[messaging] Hold the Axolotl ratchet

Sebastian Verschoor s.r.verschoor at student.tue.nl
Tue Sep 22 14:57:33 PDT 2015

I thought of an attack on Axolotl that I believe is pointless, but maybe
one of you sees an application for an adversary that I didn't think of.

Alice and Bob are talking, and Bob wants to stop the root key from being
updated. The attack is simple: he ignores the last value of DHRr in the
messages that Alice sends. When sending, he keeps his value of ratchet_flag
to false: he keeps sending messages with the same old value of DHRs. From
Alice's perspective, Bob acts as if he had never received her latest
messages, yet keeps on talking. Because she cannot rule out that this is
indeed the case, she has to accept the messages. However, she cannot
update her value of ratchet_flag until Bob sends a new DHR, so no more
randomness is introduced in updating the ratchet.

Like I said, I cannot find an application for this attack, for two reasons:

1. Bob is clearly cheating, but what does he, a dishonest participant, gain
from holding the ratchet? And if Bob is collaborating with a third party,
then why not leak the (key) information direct to them?
2. Alice can detect that something strange is going on, when Bob does this
but also replies to the messages that she is sending. This depends on
whether Alice's client displays the messages in the order that they arrived
and were sent according to Axolotl, or on something else such as a
timestamp. In the latter case, Alice has no way of detecting that the above
attack is in progress.

Even though it seems like a useless attack, the fact that you have to rely
on the honesty of the other party to forward the ratchet seems like an
unwanted property...
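
An added example, not part of the original post: a simplified Python model of Alice's side of the header handling described above, with a counting heuristic for noticing that Bob keeps answering under an unchanged DHRr. The class, the event format, the key labels and the threshold are assumptions made for illustration; no cryptography is performed, and the count cannot distinguish withholding from genuine message loss.

```python
from dataclasses import dataclass

@dataclass
class RatchetMonitor:
    """Alice's header-level view of the DH ratchet (simplified, no crypto)."""
    dhr_r: str                 # last ratchet key received from Bob (DHRr)
    ratchet_flag: bool = True  # True: next send generates a fresh DHRs
    ratchet_steps: int = 0     # DH ratchet steps taken, in either direction
    sent_unanswered: int = 0   # sends under a DHRs Bob has not yet answered
    recv_stale: int = 0        # Bob's messages still under the old DHRr

    def send(self) -> None:
        if self.ratchet_flag:              # fresh DHRs: new DH input to the root key
            self.ratchet_steps += 1
            self.ratchet_flag = False
            self.sent_unanswered = self.recv_stale = 0
        self.sent_unanswered += 1

    def receive(self, header_dhr: str) -> None:
        if header_dhr != self.dhr_r:       # Bob advanced his ratchet key
            self.dhr_r = header_dhr
            self.ratchet_steps += 1
            self.ratchet_flag = True
            self.sent_unanswered = self.recv_stale = 0
        elif self.sent_unanswered:         # unchanged DHRr after Alice's new DHRs
            self.recv_stale += 1

    def stalled(self, threshold: int = 3) -> bool:
        return self.recv_stale >= threshold

def run(events, threshold=3):
    """Replay (kind, bob_key) events; return (ratchet_steps, recv_stale, stalled)."""
    m = RatchetMonitor(dhr_r="B1")
    for kind, key in events:
        if kind == "send":
            m.send()
        else:
            m.receive(key)
    return m.ratchet_steps, m.recv_stale, m.stalled(threshold)

# Constructed traces: "B1", "B2", ... are labels for Bob's ratchet keys.
HONEST = [("send", None), ("recv", "B2"), ("send", None), ("recv", "B3"),
          ("send", None), ("recv", "B4")]
HELD = [("send", None), ("recv", "B1"), ("send", None), ("recv", "B1"),
        ("send", None), ("recv", "B1")]

if __name__ == "__main__":
    print("honest:", run(HONEST))
    print("held:  ", run(HELD))
```

In the held trace the ratchet advances once, on Alice's first send, and never again, while the stale counter grows with each reply.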
