[Cryptography] Double ratchets, useful or PITA?
Phillip Hallam-Baker
phill at hallambaker.com
Thu Oct 5 15:13:47 EDT 2017
On Thu, Oct 5, 2017 at 3:02 PM, Ron Garret <ron at flownet.com> wrote:
>
> On Oct 5, 2017, at 9:50 AM, Phillip Hallam-Baker <phill at hallambaker.com>
> wrote:
>
>
> If it’s helpful, I wrote a Javascript reference implementation of the
> Signal double-ratchet:
>
> https://github.com/rongarret/ratchet-js/
>
> For session-based comms like real-time chat I think it’s probably
> worthwhile. For asynchronous comms, probably not so much. IMHO.
>
What I am looking into doing right now is specifying the rekey mechanism
as follows:
* One of the outputs of the HKDF function is a 'RekeySalt' value
* Rekey Messages are authenticated and optionally encrypted under the
previous session key
* The RekeySalt value is the salt for the next HKDF Expand.
One of the peculiarities of the key agreement mechanisms that I am looking
at is that they all seem to be fixated on use of signatures for a key
agreement. Why not use a key agreement for a key agreement?
Both sides contribute an ephemeral key and an identity key, Bam, done!
Both sides are protected against perfidy by the other if they choose a
random ephemeral. It doesn't even need to be secret to protect against
small subgroup games.
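The three-bullet rekey mechanism above, as an added worked example (this is editor-written illustration code, not Phillip's implementation and not code from Ron's ratchet-js). Assumptions: HKDF is HMAC-SHA256 per RFC 5869; the RekeySalt output is fed in as the salt of the next HKDF-Extract (the step that takes a salt in RFC 5869); each epoch's HKDF output is split into a session key, a MAC key and the next RekeySalt; rekey messages carry the epoch number plus a 32-byte contribution (a constructed stand-in for a fresh key-agreement output) and are authenticated, not encrypted, under the previous epoch's MAC key. All key material is constructed sample data.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = 32
INFO = b"rekey-chain-demo"  # constructed context string (assumption)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt -> HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to `length`."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_epoch(ikm: bytes, salt: bytes, epoch: int) -> dict:
    """One HKDF run yields the session key, a MAC key for the NEXT rekey message,
    and the RekeySalt that seeds the NEXT HKDF-Extract (bullet 1 and bullet 3)."""
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, INFO + epoch.to_bytes(4, "big"), 3 * HASH_LEN)
    return {
        "epoch": epoch,
        "session_key": okm[0:32],
        "mac_key": okm[32:64],
        "rekey_salt": okm[64:96],
    }


def initial_state(shared_secret: bytes) -> dict:
    # Epoch 0 has no previous RekeySalt, so HKDF-Extract gets its zero-salt default.
    return derive_epoch(shared_secret, b"", epoch=0)


def next_epoch(state: dict, contribution: bytes) -> dict:
    # The previous epoch's RekeySalt salts the extraction of the new contribution.
    return derive_epoch(contribution, state["rekey_salt"], state["epoch"] + 1)


def build_rekey_message(state: dict, contribution: bytes) -> bytes:
    """Sender side of bullet 2: body = new epoch || contribution, tagged under the
    previous epoch's MAC key so a peer can tell a genuine rekey from an injected one."""
    body = (state["epoch"] + 1).to_bytes(4, "big") + contribution
    tag = hmac.new(state["mac_key"], body, HASH).digest()
    return body + tag


def accept_rekey_message(state: dict, message: bytes) -> dict:
    """Receiver side of bullet 2: verify the tag with the current MAC key before
    touching any key material; reject replays/out-of-order epochs; then ratchet."""
    body, tag = message[:-HASH_LEN], message[-HASH_LEN:]
    expected = hmac.new(state["mac_key"], body, HASH).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("rekey message failed authentication under previous key")
    epoch = int.from_bytes(body[:4], "big")
    contribution = body[4:]
    if epoch != state["epoch"] + 1 or len(contribution) != 32:
        raise ValueError("rekey message has unexpected epoch or contribution length")
    return next_epoch(state, contribution)


# Constructed sample inputs: a shared secret from the initial key agreement and a
# fresh contribution for the first rekey (stand-ins for real key-agreement outputs).
SHARED_SECRET = hashlib.sha256(b"constructed initial shared secret").digest()
CONTRIBUTION = hashlib.sha256(b"constructed fresh ephemeral contribution").digest()


def run_demo() -> bool:
    """Both peers start from the same secret, one sends a rekey, both land on epoch 1."""
    alice = initial_state(SHARED_SECRET)
    bob = initial_state(SHARED_SECRET)
    msg = build_rekey_message(alice, CONTRIBUTION)
    alice = next_epoch(alice, CONTRIBUTION)
    bob = accept_rekey_message(bob, msg)
    return alice == bob and alice["epoch"] == 1


if __name__ == "__main__":
    print("peers agree after rekey:", run_demo())
```

Using a separate MAC subkey rather than the session key itself is a deliberate choice here: the session key then never doubles as a MAC key, and the chaining through `rekey_salt` means a peer that misses or fails to verify one rekey message cannot derive any later epoch.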