[Cryptography] [cryptography] Asynchronous forward secrecy encryption

Eugen Leitl eugen at leitl.org
Fri Sep 27 06:49:29 EDT 2013

----- Forwarded message from zooko <zooko at zooko.com> -----

Date: Fri, 27 Sep 2013 00:08:32 +0400
From: zooko <zooko at zooko.com>
To: Michael Rogers <michael at briarproject.org>
Cc: Randombit List <cryptography at randombit.net>
Subject: Re: [cryptography] Asynchronous forward secrecy encryption
User-Agent: Mutt/1.5.21 (2010-09-15)

Let me just mention that this conversation is AWESOME. I only wish the folks
over at Perry's Crypto List (http://www.metzdowd.com/pipermail/cryptography/)
knew that we were having such a great conversation over here.

On Thu, Sep 19, 2013 at 09:20:04PM +0100, Michael Rogers wrote:
> The key reuse issue isn't related to the choice between time-based and message-based updates. It's caused by keys and IVs in the current design being derived deterministically from the shared secret and the sequence number. If an endpoint crashes and restarts, it may reuse a key and IV with new plaintext. Not good.

Another defense against this is to generate the IV from the plaintext, possibly
from the plaintext in addition to other stuff. There are three things that you
might want to throw into your IV generator: 1. the plaintext, 2. a persistent
secret key used only for this purpose and known only to this client, 3. a
random nonce read from the operating system.

I would suggest including 1 and 2 but not 3.

This *could* be seen as an alternative to the defense you described:

> In the new design, the temporary keys are still derived deterministically from the shared secret, but the IVs and ephemeral keys are random.

Or it could be used as an added, redundant defense. I guess if it is an added,
redundant defense then this is the same as including the random nonce -- number
3 from the list above.


cryptography mailing list
cryptography at randombit.net

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130927/1bd0dc5c/attachment.pgp>

More information about the cryptography mailing list