[messaging] Multiple devices and key synchronization: some thoughts

Trevor Perrin trevp at trevp.net
Mon Jan 5 16:18:45 PST 2015


On Mon, Jan 5, 2015 at 6:39 AM, Michael Rogers <michael at briarproject.org> wrote:
>
> On 04/01/15 18:40, Trevor Perrin wrote:
>
>> I was thinking a multidevice approach should have the same
>> flexibility, and should allow fingerprint authentication.  This is
>> possible provided you use signatures from a master key over device
>> keys, or synchronize the master private key to devices.
>
> What do you see as the benefits of fingerprint authentication? I see
> fingerprints as artifacts of our current crappy key distribution
> methods.

I think fingerprints are simple and versatile enough that they'll
always be useful.  I also think better fingerprint formats would
increase their appeal (e.g. using your sentence generator [1]).

But fingerprints (like business cards) were an example.  I think we're
really discussing the value of long-term identity keys:

> If Alice and Bob have established a shared secret (by whatever method)
> and they now have an authenticated channel (e.g. face to face) over
> which they'd like to confirm that they've arrived at the same secret,
> they can derive some values from the secret and compare them. They
> don't need long-term master keys, as far as I can tell.

I agree if Alice and Bob have some authenticated channel then
authentication is already taken care of.  So a long-term "identity" or
"master" public key isn't needed.

But for an email or text-messaging case such a channel might not
exist.  So I've been making different assumptions:
 (a) Alice wants to send Bob a message
 (b) Alice and Bob might have never communicated before
 (c) Bob (and all his devices) might be offline
 (d) Alice might be able to get some "identity info" about Bob's
public keys from a trusted third party (a mutual friend, a social
network, a PKI, a transparency log, Bob's business card, etc.)
 (e) Changing this "identity info" may be costly for Bob (telling all
his correspondents his info changed, changing a bunch of
registrations, getting new certificates, printing new business cards,
etc).
 (f) Alice can look up Bob's shorter-lived and/or one-time "prekeys"
from some service (either centralized, or hosted by Bob's provider)
which is not trusted for confidentiality or authentication.

Under these assumptions I like having the "identity info" in (d) be an
"identity" or "master" public key (or fingerprint of same) that
doesn't change when you add new devices, so as to minimize the costs
in (e).

The most practical approaches are probably either synchronizing the
identity key between devices, or using it to sign device keys.  Either
way, adding a new device might increase communication in (f), since
Alice might have to retrieve additional device-specific prekeys,
and/or signed device keys.  But adding a device would not incur the
costs in (e), which is more important.


>> If you require interaction with one device to learn about others,
>> you lose "asynchronousness", and I'm not sure what you gain.  If
>> you're using different device keys not signed by a single key, you
>> lose fingerprint-ability.
>
> The process by which a device introduces a contact to its owner's
> other devices is asynchronous.

That's not asynchronous enough for email / text-messaging though (b, c).


> Taking into account that prekeys can be used in a p2p way, I agree
> that there are no strict advantages to the approach I suggested. But I
> don't see any strict disadvantages either - as far as I can see it's
> just a different way of achieving the same goals.

It probably depends on your assumptions / use cases.  If you only
establish connections face-to-face that can be authenticated via
device pairing (QR codes, SAS, etc), then you may be right that having
a single identity public key doesn't get you much.

Trevor

[1] https://moderncrypto.org/mail-archive/messaging/2014/000125.html
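
The "identity key signs device keys" option under assumptions (d) to (f), sketched in Go as an added example that is not part of the original message or of any project's code. Ed25519, the SHA-256 hex fingerprint, the `device-key-v1:` label and every type and function name are assumptions made for illustration; the keys in `main` are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedDeviceKey is a device public key plus the identity key's signature over it.
type SignedDeviceKey struct {
	Key ed25519.PublicKey
	Sig []byte
}
// Bundle is what the untrusted service in (f) returns when Alice looks up Bob.
type Bundle struct {
	Identity ed25519.PublicKey
	Devices  []SignedDeviceKey
}

const label = "device-key-v1:" // assumed domain-separation prefix
// Fingerprint is the stable "identity info" of (d): a hash of the identity key.
func Fingerprint(id ed25519.PublicKey) string {
	h := sha256.Sum256(id)
	return hex.EncodeToString(h[:])
}
// SignDevice runs wherever Bob keeps the identity private key.
func SignDevice(idPriv ed25519.PrivateKey, dev ed25519.PublicKey) SignedDeviceKey {
	return SignedDeviceKey{Key: dev, Sig: ed25519.Sign(idPriv, append([]byte(label), dev...))}
}
// VerifyBundle is Alice's check; one bad entry rejects the whole bundle.
func VerifyBundle(trustedFP string, b Bundle) ([]ed25519.PublicKey, error) {
	if len(b.Identity) != ed25519.PublicKeySize || Fingerprint(b.Identity) != trustedFP {
		return nil, fmt.Errorf("identity key does not match trusted fingerprint")
	}
	var keys []ed25519.PublicKey
	for _, d := range b.Devices {
		if !ed25519.Verify(b.Identity, append([]byte(label), d.Key...), d.Sig) {
			return nil, fmt.Errorf("device key not signed by identity key")
		}
		keys = append(keys, d.Key)
	}
	return keys, nil
}
func main() {
	idPub, idPriv, _ := ed25519.GenerateKey(nil) // constructed sample keys
	phone, _, _ := ed25519.GenerateKey(nil)
	keys, err := VerifyBundle(Fingerprint(idPub), Bundle{idPub, []SignedDeviceKey{SignDevice(idPriv, phone)}})
	fmt.Println(len(keys), err)
}
```

Adding a device changes only the bundle served in (f); the fingerprint Alice already holds from (d) still verifies it, which is the cost in (e) being avoided.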

