[messaging] Naming and classifying a security property
infinity0 at pwned.gg
Sun Sep 13 09:15:10 PDT 2015
On 13/09/15 17:50, Ximin Luo wrote:
> - chain-based ratcheting has this property - as the sender, you encrypt m[i] using k, then hash it and delete the original for m[i+1]. the recipient will need to keep extra state around if they want to handle out-of-order messages.
Whoops, this is wrong. It *doesn't* have the aforementioned property - someone that compromises the encryptor here can still decrypt all future ciphertexts.
It's not exactly Axolotl's so-called "future secrecy" either. For example:
> - public key encryption has this property, if you don't also encrypt-to-yourself (which is a common default for GPG encryption :()
OTOH with this scheme, if the decryptor is compromised, then the attacker can here also decrypt all future ciphertexts, so it's not strictly "future secrecy".
I am wondering if we need more precise terms; compromise on the decryptor vs encryptor side can make a big difference. Arguably you want protection against both, but with a term like "future secrecy" you can argue/market that you have this property even if it applies only to one side.
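As an added illustration (not part of the original post), here is a constructed Python model of the chain-based ratchet described above: k[i+1] = H(k[i]), with the sender deleting k[i] once m[i] is encrypted. It shows the point being made: whoever obtains the encryptor's current chain key can derive every later message key, while the deleted earlier keys are shielded by the one-way hash. The function names, the domain-separation labels and the toy XOR cipher are assumptions made for the demo.

```python
import hashlib

# Constructed toy model of a hash-chain ratchet (assumed form, not any
# real protocol's code): k[i+1] = H(k[i]); the sender keeps only k[i+1].

def next_chain_key(k: bytes) -> bytes:
    """One-way step: k[i] cannot be recovered from k[i+1]."""
    return hashlib.sha256(b"chain" + k).digest()

def message_key(k: bytes) -> bytes:
    """Per-message key, derived separately so the chain key itself is never used to encrypt."""
    return hashlib.sha256(b"message" + k).digest()

def encrypt(mk: bytes, m: bytes) -> bytes:
    """Toy XOR cipher for messages up to 32 bytes; illustration only, not a real cipher."""
    assert len(m) <= 32
    return bytes(a ^ b for a, b in zip(m, mk))

decrypt = encrypt  # XOR is its own inverse

def sender_encrypt_all(k0: bytes, msgs):
    """Encrypt each message, then ratchet and forget the old key.
    Returns the ciphertexts and the chain key left in sender state after each send."""
    k, cts, states = k0, [], []
    for m in msgs:
        cts.append(encrypt(message_key(k), m))
        k = next_chain_key(k)   # the only key remaining in memory after this step
        states.append(k)
    return cts, states

def attacker_decrypts_from(compromised_k: bytes, later_cts):
    """With the encryptor's current chain key, run the ratchet forward and read every later message."""
    out, k = [], compromised_k
    for c in later_cts:
        out.append(decrypt(message_key(k), c))
        k = next_chain_key(k)
    return out

def demo():
    """Compromise the encryptor right after m1 is sent; state holds k2 only (constructed data)."""
    k0 = hashlib.sha256(b"constructed initial chain key").digest()
    msgs = [b"m0 hello", b"m1 secret", b"m2 later", b"m3 much later"]
    cts, states = sender_encrypt_all(k0, msgs)
    stolen = states[1]
    future_plaintexts = attacker_decrypts_from(stolen, cts[2:])
    # k0 and k1 were deleted; the stolen state is neither of them and H is one-way.
    past_keys_absent = stolen not in (k0, next_chain_key(k0))
    return future_plaintexts, past_keys_absent
```

Running `demo()` returns the two later plaintexts recovered from the stolen state, which is exactly why the encryptor-compromise property claimed earlier in the thread does not hold for this construction.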