[Cryptography] Hohha quantum resistant end-to-end encryption protocol draft

Ersin Taskin hersintaskin at gmail.com
Thu Nov 22 14:38:39 EST 2018


On Thu, Nov 22, 2018 at 1:11 AM Bertrand Mollinier Toublet <
crypto-metzdowd at bmt-online.org> wrote:

>
> > On Nov 21, 2018, at 7:31 AM, Ersin Taskin <hersintaskin at gmail.com>
> wrote:
> >
> > [snip]
>
> > So, I think the PSK scheme is interesting. In fact, I cannot think of
> another option for an ultimately secure messaging system. I wonder why it
> is not mainstream; I don't know a messaging system that is PSK based or has
> a PSK option. However, once you have PSK, never go below. Once parties bother
> with physical contact for PSK initialization, the rest must be based on a simple
> protocol which never goes outside the PSK initialization scheme. No online
> key exchange, no asymmetric encryption, nothing fancy/sexy/complex.
> >
>
> I disagree that “online key exchange” and “fancy/sexy” schemes “go
> below” what PSK offers. As an example, let me refer you to MSL (
> https://github.com/netflix/msl) and specifically the Authenticated
> Diffie-Hellman key exchange section thereof (
> https://github.com/Netflix/msl/wiki/Authenticated-Diffie-Hellman-Key-Exchange
> ).
>
> The high level point: Authenticated Diffie-Hellman builds on top of a PSK
> use case, where both the (Netflix) device and the backend endpoint share
> the same key. We recognize though, that, with perfect forward secrecy in
> mind, it is not a particularly good idea to protect any on the wire message
> with the shared keys, and instead we proceed with a Diffie-Hellman key
> exchange, followed by further derivation of key material from the computed
> shared secret, with one of the shared keys.
>
> Should the shared set of keys ever be broken, captured past on-the-wire
> messages would not be decryptable by an attacker, because the attacker
> could not know the shared secret or anything deriving therefrom.
>
>
> In other words, reusing some of your vocabulary, we start from a PSK
> situation, but the Authenticated Diffie Hellman scheme allows us to go up
> from there to add PFS properties.
>

I think you confuse the persistent keys (PSK) with the session keys due to my
failure to explain clearly. Remember the context of the above summary
paragraph was criticizing the renewal of the PS keys in the Hohha protocol.
I say “you are saved from AE already,” not DH. I meant “don’t dictate to
renew the persistent keys on-line within some period M or number of
messages N”.

Thanks for sharing the links, which provide a good solution on the PSK
scheme I have in mind to secure the session with PFS.

Let me explain my context more clearly to prevent further confusion.

We aim at an ultimately secure messaging system, which can communicate through
any channel (on the Internet) and store its messages anywhere (in the
cloud). The only constraint is the communication device. You can only use
one mobile device to read and write your messages, i.e. the messages are
plain text only on your mobile device screen. So the mobile device to use
with the PSK option is always with you like an extension of your body (just
like most people:)), unlike the set top box use case you mention. I will
not go into the details of the mobile device implementation of a trusted
execution environment at this level. You can imagine a smart phone designed
for the PSK option or any mobile phone with an extension to fit the scheme. I
think this is close to what the Hohha creator(s) have in mind.

You create, store and share your PSKs only with your PSK mobile device. You
share them only offline, requiring physical/proximity contact. This provides
the root of trust for message communication in the PSK scheme I have in
mind. Session security can be done via Authenticated Diffie-Hellman.

Some further clarification: Once the message is received, it is persisted
anywhere by the receiver, who does not need the session keys to read the
message any longer. But this is not the case for the MITM. Session keys are
used to secure the communication for long-term persistence against a MITM. A MITM
can store communication and wait a long time until he can get the PS keys. The PSK
scheme is the persistent keys scheme. It is an alternative to AE, not DH.
Session key management is another layer built on top.

The cloud storage service user credentials must be created, stored and
managed independently (in your brain for instance). If they are compromised
your data is safe because the attacker needs the relevant PS keys. If for
some reason your PS key is compromised, which should be extremely difficult
and involve physical contact, then you have a safety window to secure your
cloud service credentials, and once again the communication the MITM had stored
is also safe thanks to the ADH session key scheme.
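The layering described in this message (a PSK shared offline as the root of trust, then an authenticated Diffie-Hellman exchange that yields a forward-secret session key) as an added example; this is not code from the original post, from the Hohha protocol, or from Netflix MSL. It uses only the Python standard library, with X25519 written inline per RFC 7748. The wire message layout (ephemeral public key followed by an HMAC tag), the label strings, the Party class and the sample PSK are assumptions made for illustration.

```python
# Added example, not from the original post or the Hohha/MSL projects:
# PSK-authenticated Diffie-Hellman. The PSK never goes on the wire; it only
# keys the HMAC that authenticates each side's ephemeral X25519 public key
# and salts the final key derivation. Names, labels and framing are assumed.
import hashlib
import hmac
import os

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (A - 2) / 4 for A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 Montgomery ladder)."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64                       # clamp the scalar as RFC 7748 requires
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Party:
    """One endpoint holding a PSK that was shared offline (assumed framing)."""

    def __init__(self, name: str, psk: bytes, eph_priv=None):
        self.name = name.encode()
        self.psk = psk
        # Long-term MAC key derived from the PSK; the PSK itself stays on the device.
        self.mac_key = hkdf_sha256(psk, b"", b"example-adh auth")
        # Fresh ephemeral key per session, erased once the session key exists.
        self._eph_priv = eph_priv or os.urandom(32)
        self.eph_pub = x25519(self._eph_priv, BASEPOINT)

    def hello(self) -> bytes:
        """On-the-wire message: ephemeral public key || HMAC(name || pub) under the PSK-derived key."""
        tag = hmac.new(self.mac_key, self.name + self.eph_pub, hashlib.sha256).digest()
        return self.eph_pub + tag

    def finish(self, peer_name: str, peer_hello: bytes) -> bytes:
        """Check the peer proved PSK possession, then derive the session key."""
        if self._eph_priv is None:
            raise RuntimeError("session already established; ephemeral key erased")
        peer_pub, tag = peer_hello[:32], peer_hello[32:]
        expected = hmac.new(self.mac_key, peer_name.encode() + peer_pub, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("peer hello not authenticated: PSK mismatch or tampering")
        shared = x25519(self._eph_priv, peer_pub)
        self._eph_priv = None            # forward secrecy: nothing kept that recomputes 'shared'
        # Bind the key to both ephemeral publics (order-independent) and salt with the PSK.
        transcript = b"".join(sorted([self.eph_pub, peer_pub]))
        return hkdf_sha256(shared, self.psk, b"example-adh session" + transcript)


def demo() -> dict:
    """Run one honest handshake and one impostor attempt; returns the outcomes."""
    psk = os.urandom(32)                 # constructed: in practice created and shared in person
    alice, bob = Party("alice", psk), Party("bob", psk)
    a_hello, b_hello = alice.hello(), bob.hello()      # the only two messages a MITM sees
    k_alice = alice.finish("bob", b_hello)
    k_bob = bob.finish("alice", a_hello)
    mallory = Party("alice", os.urandom(32))            # claims to be alice, lacks the PSK
    try:
        Party("bob", psk).finish("alice", mallory.hello())
        impostor_rejected = False
    except ValueError:
        impostor_rejected = True
    return {"agree": k_alice == k_bob, "impostor_rejected": impostor_rejected}


if __name__ == "__main__":
    print(demo())
```

The two hello messages are all a recording adversary ever gets; a later theft of the PSK lets him forge future hellos but does not recover the ephemeral X25519 private keys, so recorded sessions stay sealed, which is the PFS property the quoted MSL description relies on. The session key would then feed an AEAD for the actual messages (not in the standard library, so not shown).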