[Cryptography] What is a secure conversation? (Was: online forums...)

Theodore Ts'o tytso at mit.edu
Mon Dec 30 18:14:02 EST 2013


On Mon, Dec 30, 2013 at 03:35:01PM -0500, Jerry Leichter wrote:
> After some more thinking about this: Yes, the difference is
> fundamental; but the terms "synchronous" and "asynchronous" are
> almost incidental.
> 
> What's really different is whether there needs to be a round-trip
> communication before new data can be transmitted.

Yes.

> This is why
> chat with OTR can't be easily converted to "email with OTR", unless
> you're willing to go back to pre-SMTP, pre-queued messaging.
> (Which, BTW, is not as absurd an idea as it appears.  The Internet
> isn't what it was back when SMTP was designed.  Most hosts are up
> most of the time; most connections are live most of the time.
> Mobile hosts excepted - and they have other issues.)

I suspect a number of us have the use case (I certainly do) where I
invest my laptop with far more trust than my SMTP/IMAP server.  So in
that sense, my Linux laptop is "mobile", although it's not a mobile
handset in the way most people use the word "mobile."

My laptop is certainly not on the internet all of the time, and when
it is on the network, it may be behind some NAT box, hotel network,
etc.  So for me, using a PGP mail paradigm for my secure e-mail makes
a lot of sense.  Granted, this may not be a model that works for most
consumers, especially those who are using things like Chromebooks,
Windows 8 tablets, or other "thin clients".  (And apparently the NSA
is planning on moving strongly to thin clients to make it a lot harder
for a future insider leaker.  :-P)

> When you look at it this way, the magic properties of PFS seem much
> less magic. If I'm communicating with you, we could establish a key,
> then after each message replace the key by its one-way hash and
> discard the previous key.

That's certainly an interesting idea.  Obviously we'd want to have
some kind of sequence number embedded in the cleartext to make it
easier to handle the case where the messages get received out of
order, but that's an implementation detail.

If we assume that the NSA can't vacuum up all of the e-mail messages,
then this could very well frustrate them if they lose an intervening
message.  Of course, this isn't something that the participants can
count upon.  This might not provide additional security in the case of
a user who is keeping local archives of sent messages (and the NSA
manages to seize or otherwise compromise one of the communicating
party's MUA), or if the e-mail quoting contains portions of previous
mail messages.

But if this could be made sufficiently easy to use, the benefits could
easily outweigh the costs of such a scheme.

					- Ted
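The scheme discussed above (replace the key by its one-way hash after each
message, with a sequence number in the cleartext so out-of-order delivery can
be handled), as an added illustration that is not code from the thread or from
either author.  It assumes a 32-byte shared secret already established out of
band, and it stands in a toy encrypt-then-MAC built from HMAC-SHA256 for a
real cipher; the demo secret and messages are constructed for the example.

```python
"""Hash-ratchet messaging with sequence numbers and out-of-order receipt.

Added illustration, not code from the mailing-list thread.
Assumptions (not in the original): a 32-byte shared secret already exists,
and the toy AEAD below stands in for a real authenticated cipher.
"""
import hashlib
import hmac
import struct

MAX_SKIP = 1000          # bound on keys parked for not-yet-seen messages


def ratchet(chain_key: bytes) -> bytes:
    """Replace the chain key by its one-way hash; the old key is discarded."""
    return hashlib.sha256(b"ratchet" + chain_key).digest()


def message_key(chain_key: bytes) -> bytes:
    """Per-message key, separate from the chain state so a parked key for a
    late message does not reveal the chain key it came from."""
    return hmac.new(chain_key, b"message", hashlib.sha256).digest()


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, header + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(msg_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC.  The sequence number rides in the cleartext header
    and is bound by the tag; the message key is used exactly once."""
    header = struct.pack(">Q", seq)
    enc_key = hmac.new(msg_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(msg_key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, header, len(plaintext))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unseal(msg_key: bytes, blob: bytes) -> bytes:
    header, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    enc_key = hmac.new(msg_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(msg_key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, header, len(ct))))


class Sender:
    def __init__(self, shared_key: bytes):
        self.chain_key, self.seq = shared_key, 0

    def send(self, plaintext: bytes) -> bytes:
        mk = message_key(self.chain_key)
        self.chain_key = ratchet(self.chain_key)     # previous chain key is gone
        blob = seal(mk, self.seq, plaintext)
        self.seq += 1
        return blob


class Receiver:
    def __init__(self, shared_key: bytes):
        self.chain_key, self.next_seq, self.skipped = shared_key, 0, {}

    def receive(self, blob: bytes) -> bytes:
        seq = struct.unpack(">Q", blob[:8])[0]
        if seq in self.skipped:                      # late arrival of a gap message
            mk = self.skipped.pop(seq)
        elif seq >= self.next_seq:
            if seq - self.next_seq > MAX_SKIP:
                raise ValueError("too many skipped messages")
            while self.next_seq < seq:               # park keys for the gap, ratchet past it
                self.skipped[self.next_seq] = message_key(self.chain_key)
                self.chain_key = ratchet(self.chain_key)
                self.next_seq += 1
            mk = message_key(self.chain_key)
            self.chain_key = ratchet(self.chain_key)
            self.next_seq += 1
        else:
            raise ValueError("replayed or already-consumed sequence number")
        return unseal(mk, blob)


def demo():
    """Three messages delivered 0, 2, 1; then a replay of message 1."""
    shared = hashlib.sha256(b"constructed demo secret").digest()   # constructed
    alice, bob = Sender(shared), Receiver(shared)
    blobs = [alice.send(m) for m in (b"first", b"second", b"third")]
    got = [bob.receive(blobs[i]) for i in (0, 2, 1)]
    try:
        bob.receive(blobs[1])
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return got, replay_rejected, len(bob.skipped)
```

Two properties of this construction are worth keeping in mind.  Going
backward is what the hash stops: a party or attacker holding the chain key
after message n cannot recover the keys for messages before n.  Going forward
it does not: whoever holds the chain key at any point can derive every later
key by hashing, so the receiver must actually delete old chain keys, and the
parked keys in `skipped` are the one place old material lingers, which is why
the example bounds them with MAX_SKIP.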

