[messaging] Key comparison [TextSecure]

Jeff Burdges burdges at gnunet.org
Tue Sep 8 11:13:04 PDT 2015 

As an aside, there is not usually any on-going connection between
communications and identity keys, just their role in the initial 3DH.
An adversary with brief physical access to one participants state file
can therefore alter it to fake, MITM, etc. future communications. 

I've wondered if Axolotl based messengers should offer a "ratchet
fingerprint" derived as a hash of a previous root key value, much like
pond derives the symmetric key used to encrypt the Axolotl header.  Two
users could verify that their messenger state files have not been
tampered with by comparing ratchet fingerprints with one another. 

There is not a huge gain in security here since an adversary who could
rarely modify one participants state file could usually alter the
application code too.  I'd therefore rate the priority of providing
ratchet hashes as less than providing reproducible builds of the
application, operating system, and firmware, but it's definitely a
useful forensics tool though.

Also, there is a risk that users will violate the deniability provided
by 3DH when they compare ratchet keys, unless you provide some clever
way to do it (key poems?).  In fact, if you were not worried about
deniability, then you could make ratchet keys superfluous by having them
play an on-going role in the KDF used by Axolotl, but then every message
violate a user's deniability.

Jeff



On Tue, 2015-09-01 at 09:54 +0200, N A wrote:
> Hi,
> 
> I have a question regarding the comparison of key fingerprints in the
> context of TextSecure. According to [1] TextSecure offers the ability for
> two users to compare fingerprints of their identity key out of band to
> detect a man in the middle attack. I was wondering why the prekey which
> was used to start the session is not part of the fingerprint? If the
> identity key of a user is compromised, prekeys on the server could be
> replaced with forged ones by an attacker who possesses the complete
> identity key. The comparison of identity key fingerprints would not
> be able to detect this. Including the prekey during key comparison would
> ensure that users know for sure that―even in the presence of compromised
> identity keys―no one posed as a man in the middle. Am I missing something
> obvious?
> 
> Many thanks in advance for your answers!
> 
> ---
> [1] "How secure is TextSecure" [https://eprint.iacr.org/2014/904.pdf]
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150908/6300155f/attachment.sig>

More information about the Messaging mailing list