[Cryptography] Hohha quantum resistant end-to-end encryption protocol draft

Peter Fairbrother peter at tsto.co.uk
Tue Dec 4 21:25:17 EST 2018


On 04/12/18 00:22, Ismail Kizir wrote:

> After all discussions on this group, I've been convinced to add
> forward secrecy to protocol.
> I've sent privately to some members a week ago, but I didn't want to
> send to group before having updated Whitepaper accordingly.
> Protocol now imposes HKDF described in RFC 5869
> (https://tools.ietf.org/html/rfc5869).
> And it provides forward secrecy.
> I updated Whitepaper accordingly 

That's Good.

Some of the Bad:

1] Still has roll-your-own cipher algorithm.

2] Still has attacker-forcible default to DH, though at least maybe that 
is now postquantum? I didn't look hard.

3] The hybrid DH protocol is FAR too complicated, and there are probably 
half-a-dozen holes in it -

- eg the MITM measures don't work and don't prove anything: sending 
lists of messages to resend is asking for trouble, especially as there 
is no authentication: non-receipt of acknowledgement messages is easy 
for an attacker to fake, as is stealing or breaking or apparently 
breaking Bob's phone: and if FS is implemented properly Alice can't 
resend messages anyway, as she doesn't have the key any more.

I assume MK is updated as mentioned in the FS part.

4] Still uses dedicated server.

5] Still too complicated, asks users to make security judgements.
Suggested solutions:

1] Remove algorithm choice; use only one well-tested cipher algorithm.

2] and 3]  No DH. No real need.

4] Piggyback on some other, preferably encrypted/encryptable, messaging 
protocol's servers.

5] Just doing the above will simplify it to the point where we can see 
the wood from the trees. Then we might get some idea of whether it works 
or not.

(you didn't think that just doing the above would be enough, did you?  :)


Peter Fairbrother
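An added example, not code from this thread or from the Hohha draft: a minimal RFC 5869 HKDF in Python with a one-way key chain built on it, illustrating the point above that once a forward-secret ratchet has advanced, the sender no longer holds the key for an earlier message and so cannot resend it. The chain layout, the `info` label and the class names are assumptions for illustration, not the draft's design.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) | T(2) | ..., with T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


class ForwardSecretSender:
    """Assumed ratchet (not the Hohha draft's): each message derives a fresh
    message key and a new chain key from the current chain key via HKDF, then
    the old chain key is discarded. Earlier message keys cannot be rebuilt."""

    def __init__(self, master_key: bytes):
        self._chain_key = master_key  # MK is replaced on every message
        self.sent = 0

    def next_message_key(self) -> bytes:
        prk = hkdf_extract(b"", self._chain_key)
        okm = hkdf_expand(prk, b"hohha-example-chain", 2 * HASH().digest_size)
        # First half becomes the new chain key, second half the message key;
        # the previous chain key is overwritten and is no longer recoverable.
        self._chain_key, message_key = okm[:32], okm[32:]
        self.sent += 1
        return message_key

    def has_key_for(self, index: int) -> bool:
        """True only for messages not yet sent; a resend request for an older
        index cannot be honoured because that key material was destroyed."""
        return index >= self.sent
```

Both peers seeded with the same master key derive identical key sequences, so legitimate messages still decrypt, while a "please resend message 1" request after the ratchet has moved on has no key to answer it with.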

