[messaging] Forward secrecy and multiple devices

Ximin Luo infinity0 at pwned.gg
Fri Oct 31 07:14:04 PDT 2014

Forward secrecy is the inability to decrypt ciphertext after it's been decrypted the first time, by throwing away (enough of) the decryption key-material. If you want to be able to decrypt it indefinitely onwards, it defeats the point.

If you want to encrypt a message to multiple devices in a forward-secret way, the maximum you can achieve is to have it decryptable (i.e. not forward secret) until the last device that reads the message throws away its ephemeral decryption key, at which point you gain the property of "forward secrecy".

As long as key material exists somewhere to be able to decrypt whatever ciphertext you store wherever, *by definition* this situation is not forward-secret. Sorry...

The schemes other people described are forward-secret for only *part* of the message lifetime. It may be the case that these "partial" forward-secrecy schemes make sense for certain use cases. For example, if the (re-encrypted) ciphertext is only exposed on private infrastructure e.g. locally on each target device, or on "trusted third-party infrastructure" (lol), this may arguably be a bit safer than simply storing the original ciphertext (that was seen by the adversary) and ephemeral key. This is dangerous territory to go into, though.


On 31/10/14 13:04, Nadim Kobeissi wrote:
> Hi everyone,
> I've been wondering about how to make asynchronous forward-secret messaging systems work when the user is accessing message history from multiple devices.
> Say I send a bunch of messages from computer A to another user's computer U.
> Later, I buy myself a new computer B on which I want to download and decrypt my message history.
> If the messages I sent all relied on my long-term identity, then I can just use my long-term key pair to decrypt the messages on computer B and there wouldn't be a problem.
> However, I am wondering how that would work in case I was using forward-secret session keys that changed message by message. How would the session secrets be communicated across devices? How would computer B be able to decrypt my forward-secret messages sent from computer A?
> It would be great to hear the opinion of the many experts on this list regarding this matter.
> Regards,
> NK
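
The key-lifetime argument in the message above, as an added example that is not part of the original thread: a recorded ciphertext stays decryptable until the last device discards its ephemeral key, and a locally re-encrypted history remains recoverable from a seized device afterwards. The names `Device`, `send`, `recover`, `seal` and `unseal` are hypothetical, a random symmetric key stands in for each device's ephemeral decryption key, and the cipher is a toy built from the standard library.

```python
import hashlib, hmac, secrets

def seal(key, pt):
    # Toy encrypt-then-MAC for illustration only, not a vetted AEAD.
    ct = bytes(p ^ s for p, s in zip(pt, hashlib.shake_256(key).digest(len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, hashlib.shake_256(key).digest(len(ct))))

class Device:
    def __init__(self, name):
        self.name = name
        # Assumption: stands in for the ephemeral decryption key the sender encrypts to.
        self.eph = secrets.token_bytes(32)
        # Long-lived local storage key used by the "partial" scheme.
        self.archive_key, self.archive = secrets.token_bytes(32), []

    def read(self, wire, keep_history=False):
        pt = unseal(self.eph, wire[self.name])
        self.eph = None                      # throw away the ephemeral key
        if keep_history:                     # re-encrypt for local history
            self.archive.append(seal(self.archive_key, pt))
        return pt

def send(devices, pt):
    # One ciphertext per target device; the adversary is assumed to record all of it.
    return {d.name: seal(d.eph, pt) for d in devices}

def recover(devices, wire):
    """Every device's current state is seized after `wire` was recorded.
    Returns (source, plaintext) if anything still decrypts, else None."""
    for d in devices:
        if d.eph is not None and (pt := unseal(d.eph, wire[d.name])) is not None:
            return "wire", pt
        for blob in d.archive:
            if (pt := unseal(d.archive_key, blob)) is not None:
                return "archive", pt
    return None
```

`recover` returns `None` only once every device has read the message without keeping history; with `keep_history=True` the recorded wire ciphertext is dead but the plaintext is still reachable through the local archive key.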

