[messaging] "stxt", by Graydon Hoare
trevp at trevp.net
Mon Apr 28 07:03:23 PDT 2014
On 4/22/14, 9:17 AM, Brian Warner wrote:
> My coworker Graydon (inventor of Monotone and Rust, and absolutely
> brilliant all-around genius, IMHO), asked me to forward along this
> description of an encrypted group-messaging system he's been
> working on, originally named "sneakertext" but now abbreviated to

There may be ideas here relevant to the multiparty message order /
transcript consistency discussion (and "KleeQ", which this is based
on, seems also relevant).

But this simplifies the authentication from KleeQ in a way that seems
insecure to me.

In particular, there are no long-term public keys. Group key
agreement is done using unauthenticated DH. So an active attacker
could easily become a MITM between participants.

For authentication, there's mention of "triangulation" where Alice
authenticates Bob by sending a nonce to Charlie and asking him to
forward it to Bob, who then sends it back to her. This is intended to
confirm that Charlie's Bob is the same as Alice's Bob. But a MITM
could simply forward the nonces.

The "traditional" approach is probably better: use identity public
keys and authenticated key agreement, and have parties corroborate Bob
by comparing their view of Bob's public key.

Another issue, inherited from KleeQ, is that messages within a group
are authenticated using only the group symmetric key. So I think
any member within a group could forge messages claiming to come from

For message authentication, it's probably better to either:

(a) Use an ephemeral/deniable signing key to sign messages encrypted
with the group symmetric key (like mpOTR); or

(b) Use pairwise symmetric keys between participants (like TextSecure).
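
The group-key authentication issue and option (b) from the message above, as an added example that is not part of the original message and is not code from stxt, KleeQ or TextSecure: it contrasts one shared group MAC key with pairwise MAC keys. The member names, HMAC-SHA256, the tag layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MEMBERS = ["alice", "bob", "charlie"]  # constructed group for the example

def tag(key: bytes, sender: str, body: bytes) -> bytes:
    """HMAC-SHA256 over the claimed sender and the message body."""
    # Length-prefix the sender so (sender, body) pairs cannot collide.
    data = len(sender).to_bytes(2, "big") + sender.encode() + body
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_group(group_key, sender, body, mac) -> bool:
    """Scheme 1: every member authenticates with the one shared group key."""
    return hmac.compare_digest(tag(group_key, sender, body), mac)

def make_pairwise_keys(members):
    """Scheme 2: one independent key per unordered pair of members."""
    keys = {}
    for i, a in enumerate(members):
        for b in members[i + 1:]:
            keys[frozenset((a, b))] = os.urandom(32)
    return keys

def send_pairwise(keys, sender, body, members):
    """Sender computes one tag per recipient, each under that pair's key."""
    return {r: tag(keys[frozenset((sender, r))], sender, body)
            for r in members if r != sender}

def verify_pairwise(keys, receiver, sender, body, mac) -> bool:
    """Receiver checks the tag under the key it shares only with `sender`."""
    pair_key = keys[frozenset((sender, receiver))]
    return hmac.compare_digest(tag(pair_key, sender, body), mac)

def demo():
    group_key = os.urandom(32)
    keys = make_pairwise_keys(MEMBERS)
    body = b"meet at noon"
    # Charlie holds group_key, so a tag he computes for "bob" verifies for Alice.
    forged_group = verify_group(group_key, "bob", body, tag(group_key, "bob", body))
    # With pairwise keys Charlie only holds alice-charlie; Alice checks alice-bob.
    charlie_tag = tag(keys[frozenset(("alice", "charlie"))], "bob", body)
    forged_pair = verify_pairwise(keys, "alice", "bob", body, charlie_tag)
    genuine = send_pairwise(keys, "bob", body, MEMBERS)["alice"]
    return forged_group, forged_pair, verify_pairwise(keys, "alice", "bob", body, genuine)
```

Under the group key, a valid tag only shows that some member produced the message; under pairwise keys Alice accepts a message as Bob's only if the tag verifies under the key she shares with Bob alone.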