[messaging] How secure is TextSecure?

Trevor Perrin trevp at trevp.net
Sat Nov 1 00:50:16 PDT 2014


On Sat, Nov 1, 2014 at 12:24 AM, Moxie Marlinspike
<moxie at thoughtcrime.org> wrote:
>> Rather puzzling, however: 1. They
>> claim that HMAC(key=constant, message=secret) is not provably a PRF.
>
> What's more puzzling is that we're not doing that.  We do
> HMAC(key=secret, message=constant).

They're talking about HKDF and the constant salt.  This is standard -
TextSecure does not have signed nonces to serve as an HKDF salt, so
the salt is constant (all zeros), per RFC 5869 or Hugo Krawczyk's
paper.

Moxie had good explanations of the other issues.


Trevor


More information about the Messaging mailing list