<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Is there anything from OTR protocol v3 that can be leveraged for TextSecure? <a href="https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html">https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html</a><br>
</div><div class="gmail_extra"><br clear="all"><div>
<div><b>Rich Griffin</b></div>
</div>
<br><br><div class="gmail_quote">On Sat, Feb 15, 2014 at 6:50 PM, Trevor Perrin <span dir="ltr"><<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">>> On 02/14/2014 01:38 PM, Trevor Perrin wrote:<br>
>>> (C) With no computers, there are various ways to agree on enough entropy<br>
>>> for an unlinkable online rendezvous:<br>
</div>...<br>
<div class="">>>> 4. Exchanging public-key fingerprints used to retrieve Diffie-Hellman<br>
>>> public keys (my suggestion).<br>
<br>
<br>
</div>Here's a better sketch of the "DH rendezvous" idea, fwiw.<br>
<br>
Users could create signed "introduction certificates" weekly, containing:<br>
- their long-term public signing key<br>
- a short-term DH key<br>
- their mailbox server's address<br>
- an expiration date<br>
- a signature over all values<br>
<br>
Users would publish these certs into an "introduction directory",<br>
which would be a widely mirrored repository of unexpired introduction<br>
certs.<br>
<br>
During an offline meeting, users would exchange their long-term<br>
fingerprints. They would then enter the other party's fingerprint<br>
into their app, which would perform some pre-rendezvous steps:<br>
- Retrieve the other party's introduction cert by querying one of the mirrors.<br>
- Calculate the DH shared secret between both parties' short-term DH keys.<br>
- Decide whose mailbox server to use as a rendezvous server, based on<br>
the shared secret. Also use the shared secret to derive the meeting<br>
ID and a symmetric key for encrypting KeyExchange messages.<br>
<br>
If Alice's mailbox server is being used for rendezvous, Alice will do<br>
the following:<br>
- Alice will have a bunch of "rendezvous tokens". Alice's mailbox<br>
server gives these tokens to its users via a blind signature scheme,<br>
so it can recognize authentic tokens but can't trace them.<br>
- Alice will use a rendezvous token to register the meeting ID with<br>
the mailbox server, and post up her encrypted KeyExchange (over Tor).<br>
The mailbox server will learn that one of its users is performing a<br>
rendezvous, but won't know that it's Alice.<br>
- Bob will contact Alice's server using the meeting ID, post his<br>
encrypted KeyExchange, and retrieve Alice's.<br>
- Alice will retrieve Bob's KeyExchange and the rendezvous is complete.<br>
<br>
<br>
Advantages vs. rendezvous server with introduction secrets:<br>
- The "introduction directory" is handling public data, so it can be<br>
mirrored widely (unlike a "rendezvous server" handling low-entropy<br>
meeting IDs).<br>
- The mailbox/rendezvous server only stores rendezvous messages<br>
associated with its own users, so it is less susceptible to being flooded<br>
with junk.<br>
- The "rendezvous latency" is reduced since only KeyExchange messages<br>
need to be exchanged through the mailbox/rendezvous server (not key<br>
agreement messages).<br>
- Rendezvous can be done based on public data (fingerprints), instead<br>
of requiring a prior exchange of secrets.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
Trevor<br>
_______________________________________________<br>
Messaging mailing list<br>
<a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
</div></div></blockquote></div><br></div></div>
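<p>The introduction-certificate and pre-rendezvous steps of the quoted sketch, worked through in Go as an added example. This is not code from the original post, from TextSecure or from OTR; it is an illustration of the quoted design with concrete choices that are my assumptions: Ed25519 for the long-term signing key, X25519 (Go 1.20+ <code>crypto/ecdh</code>) for the short-term DH key, an HKDF-style HMAC-SHA256 derivation with labels I picked, and "sort the two mailbox addresses, let one derived bit choose" as the symmetric server-selection rule. Mailbox addresses are placeholders. The blind-signature rendezvous tokens, the mailbox server itself, Tor and the KeyExchange messages are not modelled.</p>

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"sort"
)

// IntroCert mirrors the weekly "introduction certificate" of the sketch.
type IntroCert struct {
	SigningKey ed25519.PublicKey // long-term key; its hash is the fingerprint
	DHKey      []byte            // short-term X25519 public key (assumed curve)
	Mailbox    string            // mailbox server address (placeholder values here)
	Expires    int64             // unix seconds
	Sig        []byte            // Ed25519 signature over tbs()
}

// tbs serialises the signed fields, length-framing the variable-length one.
func (c *IntroCert) tbs() []byte {
	b := append(append([]byte{}, c.SigningKey...), c.DHKey...)
	b = binary.BigEndian.AppendUint16(b, uint16(len(c.Mailbox)))
	b = append(b, c.Mailbox...)
	return binary.BigEndian.AppendUint64(b, uint64(c.Expires))
}

// Fingerprint is the value users exchange at the offline meeting.
func Fingerprint(pk ed25519.PublicKey) [32]byte { return sha256.Sum256(pk) }
type User struct {
	dh   *ecdh.PrivateKey // short-term DH private key, never published
	Cert IntroCert
}

// NewUser makes a long-term signing key, a fresh short-term DH key and a signed cert.
func NewUser(mailbox string, expires int64) (*User, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	dh, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, errors.Join(err, err2)
	}
	c := IntroCert{SigningKey: pk, DHKey: dh.PublicKey().Bytes(), Mailbox: mailbox, Expires: expires}
	c.Sig = ed25519.Sign(sk, c.tbs())
	return &User{dh: dh, Cert: c}, nil
}

// Directory stands in for one mirror of the public introduction directory.
type Directory map[[32]byte]IntroCert
func (d Directory) Publish(c IntroCert) { d[Fingerprint(c.SigningKey)] = c }

// Lookup trusts the mirror only for availability: the cert must match the
// fingerprint typed in, be unexpired and carry a valid self-signature.
func (d Directory) Lookup(fp [32]byte, now int64) (IntroCert, error) {
	c, ok := d[fp]
	switch {
	case !ok || Fingerprint(c.SigningKey) != fp:
		return IntroCert{}, errors.New("no cert whose signing key matches the fingerprint")
	case c.Expires < now:
		return IntroCert{}, errors.New("cert expired")
	case !ed25519.Verify(c.SigningKey, c.tbs(), c.Sig):
		return IntroCert{}, errors.New("bad cert signature")
	}
	return c, nil
}

// Rendezvous holds the pre-rendezvous outputs both parties must agree on.
type Rendezvous struct {
	Server    string // whose mailbox server hosts the rendezvous
	MeetingID []byte
	Key       []byte // symmetric key for the encrypted KeyExchange messages
}

// expand is one block of HKDF-Expand (RFC 5869) under a label.
func expand(prk []byte, info string) []byte {
	m := hmac.New(sha256.New, prk)
	m.Write(append([]byte(info), 1))
	return m.Sum(nil)
}

// PreRendezvous runs the sketch's pre-rendezvous steps on a verified peer cert.
func (u *User) PreRendezvous(peer IntroCert) (Rendezvous, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer.DHKey)
	if err != nil {
		return Rendezvous{}, err
	}
	ss, err := u.dh.ECDH(pub) // identical on both sides; rejects low-order points
	if err != nil {
		return Rendezvous{}, err
	}
	ext := hmac.New(sha256.New, []byte("dh-rendezvous-example")) // HKDF-Extract
	ext.Write(ss)
	prk := ext.Sum(nil)
	// Server choice must be symmetric: sort the two addresses, let one derived bit pick.
	names := []string{u.Cert.Mailbox, peer.Mailbox}
	sort.Strings(names)
	server := names[expand(prk, "server")[0]&1]
	return Rendezvous{Server: server, MeetingID: expand(prk, "meeting-id")[:16], Key: expand(prk, "kex-key")}, nil
}
```

<p>Each party calls <code>NewUser</code>, publishes its <code>Cert</code>, looks up the other party's cert by the fingerprint received offline, and runs <code>PreRendezvous</code>; both sides arrive at the same server, meeting ID and key without any message passing between them. The checks in <code>Lookup</code> are what make the widely mirrored directory safe: a mirror can withhold a cert but cannot substitute one (the signing key must hash to the fingerprint the user typed) or alter a field (the self-signature covers every field), and the expiry bounds how long a leaked short-term DH key remains usable. Because the meeting ID is derived from a full-entropy DH secret rather than chosen by the users, the rendezvous server sees an unguessable identifier, which is the property the quoted "advantages" rely on.</p>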