[messaging] Key comparison [TextSecure]

[Linus Lotz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,
I just reread your message and saw that I missed that the attacker knows
B_priv. In this case he could decrypt the message but has to reencrypt
it for Bob, for which he would need to know one of Bobs private
original ephemeral keys or the private Identity Key of Alice:
HASH( DH(A_pub, B0_priv) || DH(A0_pub, B_priv) || DH(C0_priv, B0_pub) )
or
HASH( DH(A_priv, B0_pub) || DH(A0_pub, B_priv) || DH(C0_priv, B0_pub) )

Best Regards,
Linus

Am 01.09.2015 um 13:17 schrieb Linus Lotz:
> Hi, You should have a look at the 3 way DH in the axolotl
> ratchet[1]: master_key = HASH( DH(A, B0) || DH(A0, B) || DH(A0, B0)
> )
> 
> Where 'A' and 'B' are the identity keys and 'A0', 'B0' are the 
> ephemeral keys. For Textsecure the prekey is just the ephemeral key
> of the recipient.
> 
> Now let's assume an attacker Charlie can exchange the public prekey
> B0 with his prekey C0, but does not modify any of the identity
> keys (since this would be detected by comparing the fingerprints).
> Now if Alice(A) wants to write Bob(B) a message, she would generate
> the master_key as follows:
> 
> HASH( DH(A_priv, C0_pub) || DH(A0_priv, B_pub) || DH(A0_priv,
> C0_pub) )
> 
> If Charlie now intercepted a message that is encrypted with a key 
> derived from this master_key he could not decrypt it, since he
> does not know B_priv or A0_priv: HASH( DH(A_pub, C0_priv) ||
> DH(A0_pub, B_priv) || DH(A0_pub, C0_priv) ) ^^^^^^ (A0_pub would be
> attached to the message) And Bob cannot decrypt it either, because
> he does not know C0_priv. So in order to do the MitM attack Charlie
> has to get either get the private ephemeral key from Alice or
> modify the identity keys.
> 
> Best Regards, Linus
> 
> [1]https://github.com/trevp/axolotl/wiki
> 
> 
> Am 01.09.2015 um 09:54 schrieb N A:
>> Hi,
> 
>> I have a question regarding the comparison of key fingerprints
>> in the context of TextSecure. According to [1] TextSecure offers
>> the ability for two users to compare fingerprints of their
>> identity key out of band to detect a man in the middle attack. I
>> was wondering why the prekey which was used to start the session
>> is not part of the fingerprint? If the identity key of a user is
>> compromised, prekeys on the server could be replaced with forged
>> ones by an attacker who possesses the complete identity key. The
>> comparison of identity key fingerprints would not be able to
>> detect this. Including the prekey during key comparison would
>> ensure that users know for sure that―even in the presence of
>> compromised identity keys―no one posed as a man in the middle. Am
>> I missing something obvious?
> 
>> Many thanks in advance for your answers!
> 
>> --- [1] "How secure is TextSecure" 
>> [https://eprint.iacr.org/2014/904.pdf] 
>> _______________________________________________ Messaging
>> mailing list Messaging at moderncrypto.org 
>> https://moderncrypto.org/mailman/listinfo/messaging
> 
> 
> _______________________________________________ Messaging mailing
> list Messaging at moderncrypto.org 
> https://moderncrypto.org/mailman/listinfo/messaging
> 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV5Y7dAAoJEEsWX/59L3NtLNsP/RTFTEVjJElgnojW73wsP+rn
vQWQzcVf+TR+KYkoQ3hEOLhGPHvFrcCd30mT2W2puntz3Zcu8+l9zeBezjj9Pwww
EYnQ0cItron4WQt092uurIIlGGndx7pTfKSpa/pUFMBlqWIS0iV0f/XLdAmckfS3
dHNi08f+7YCWMwcLXExZaLfmJKVcxJPHiFOuUvKa76Ns/n4ZygU2J5s2NcSaBjLd
hBgd3TxqGyPXj2STODDloqZHyQYasebj7H3MrqZlQ2/HpSsvQtYDKcAiGV5GANge
ZyljThZH9WwlR2QZDweCQ98a9g2PsKTM/1asK5Hm/AJ5xGsrLmr8WiughnSvRMYQ
B+z7MJuTUh1Hx+/vQnMjTGStuYS7UPS1dPMFfSa+Y+k4oRCn+849gVlTRmNF0UxP
p32RitBbQq+kf/ZHmVlqX70QwkN9SUhEhgvHsXVONgCnZbTQdCR31xBGu9KuCxuV
a4m6CuUUA6+wJHqunB8Bxd9Cspc2ll0Xb5+akQJTIRmYmWi28ybJyX0cS1Nug36L
2EWP04Sdp723IOszQU+NZJXytB9mZBgKBBH9YIhCLZJJjTc1JTlWL2fSYGFQYIJP
8ylUzRB01yxljXJ1mlf13gvlBGsos9eDDiGIEFyZ/usMj3jQNT0pLaEqkLgTe6/G
MVpbmuRO9NxY4xDYV98h
=v/cS
-----END PGP SIGNATURE-----