PFS for communications with an arbitrarily short lifetime,
> degenerating into the usual more limited guarantees for things that are
> stored long term.  And I suppose you could come up with a simple theory
> along that line, where you need to retain keying material only as long
> as some message isn't delivered.  But this seems very forced and
> unnatural.  I think we're missing something.


Maybe it is just that with sync comms, we typically negotiate the 
ephemeral key because we can in a handshake.  There is a handshake, so 
we tap in the ephemeral keys and use that.

Whereas with async comms, there is an assumption of fire-and-forget, no 
handshake.  So can we add the handshake back in?

If it was the old PGP days, no way.  But if the mail client is even 
slightly aware, why not?  If a client can receive and process a mail, 
why can't it talk to the other client and set up?

For those who've used OTR over gmail chat, one sees this live: the 
OTR-aware client senses the handshake message over the chat, and if 
there isn't an OTR-aware client on the other end (e.g., ordinary gmail 
chat) then the user says "what's that?"



iang
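The "handshake added back into async" idea above, worked through as an added example (not code from this thread, from OTR or from any mail client): the recipient publishes one-time Diffie-Hellman halves ahead of time, the sender completes the exchange with a fresh ephemeral half and forgets it, and the recipient deletes its half the moment the message is decrypted, so a stored envelope cannot be reopened later even by the parties themselves. The group, the prekey-id scheme and the HMAC keystream are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only: 2^127 - 1 is prime but far
# too small for real use; the delete-on-use mechanism is the point.
P = (1 << 127) - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def session_key(their_pub, my_priv):
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()

def stream_xor(key, data):
    # HMAC-SHA256 counter-mode keystream: an unauthenticated toy, not an AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Recipient:
    # Publishes one-time DH halves in advance (the handshake done early) and
    # drops each private half the moment it has been used.
    def __init__(self):
        self._prekeys = {}  # prekey id -> private exponent

    def publish_prekey(self):
        priv, pub = keypair()
        pid = secrets.token_hex(4)
        self._prekeys[pid] = priv
        return pid, pub

    def receive(self, envelope):
        pid, sender_pub, ct = envelope
        priv = self._prekeys.pop(pid)  # delete-on-use: KeyError if seen again
        return stream_xor(session_key(sender_pub, priv), ct)

def send(prekey, message):
    # Fire-and-forget: the sender keeps no secret that can reopen the envelope.
    pid, their_pub = prekey
    eph_priv, eph_pub = keypair()
    ct = stream_xor(session_key(their_pub, eph_priv), message)
    return pid, eph_pub, ct
```

Run `bob = Recipient(); env = send(bob.publish_prekey(), b"meet at noon"); bob.receive(env)`; a second `bob.receive(env)` raises KeyError because the only material that unlocked it no longer exists, which is the "retain keying material only as long as some message isn't delivered" continuum made concrete.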


