[Cryptography] Double ratchets, useful or PITA?

Ron Garret ron at flownet.com
Thu Oct 5 15:02:01 EDT 2017


On Oct 5, 2017, at 9:50 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:

> I am reading the double ratchet docs again, trying to see if there is any real advantage over just doing a rekey.
> 
> My basic key exchange is to use a 3 or 4 way DH as follows (ignoring the mod p part)
> 
> Sender has long term credential {a, e^a} creates an ephemeral {x, e^x}. Sends public keys e^a, e^x to recipient.
> 
> Receiver has long term credential {b, e^b}, optionally creates an ephemeral {y, e^y}. Sends public keys e^b, e^y to recipient plus a witness value
> 
> Shared secret is s=KDF(e^abxy, m), witness value is KDF(e^abxy, w)
> 
> Receiver also replies with an opaque identifier for the connection of up to 1Kb (or so) which may be kerberos ticket style.
> 
> 
> I am anticipating a situation where Alice and Bob might have tens of different encrypted streams between them simultaneously. They might have a couple of web cams, a chat, shared desktop, etc. Some or all of these may be across different device pairs.
> 
> Yes, I can do the ratchet but it seems to me that it is not buying me a great deal that I can't get better by using the old ticket and shared session key to get a new ticket and session key.
> 
> I can always do s_{n+1} = KDF(e^abxy+s_n, m)
> 
> But what is that really buying me? I cannot expect every party to keep state on every possible sender/receiver pair. So an attacker can always say 'let's set up a completely new session'.
> 
> My protocol already has forward secrecy as the client and server both contribute a nonce per key exchange and discard it.

If it’s helpful, I wrote a Javascript reference implementation of the Signal double-ratchet:

https://github.com/rongarret/ratchet-js/

For session-based comms like real-time chat I think it’s probably worthwhile.  For asynchronous comms, probably not so much.  IMHO.

rg
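As an added illustration of the trade-off under discussion (not code from either poster, nor from ratchet-js), the toy below compares the pure symmetric rekey chain s_{n+1} = KDF(s_n, m) with a step that also mixes in a fresh DH output, the core of what a DH ratchet adds. The prime-field group, the HMAC-based KDF, the labels and the single ephemeral DH standing in for e^abxy are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy DH modulus (Mersenne prime); constructed, not deployable
G = 3            # toy generator

def kdf(*parts: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 keyed with the joined inputs; the label is the message."""
    return hmac.new(b"|".join(parts), label, hashlib.sha256).digest()

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)                    # (x, g^x)

def dh_shared(priv: int, pub: int) -> bytes:
    return pow(pub, priv, P).to_bytes(16, "big")   # g^xy, fits in 16 bytes

def symmetric_step(s_n: bytes) -> bytes:
    """s_{n+1} = KDF(s_n, m): anyone holding s_n derives every later key."""
    return kdf(s_n, label=b"m")

def dh_step(s_n: bytes, fresh_dh: bytes) -> bytes:
    """s_{n+1} = KDF(fresh DH || s_n, m): needs a private ephemeral as well."""
    return kdf(fresh_dh, s_n, label=b"m")

def simulate() -> dict:
    # Initial session key from one ephemeral DH (stand-in for e^abxy).
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    s0 = kdf(dh_shared(x, gy), label=b"m")
    assert s0 == kdf(dh_shared(y, gx), label=b"m")
    # Model: the attacker learns s0, then observes only public values.

    # Symmetric rekey: the leaked key reproduces the next key exactly.
    s1_sym = symmetric_step(s0)
    attacker_sym = symmetric_step(s0)

    # DH-mixed rekey: each side contributes a fresh ephemeral key pair.
    x2, gx2 = dh_keypair()
    y2, gy2 = dh_keypair()
    s1_alice = dh_step(s0, dh_shared(x2, gy2))
    s1_bob = dh_step(s0, dh_shared(y2, gx2))
    # Lacking x2 and y2, the attacker can only feed in the public transcript.
    attacker_dh = dh_step(s0, (gx2 * gy2 % P).to_bytes(16, "big"))

    return {
        "symmetric_chain_recovered": attacker_sym == s1_sym,
        "dh_parties_agree": s1_alice == s1_bob,
        "dh_chain_recovered": attacker_dh == s1_alice,
    }
```

Both chains are one-way in the backward direction, so a later key does not expose s_0; the difference shown here is that only the DH-mixed step denies the holder of s_0 the keys that follow it.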



