[Cryptography] Ratcheting

Ralf Senderek crypto at senderek.ie
Mon Aug 31 14:16:50 EDT 2015


On Mon, 31 Aug 2015 10:28:52 Tobias Brennan writes:

> What sorts of attacks exist that might be able to compromise temporary
> secret keys during a conversation? Some ideas:

> * (T1) someone could take the device Bob is using to talk to Alice.
> * (T2) an active attacker might perform an exploit on the software and
>   do a heartbleed style memory read to compromise the keys
> * (T3) same as T2 but full remote code execution
> * anything missing here?

You asked for a realistic threat model. In the case of T2, when someone is able
to read substantial parts of the memory, there is not much left to protect.
But I think the more realistic attack is the effect of malware on a user's
computer that allows "full remote code execution" with the user's access
permissions. In this case I find the idea interesting to *separate* the
secret key used to encrypt the conversation from the process environment
the user (and the malware) has access to.

There are several methods to perform this separation. One is to put the
message keys on separate hardware (like the Crypto Bone) and another
method is to place the secret key into a space where a process with
higher access permissions can read it and allow the user (and the malware)
to authorize the use of these secrets by carefully crafted code that
elevates the permission for the required action. It is essential that
neither the user nor the malware can change this code. In this case
the user can be impersonated by the malware but the secret keys remain
unknown to the attacker, so that m2, m3, ... cannot be decrypted.

And of course there is a combination of both.

      --ralf
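The separation Ralf describes, as an added example that is not part of the original post: a Python sketch in which a child process stands in for the higher-privileged key holder, and the user-side code can only ask it, over a pipe, to encrypt or decrypt numbered messages. The per-message key derivation, the toy cipher and the request protocol are assumptions made for illustration, not the Crypto Bone's or anyone's shipped code.

```python
import hashlib
import hmac
import multiprocessing as mp
import os

TAG_LEN = 32  # HMAC-SHA256 tag appended to every ciphertext

def _message_key(root_key: bytes, n: int) -> bytes:
    # Hypothetical derivation of the n-th message key from the root secret.
    return hmac.new(root_key, n.to_bytes(8, "big"), hashlib.sha256).digest()

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream; illustrative, not a vetted cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _agent(conn) -> None:
    """Privileged side: root_key exists only in this process's memory."""
    root_key = os.urandom(32)  # stands in for a key only a higher-privileged user can read
    while True:
        req = conn.recv()
        if req is None:
            break  # shutdown; the key dies with the process
        op, n, data = req
        mk = _message_key(root_key, n)
        if op == "encrypt":
            body = _keystream_xor(mk, data)
            conn.send(body + hmac.new(mk, n.to_bytes(8, "big") + body, hashlib.sha256).digest())
        else:
            body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
            expect = hmac.new(mk, n.to_bytes(8, "big") + body, hashlib.sha256).digest()
            conn.send(_keystream_xor(mk, body) if hmac.compare_digest(tag, expect) else None)

class KeyClient:
    """User-side handle: holds a pipe end and a process handle, never key material."""
    def __init__(self) -> None:
        self._conn, child = mp.Pipe()
        self._proc = mp.Process(target=_agent, args=(child,))
        self._proc.start()
        child.close()
    def encrypt(self, n: int, plaintext: bytes) -> bytes:
        self._conn.send(("encrypt", n, plaintext))
        return self._conn.recv()
    def decrypt(self, n: int, ciphertext: bytes):
        self._conn.send(("decrypt", n, ciphertext))
        return self._conn.recv()  # None when the tag does not verify
    def close(self) -> None:
        self._conn.send(None)
        self._proc.join()
```

Anything running with the user's permissions can still drive `encrypt` and `decrypt` through the handle, which is the impersonation the post accepts; what it cannot do is read `root_key` out of its own address space.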