[messaging] Forward secrecy and multiple devices

Natanael natanael.l at gmail.com
Fri Oct 31 07:00:02 PDT 2014

Den 31 okt 2014 14:04 skrev "Nadim Kobeissi" <nadim at nadim.computer>:
> Hi everyone,
> I've been wondering about how to make asynchronous forward-secret
messaging systems work when the user is accessing message history from
multiple devices.
> Say I send a bunch of messages from computer A to another user's computer
> Later, I buy myself a new computer B on which I want to download and
decrypt my message history.
> If the messages I sent all relied on my long-term identity, then I can
just use my long-term key pair to decrypt the messages on computer B and
there wouldn't be a problem.
> However, I am wondering how that would work in case I was using
forward-secret session keys that changed message by message. How would the
session secrets be communicated across devices? How would computer B be
able to decrypt my forward-secret messages sent from computer A?
> It would be great to hear the opinion of the many experts on this list
regarding this matter.

Wouldn't label myself an expert, but my opinion is that you need to let the
devices sync the plaintext securely among themselves. So you don't let them
share original ciphertexts (which PFS would apply to), instead you encrypt
the logs with the public keys of your own devices.

Trying to keep forwards security among your own devices which aren't always
online simultaneously, as if they're all mirrored copies of the same
endpoint, requires that they can communicate so they can share session keys
and know when they can clear out old keys and ciphertexts. But there's no
reason to sync session keys and ciphertext when you can re-encrypt to your
own device specific keys. Besides, you might be compromising PFS of the old
conversations by trying to do the former (because you keep the keys longer
than you need) when you might as well use PFS as a part of your plaintext
log syncing (which preserves plausible deniability).

If you would be using a device which can't store and forward the logs, and
yet need to keep the logs, (J2ME feature phone), you'd need to use a
trusted one which can do so as a proxy (your own home computer?) for your
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141031/96cc4488/attachment.html>

More information about the Messaging mailing list