[Cryptography] Ratcheting
brennan.tobias at openmailbox.org
brennan.tobias at openmailbox.org
Mon Aug 31 04:28:52 EDT 2015
Hello!
I'd like to open a thread about ratcheting in messaging between two
parties. In particular the security it aims to provide and what threats
it protects against.
# Background
It looks like any good encrypted messenger must include a cryptographic
ratchet [1]: The part of a cryptographic protocol that constantly
refreshes keys to reduce the impact of a key being leaked. A couple
examples of this are the OTR ratchet [2] and Axolotl [3] (also used in
Pond [4]).
I found these protocols a bit complicated and in the interest of
designing something simple got thinking about the purpose of ratchets.
Also correct me if I'm wrong but some of the complexity in the Axolotl
is because it's designed to work over a lot of different transports
including SMS? So if restricted to TCP, a slightly simpler protocol
should be possible.
There seems to be 4 levels of security that are provided by increasingly
strong ratchets:
* (A) None. Alice and Bob just use their public keys to exchange a
secret upon which to build a secure channel.
* (B) Ephemeral key establishment. Alice and Bob generate and exchange
ephemeral keys at the beginning and use those to establish a shared
secret.
* (C) Consistent key update. Like B, but generating or deriving a new
shared secret every few messages.
* (D) Consistent ephemeral key reestablishment. Doing a new ephemeral
key establishment every few messages.
The problem with (A) is that a passive capture of the traffic can be
decrypted if alice or bobs key is compromised in future, (B) fixes this.
(B) should be secure against a man in the middle attack given that the
public private key communication they use is authenticated.
The worry about (B) that demands stronger security is that entire
conversations (that might last days) are encrypted using a single key,
if that key were leaked the entire conversation could be decrypted. (C)
attempts to fix this by "ratcheting" a key forwards (e.g. using a key
derivation function), in that case a compromise at message 'm' only
leads to decryption of later messages: m,m+1,m+2,.. The aim of (D) is to
limit the extent of a compromise to only a short number of messages
after the compromised one: m,m+1,m+2 (say).
# Threat Modelling
My understanding is that (A) is already secure against the Dolev-Yao
model/semantic security, so we are looking for realistic threats outside
of that model. The main one is conversations where Alice and Bob give up
their keys after the conversation and (B) is secure against this.
What sorts of attacks exists that might be able to compromise temporary
secret keys during a conversation? some ideas:
* (T1) someone could take the device Bob is using to talk to Alice.
* (T2) an active attacker might perform an exploit on the software and
do a heartbleed style memory read to compromise the keys
* (T3) same as T2 but full remote code execution
* anything missing here?
Trying to judge the importance of the security of C and D relative to
the cost of implementing them and what resources they require: I don't
think anything cryptographic can protect against T1 so users should
attempt to protect against it with physical security.
C is quite easy to achieve in a couple different ways, only requiring an
erasing PRNG or key derivation function. That protects against T2 and T3
since they older keys will have been erased from memory.
D is what things like OTR and ratchet do, one very heavyweight way to do
it is perform the full ephemeral establishment every message. Or you
could stagger it. This gets complicated and hard to get right. I think
it only protects against T2 though, not T3 so I doubt this is worth it.
A much better way to protect against T2 and T3 would be to secure the
implementation from vulnerabilities. Of course this is hard..
# Questions
What do you think? Is my analysis realistic? What important points am I
missing? Do we know of many real-life examples of attacks that ratchets
have or haven't protected against.
# Links
* [1] https://whispersystems.org/blog/advanced-ratcheting/
* [2] https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html (No explicit
mention of "ratchet" but the section about Exchanging data covers it)
* [3] https://github.com/trevp/axolotl/wiki
* [4] https://pond.imperialviolet.org/tech.html
More information about the cryptography
mailing list