[messaging] Giving new devices access to old messages

Nadim Kobeissi nadim at nadim.computer
Tue Apr 21 02:42:24 PDT 2015 

On Tue, Apr 21, 2015 at 4:18 AM, Trevor Perrin <trevp at trevp.net> wrote:

> On Mon, Apr 20, 2015 at 6:07 PM, Gary Belvin <gdb at google.com> wrote:
> > It seems to me that the challenge with this approach is authenticating
> the
> > requests before releasing a set of symmetric keys to your data.
>
> This could leverage existing mechanisms.  E.g. if multidevice support
> requires copying the long-term private key from old device -> new
> device, the "read-caps" could be sent along with the private key.
>
> If new devices are being provisioned with a passphrase and
> server-stored data, then whenever an old device downloads and decrypts
> some messages, it could upload passphrase-encrypted read-caps.
>

Arguably, there would be a slightly more concentrated attack surface on the
server storing all this data, since it collects a large number of
"read-caps" under a single passphrase. Would this not affect forward/future
secrecy claims?

Although, the usage of a passphrase *would* elegantly resolve
authentication matters. Overall, I like where Trevor is going with this. :-)

Nadim


>
> > It also change the semantics of "only the person
> > with the private key can read the message".
>
> I'd put it differently: This is just the old device giving messages to
> the new device.  We're trying to make it more efficient, but this was
> always possible.
>
> I would like to deprecate the semantics "any person with your
> long-term private key can decrypt all messages you've received".  If
> the long-term keys used for authentication are separated from the
> per-message keys used for sharing data, I would hope that also enables
> using more granular keys for forward-secure encryption.
>
> Trevor
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150421/ea73d3cb/attachment.html>

More information about the Messaging mailing list