[Cryptography] Asynchronous forward secrecy encryption

Felix Ruzzoli memmaker at 32kb.org
Tue Oct 29 13:49:33 EDT 2013


> I've been thinking about this for a while now and I don't see a way to
> do this with today's mobile devices without some external help.
>
> The issue is that it's pretty much impossible to delete data securely
> from a flash device.  That means that in order to guarantee PFS, you
> have to store the keys in memory only.  But again, in a mobile
> environment, you don't have access to stable memory either, because of
> the OS restarting your app, or the device itself rebooting.
>
> Let's call this the persistence/deletion issue.
>
> So, I submit that PFS in async messaging is impossible without help from
> some kind of ephemeral, yet persistent storage.  A possible solution
> might be to store a portion of the key material (through Shamir's secret
> sharing) on servers that you partially trust.
I believe that the memory on current smartphones running Android is stable enough for the purpose.

I have a setup where the server stores some pre-generated DH keys in memory only. Clients would query for a key for every message they want to send in order to complete the DH agreement and send the encrypted message plus the public key needed for the other party's part of the protocol.

So obviously there is a small gap. If the process has been killed in between, the private key for decrypting that last message is lost. The best we can do in that case is to tell the other party that we could not decrypt that last message and they'd have to resend with a fresh key we just sent along.

Apart from the problem stated in the last paragraph, that would enable PFS with asynchronous messages with a relatively simple protocol. Or am I missing something here?

Regards,
felix
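The exchange sketched above, as an added example that is not part of the original post: a recipient app keeps the private halves of pre-generated DH keys in process memory only, publishes the public halves to a server, and a sender consumes one of them per message. It also models the gap Felix mentions: if the app restarts before the message arrives, the private key is gone, the recipient answers "undecryptable" and hands over a fresh key, and the sender re-encrypts to that. The assumptions are mine: the server holds only public halves, prekeys are identified by a small integer id, the DH group is a toy one (the Mersenne prime 2^127-1, far too small for real use) so that the protocol flow rather than the arithmetic is the point, and the SHA-256 keystream plus HMAC is a stand-in for a real AEAD.

```python
import hashlib
import hmac
import secrets

# Toy DH group (assumption for this example, NOT secure): 2^127-1, generator 3.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_keys(shared, sender_pub, recipient_pub):
    # Bind both public values into the derivation so a ciphertext cannot be
    # re-presented under a different key exchange.
    transcript = b"%d|%d|%d" % (shared, sender_pub, recipient_pub)
    enc_key = hashlib.sha256(b"enc" + transcript).digest()
    mac_key = hashlib.sha256(b"mac" + transcript).digest()
    return enc_key, mac_key


def xor_stream(key, data):
    # SHA-256 counter-mode keystream: demonstration stand-in, not a vetted cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_to(prekey_id, recipient_pub, plaintext):
    """Sender side: a fresh ephemeral DH key per message; the envelope carries
    the sender's public value so the recipient can finish the agreement."""
    eph_priv, eph_pub = dh_keypair()
    shared = pow(recipient_pub, eph_priv, P)
    enc_key, mac_key = derive_keys(shared, eph_pub, recipient_pub)
    ct = xor_stream(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    # eph_priv goes out of scope here: the sender cannot decrypt this later.
    return {"prekey_id": prekey_id, "sender_pub": eph_pub, "ct": ct, "tag": tag}


class Server:
    """Hypothetical server: stores public prekeys only, hands each out once."""
    def __init__(self):
        self.prekeys = {}  # user -> list of (prekey_id, pub)

    def upload(self, user, bundle):
        self.prekeys.setdefault(user, []).extend(bundle)

    def fetch_prekey(self, user):
        return self.prekeys[user].pop(0)


class Device:
    """Recipient app: private halves live in this dict only (process memory)."""
    def __init__(self, user):
        self.user = user
        self.privs = {}
        self.next_id = 0

    def make_prekeys(self, n):
        bundle = []
        for _ in range(n):
            priv, pub = dh_keypair()
            self.privs[self.next_id] = priv
            bundle.append((self.next_id, pub))
            self.next_id += 1
        return bundle

    def publish(self, server, n):
        server.upload(self.user, self.make_prekeys(n))

    def restart(self):
        # Simulates the OS killing the app: memory-only private keys vanish.
        self.privs.clear()

    def receive(self, env):
        priv = self.privs.pop(env["prekey_id"], None)  # pop: key deleted after use
        if priv is None:
            # The gap described in the post: ask for a resend with a fresh key.
            (fresh_id, fresh_pub), = self.make_prekeys(1)
            return None, {"error": "undecryptable", "fresh_prekey": (fresh_id, fresh_pub)}
        recipient_pub = pow(G, priv, P)
        shared = pow(env["sender_pub"], priv, P)
        enc_key, mac_key = derive_keys(shared, env["sender_pub"], recipient_pub)
        expected = hmac.new(mac_key, env["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, env["tag"]):
            return None, {"error": "bad_tag"}
        return xor_stream(enc_key, env["ct"]), None


def run_scenario(kill_between=False):
    """Alice -> Bob via the server; returns (plaintext, attempts needed)."""
    server, bob = Server(), Device("bob")
    bob.publish(server, 3)
    env = encrypt_to(*server.fetch_prekey("bob"), b"hello bob")
    if kill_between:
        bob.restart()  # Bob's app is killed before the message is read
    pt, err = bob.receive(env)
    if err is None:
        return pt, 1
    # Resend path: Alice re-encrypts to the fresh key Bob sent with the error.
    pt2, err2 = bob.receive(encrypt_to(*err["fresh_prekey"], b"hello bob"))
    return pt2, 2 if err2 is None else None
```

Two things worth noticing when running it: `receive` pops the private key on first use, so presenting the same envelope twice fails the same way a post-restart delivery does, which is what gives forward secrecy for the delivered message; and the resend path costs exactly one round trip and one message that the sender must still have available to re-encrypt, which is the trade-off Felix is pointing at.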